Posts Tagged ‘Trojan’

Tuesday, June 11, 2013 @ 03:06 PM gHale

In the cyber world Trojans usually live a short life before new ones replace them, but Zeus/Zbot keeps moving forward, with its variants continuing to perfect man-in-the-middle (MitM) attacks, log keystrokes and grab information entered in online forms.

This Trojan usually spreads through exploit kits via drive-by downloads, phishing schemes and social media; however, Trend Micro researchers just found a variant that uses removable drives as an additional attack vector.

In this case, the malware variant delivers via a malicious PDF file disguised as a sales invoice document.

Potential victims that attempt to open the file with Adobe Reader get a notice saying it cannot open because “use of extended features is no longer available.”

But in the background, the malware has already silently dropped onto the system and run.

It first contacts its command-and-control (C&C) server to download an updated copy of itself (if one is available). Immediately afterward it checks whether any removable drives are connected to the computer and, if there are, drops a copy of itself into a hidden folder on each one and creates a shortcut pointing to it.

Friday, June 7, 2013 @ 02:06 PM gHale

There is a new mobile threat that is one of the most sophisticated Android Trojans one researcher has ever seen.

Backdoor.AndroidOS.Obad.a is capable of performing various malicious tasks, including sending SMSs to premium rate numbers, downloading and installing additional malware, and remotely executing console commands, said researchers at Kaspersky Lab.

This malicious software looks more like Windows malware than an Android Trojan because it exploits a number of unpublished vulnerabilities and is highly complex, Kaspersky’s researchers said.

For one, the Trojan’s developers abused an error in DEX2JAR, a tool used to convert APK files into JAR files. The error in DEX2JAR allowed the cybercriminals to make static analysis of the Trojan highly difficult.

Furthermore, the developers leveraged a vulnerability in the Android operating system to make dynamic analysis of the threat difficult.

A different Android vulnerability was exploited to gain extended administrator privileges, making it impossible to delete the malicious app from the device.

Obad.a only works in background mode – it doesn’t have any visual interface.

Once it infects a device, Obad.a immediately attempts to gain elevated privileges. It abuses its Device Administrator rights to block the screen for up to 10 seconds.

During those 10 seconds, if the smartphone connects to an unsecured Wi-Fi network or via Bluetooth, the Trojan starts sending malicious files to the devices it detects nearby.

The malware also uses the “su id” command to try to obtain root privileges.

When first launched, Obad.a collects various pieces of information on the device – including MAC address, operator name, phone number, IMEI and account balance – and sends it back to its command and control (C&C) server.

Then, it awaits commands from the C&C. The malware can then get an order to send text messages to specific numbers and delete the replies, act as a proxy, download files, connect to a specified address, retrieve a list of apps installed on the device, collect contact data, execute commands and send files via Bluetooth.

For the time being, this threat is not very widespread. Kaspersky researchers said that of all the malware installation attempts they detected over a three-day period, only 0.15 percent were from Obad.a.

Google is aware of the Android vulnerabilities exploited by the threat.

Friday, May 31, 2013 @ 03:05 PM gHale

Large botnets ZeroAccess and Sality control over one million infected computers using peer-to-peer communication, while the online banking Trojan Zeus has just reached 200,000 nodes, new research showed.

An international team of researchers infiltrated the networks to determine these figures. As it turns out, P2P botnets are much more resistant than originally thought to attempts to shut them down with targeted operations.

Conventional botnets receive their orders from a central command-and-control server, which also constitutes their main weak point. If that server shuts down, the botnet master loses control of the infected computers.

Newer botnets, however, are going the decentralization route and using peer-to-peer structures like the ones used in file-sharing networks. In this situation, the infected systems network with each other, and each zombie computer has a list of direct communication partners that belong to the same botnet.

So far, the strategy for estimating the size of a P2P botnet has been to query peer lists from known bots and then move from one bot to the next in the hope that, eventually, all of the infected systems are tracked. Such “crawling”, however, produces figures that are far too low, said the researchers: Christian Rossow (VU University Amsterdam, The Netherlands, and Institute for Internet Security, Gelsenkirchen, Germany), Dennis Andriesse (VU University Amsterdam), Tillmann Werner (CrowdStrike, Inc.), Brett Stone-Gross (Dell SecureWorks), Daniel Plohmann (Fraunhofer FKIE, Bonn, Germany), Christian J. Dietrich (Institute for Internet Security, Gelsenkirchen) and Herbert Bos (VU University Amsterdam). Instead, they sneaked their own systems into the P2P botnets. Those systems actively participated in communication and were thus able to register all the active bots. In just one day, their sensors detected more than 920,000 computers under the control of one instance of Sality, whereas crawlers had found only 22,000 of the botnet’s victims.

One major reason for the difference is that botnet clients are quite picky these days about which computers they add to their active peer lists. Home computers, for example, are almost never included, since it is difficult to reach them from the outside through a NAT router.

There’s more bad news when it comes to shutting these botnets down. One approach frequently discussed is sinkholing, in which security specialists try to fill the bots’ peer lists with their own systems’ addresses in order to put a stop to communication within the P2P network. In their investigation, however, the researchers realized some of the P2P botnets are more resistant to that strategy than originally thought. Sality, for example, has an internal reputation system for communication partners, and it is difficult to take the place of a real bot with a high rating in a peer list.

The researchers’ findings come mainly from analysis of actual bots. In their paper, “P2PWNED: Modeling and Evaluating the Resilience of Peer-to-Peer Botnets”, the researchers present a method for describing P2P botnets with formal models that can then also simulate certain operations.
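To see why crawling undercounts, here is a toy simulation, added as an example and not code from the P2PWNED paper or the article: bots behind NAT never appear in peer lists, so a crawler that follows peer lists only finds routable bots, while a sensor node that the bots contact themselves (like the researchers’ own systems) also registers the NAT’d ones. All parameters (200 bots, 90 percent behind NAT, peer lists of eight) are constructed.

```python
import random

NAT_FRACTION = 0.9   # constructed: 9 of 10 bots are home machines behind a NAT router
PEER_LIST_SIZE = 8   # constructed: how many routable peers each bot initially knows
SENSOR = "sensor"    # the analysts' own node, announced like any other routable peer


def build_botnet(n_bots, seed=7):
    """Return (routable_ids, peer_lists) for a toy P2P botnet.
    Peer lists hold only routable bots: NAT'd bots cannot be contacted from
    outside, so other bots never add them, as the article describes."""
    rng = random.Random(seed)
    routable = sorted(i for i in range(n_bots) if rng.random() >= NAT_FRACTION)
    peers = {}
    for bot in range(n_bots):
        candidates = [r for r in routable if r != bot]
        peers[bot] = set(rng.sample(candidates, min(PEER_LIST_SIZE, len(candidates))))
    return set(routable), peers


def crawl(peers, seeds):
    """Crawler: request peer lists from known bots and follow every new entry.
    It can only reach bots that appear in some peer list, i.e. routable ones."""
    seen, todo = set(seeds), list(seeds)
    while todo:
        for p in peers[todo.pop()]:
            if p not in seen:
                seen.add(p)
                todo.append(p)
    return seen


def run_sensor(peers, seeds, rounds=8):
    """Sensor: inject our own routable node into a few peer lists and log who
    contacts it. Bots gossip peer lists, so knowledge of the sensor spreads,
    and NAT'd bots can still open outbound connections, so they show up too."""
    peers = {bot: set(plist) for bot, plist in peers.items()}  # keep caller's data intact
    for s in seeds:
        peers[s].add(SENSOR)
    contacted = set()
    for _ in range(rounds):
        for bot in peers:
            for p in list(peers[bot]):
                if p == SENSOR:
                    contacted.add(bot)   # the sensor records the source of the message
                else:
                    # peer exchange: learn the contacted peer's entries (maybe the sensor)
                    peers[bot] |= {q for q in peers[p] if q != bot}
    return contacted


def compare(n_bots=200):
    """Run both measurement strategies on the same constructed botnet."""
    routable, peers = build_botnet(n_bots)
    seeds = sorted(routable)[:2]        # two bots the analysts already know about
    crawled = crawl(peers, seeds)
    sensed = run_sensor(peers, seeds)
    return {"bots": n_bots, "routable": len(routable),
            "crawled": len(crawled), "sensed": len(sensed),
            "crawled_only_routable": crawled <= routable,
            "sensed_natted": len(sensed - routable)}


if __name__ == "__main__":
    print(compare())
```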

Thursday, May 30, 2013 @ 05:05 PM gHale

A new banking malware can now target ecommerce and comes with features that help it evade common security defenses.

Beta Bot underwent refinement over the last few months and is now ready to go, according to research conducted by RSA Security’s Limor Kessem. The bot started out in January as an HTTP bot and then made a gradual transition to a banking Trojan. Kessem, who is part of RSA’s Cybercrime and Online Fraud Communications division, said Beta Bot has quite a few attack vectors.

The malware has been seen targeting everything from large financial institutions to social networking sites, along with “payment platforms, online retailers, gaming platforms, webmail providers, FTP and file-sharing user credentials … domain registrars for the common malware use of registering new resources,” Kessem said.

The bot deploys on a machine after the user clicks through and allows it. Once it is in, though, the malware has an array of self-defense mechanisms.

Users whose machines are infected by the malware will find themselves unable to reach whatever antivirus and security provider websites the attacker selects, he said. When trying to reach one of those sites, they are instead redirected to an IP address of the attacker’s choosing.

The malware avoids executing in virtual machines and can evade sandboxes as well, Kessem said. It can even block other types of malware from spreading on the system by “terminating their processes” and blocking code injections.

The Trojan goes on to log stolen data in a MySQL database, download malicious files, remotely control the infected PC and trick users into making fake banking transactions.

Kessem said he spoke with Beta Bot’s developer, who said he is selling binaries for the malware and providing technical support but doesn’t plan to sell the builder, opting instead to keep it private. Builds can be purchased in underground online forums for between $320 and $500, with a customized server-side control panel interface.

Banking Trojans continue to grow more sophisticated in order to stay ahead of the curve on advanced detection methods.

Shylock, the credential-swiping Trojan that relies mainly on man-in-the-browser attacks, began to weed out less profitable banks last month and updated its infrastructure to avoid downtime. Developers behind the Zeus Trojan started selling tweaked versions of the malware in April, complete with customized botnet panels, via social networks like Facebook.

Wednesday, May 22, 2013 @ 06:05 PM gHale

The number of mobile malware variants targeting smartphone and tablet users has risen by 49 percent since last year, with Android the overwhelming target, a new report said.

The number of mobile malware variants active in the wild rose from 100 to 149, according to the Q1 2013 Threat Report published by Finnish security firm F-Secure.

Google Android remained the most insecure ecosystem, with 91 percent of the malware targeting the platform, the report said. Below it, Nokia’s Symbian operating system accounted for the other nine percent of known mobile malware.

The complexity of the attacks also increased during the period, and criminals are now using spam as well as Trojan-laden apps to infect Android devices, F-Secure researchers said. Previously, the majority of Android malware hid out in apps on the official Google Play store and third-party marketplaces.

The move to spam is an alarming one, as it will allow criminals to create more tailored targeted attacks to dupe their victims into clicking infected links or downloading malicious attachments, said F-Secure security analyst Sean Sullivan. He pointed to a recent spam campaign that attempted to spread the Stels Trojan by masquerading as a message from the U.S. Internal Revenue Service as an example of how dangerous criminals’ use of spam could be.

The message purported to be a legitimate message about the user’s taxes, instructing them to click on an attachment contained in the message. When downloaded, the attachment infected the Android handset with the crimeware, letting the criminals steal information stored on the device and steal money by making calls to premium numbers. Sullivan described the scam as a “game changer” in the security community.

The report also highlighted a recent fraud scam in India as a further example of how ingenious criminals’ mobile scams can be. It said: “[This quarter marked the] discovery of the first Android advanced fee fraud. [It targets users with a] fake job ‘offer’ Android app in India that informs the user they are being considered for a position at Tata Group, an Indian multinational company. To arrange the interview, the app asks for a refundable security deposit.”

Tuesday, May 14, 2013 @ 02:05 PM gHale

This year’s first quarter was difficult for Android as the operating system saw its first threat distribution outside of apps via email spam, the first targeted attacks, and the first advanced fee fraud scam, new research shows.

On top of all that, it became apparent there is an increase in the commoditization of Android malware, according to research by F-Secure Labs over the January through March time frame.

The number of mobile threat families and variants rose 49 percent from the previous quarter, from 100 to 149. Of those 149, 136 (91.3 percent) were Android and 13 (8.7 percent) Symbian. The Q1 2013 numbers are more than double those of a year earlier, in Q1 2012, when 61 new families and variants appeared.

The new Android techniques are a cause for concern, said Sean Sullivan, Security Advisor at F-Secure Labs.

“I’ll put it this way: Until now, I haven’t worried about my mother with her Android because she’s not into apps. Now I have reason to worry because with cases like Stels, Android malware is also being distributed via spam, and my mother checks her email from her phone,” he said.

The Android Trojan known as Stels began spreading via fake U.S. Internal Revenue Service-themed emails, using an Android crimeware kit to steal sensitive information from the device and monetizing the infection by making calls to premium numbers. This example of mobile malware commoditization “could be a game changer,” Sullivan said.

Q1 also saw the first confirmed targeted attacks in the mobile space. Tibetan human rights activists were targeted with emails that contained an Android-malware-infected attachment, and a “coupon app” for a popular coffee chain stole information from phones with South Korean country codes.

India is also a mobile target, as the discovery of the first Android advanced fee fraud showed. A fake “job offer” Android app in India informs the user they are under consideration for a position at TATA Group, an Indian multinational company. To arrange the interview, the app asks for a refundable security deposit.

Tuesday, April 30, 2013 @ 04:04 PM gHale

A new Trojan capable of compressing stolen data and uploading document files to remote servers is now seeing use in targeted operations, researchers said.

Upon infecting a machine, the malware, called “Travnet,” gathers victims’ information – such as their computer name, IP address, IP configuration details and a list of running processes – to communicate the information to a command-and-control server.

From there, botnet operators can determine the value of information on the compromised machines at their disposal, while sending further instructions, McAfee Labs researchers said.

Travnet can steal files such as Microsoft Office documents, PDFs and various text files, said Umesh Wanve, a principal research engineer at McAfee Labs, in a blog post.

The Trojan then uses data compression and data-encoding methods that allow it to send large amounts of information to the botnet operators. The stolen data is first compressed using the Lempel–Ziv–Storer–Szymanski (LZSS) algorithm. The data is then encoded using a custom Base64 scheme, a technique that converts binary data to ASCII (American Standard Code for Information Interchange) text.

“The compressed file can be too big to send over HTTP [hypertext transfer protocol], so the bot sends the compressed file in chunks of 1,024 bytes,” Wanve said.

In findings released last month, McAfee determined Travnet was going to victims through emails, and the Trojan exploited already-patched vulnerabilities in Microsoft Office, like CVE-2010-3333, a flaw exploited by the Red October cyber espionage ring.

Tuesday, April 9, 2013 @ 04:04 PM gHale

A botnet that in its prime infected over 100 computers per hour is now under the control of Russian antivirus company Doctor Web.

The firm gained control of BackDoor.Bulknet.739 from its developers, company officials said.

“Doctor Web’s analysts managed to hijack a server used to control the BackDoor.Bulknet.739 botnet and gathered statistics. As of 5 April, over 7,000 bots were connected to the server,” the company said.

The campaign spread itself using malicious spam messages sent automatically from any machine caught up in the zombie network.

“The Trojan facilitates the sending of massive volumes of spam from infected computers. BackDoor mainly targets machines located in Italy, France, Turkey, the USA, Mexico and Thailand,” wrote a Doctor Web researcher.

The firm reported that at its peak the tactic was hugely successful, leading to 100 infections per hour.

Researchers initially uncovered the campaign late in 2012 and have tied it to numerous mass mailing scams.

“The first time BackDoor drew the interest of Doctor Web’s analysts was in October 2012. They discovered the Trojan connected computers into botnets and was enabling criminals to carry out mass spam mailings,” the researchers said.

Doctor Web reported that Microsoft’s Windows XP and Windows 7 operating systems were affected the most, accounting for 42 percent and 52 percent of the known infections respectively.

The botnet’s high success rate is symptomatic of a wider escalation in the complexity and ingenuity of cyber criminals’ attack tools and strategies.

Thursday, April 4, 2013 @ 04:04 PM gHale

The leaders behind the Carberp Trojan and other developers that helped create it are under arrest in Ukraine in a joint investigation by the Security Service of Ukraine (SBU) and the Russian Federal Security Service (FSB).

In a major operation, police busted what they said were the gang’s ringleaders, two Moscow-based brothers in their late 20s, one of whom was also a suspect in a real estate fraud case.

Six accomplices of the pair were also under arrest.

“Our experts did an enormous amount of work, which resulted in identifying the head of this criminal group, the owner and operator of a specialized banking botnet, identifying the control servers, and identifying the directing of traffic from popular websites in order to spread malware infection,” said Ilya Sachkov, chief executive of Group-IB, a security firm that helped investigate the gang’s attacks.

The rest of the group — 20 people all between 25 and 30 years old — were living, working and arrested in Kiev, Zaporozhye, Lvov, Odessa and Kherson, police said.

Each of them worked remotely and was responsible for the development of one part of the malware, officials said. They would send their work to a server in Odessa, where the gang leader would apparently assemble the pieces into the final product. The developers constantly worked on and changed the malware to evade AV detection.

Carberp is a banking Trojan that steals information that attackers can subsequently use to break into individuals’ and businesses’ online banking accounts. It also has a mobile component that allows criminals to steal mobile transaction authentication numbers sent by banks.

A little over a year ago a Russian gang used the Trojan to steal over $2 million from the bank accounts of over 90 individuals. That criminal ring was dismantled. Late last year RSA officials said the team that developed the Trojan had begun to sell and rent it to anyone who could afford it.

According to the Ukrainian news outlet, some of the arrested men are already out on bail, while others remain under house arrest. If they are convicted in a Ukrainian court, the maximum prison sentence they can receive is five years. Some of the arrested individuals have Russian citizenship, so they may be extradited and tried in their native country.
