2010
09.30

In the latest of a series of arrests to be made in relation to online bank fraud, the Met’s e-crime unit has struck again, taking 19 alleged cyber-criminals into custody.

The gang is suspected of having stolen some £6 million over the last three months, according to the BBC News (just enough money for them to be able to construct their own bionic man).

via Police nab 19 over Zeus botnet bank fraud.

2010
09.28

In this post, we are going to talk about a better alternative planned by a ZeuS gang: infect the mobile device and sniff all the SMS messages that are being delivered. The scenario is now easier:

1. The attacker steals both the online username and password using malware (ZeuS 2.x)

2. The attacker infects the user’s mobile device by forcing him to install a malicious application (he sends an SMS with a link to the malicious mobile application)

3. The attacker logs in with the stolen credentials using the user’s computer as a socks/proxy and performs a specific operation that needs SMS authentication

4. An SMS is sent to the user’s mobile device with the authentication code. The malicious software running on the device forwards the SMS to another terminal controlled by the attacker

5. The attacker fills in the authentication code and completes the operation.

via S21sec Security Blog: ZeuS Mitmo: Man-in-the-mobile (I).

2010
09.28

The flaw in the Zeus crimeware kit makes it trivial to hijack the C&C, or command and control, channels used to send instructions and software updates to compromised computers that often number in the hundreds of thousands. There are in turn thousands or tens of thousands of botnets that are spawned from Zeus, and the vast majority are susceptible to the technique.

via Zeus botnets’ Achilles’ Heel makes infiltration easy • The Register.

The full blog post here.

2010
09.20

[..]

Over the years Zeus has been released in a lot of different versions, adding or changing functionality, and is highly flexible in its configuration, so this is just a snapshot of one version (1.2.7.19), giving an overview of its functionality.

In the early part of this blog I will disclose the process involved in building and distributing Zeus botnet in the wild. In the later part, I will discuss how Zeus captures personal information by injecting code dynamically, and finally some thoughts on Command and Control.

[..]

via Computer Security Research – McAfee Labs Blog.

2010
09.20

Basically, the scam works like this: The botmaster acquires some freeware utility or legitimate program, renames it, claims it as his own and places it up for sale at one of several pre-selected software sales and distribution platforms, including ClickBank, FastSpring, eSellerate, SetSystems, or Shareit. The botmaster then logs in to his SpyEye control panel, pictured above, feeds it a list of credit card numbers and corresponding cardholder data, after which SpyEye opens an Internet Explorer window and — at user-defined intervals — starts auto-filling the proper fields at the botmaster’s online store and making purchases.

via SpyEye Botnet’s Bogus Billing Feature — Krebs on Security.

2010
09.16

During a recent investigation into a server hosting SpyEye, we noticed that there were several open directories that led to other control panels. SpyEye was also the same malware family that recently targeted Polish users. One of the control panels is for URLZone/Bebloh. The other control panel, on the other hand, did not have any name or version so we named it after the server, “Spencerlor.” The investigation led to the discovery of what seems to be three botnets running on one server, which appears to be operated by at least two remote users, as the logs revealed.

[..]

These screenshots clearly show the constant improvements that bot control panels undergo. As shown here, cybercriminals are finding newer means to automate money transfer.

via One Server, Multiple Botnets | Malware Blog | Trend Micro.

2010
09.15

Security researchers have discovered another botnet that uses Twitter as a command and control channel. Malware-infected drones in the Mehika Twitter botnet, active in Mexico this summer, take instructions from a Twitter account maintained by hackers instead of conventional command and control servers. The use of Twitter as a botnet command channel was first detected in August 2009 before similar techniques were applied to abuse Facebook profiles as command channels a few months later in November.

via Mexican Twitter-controlled botnet unpicked • The Register.
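A bot that polls a public status page for orders looks, on the wire, like a very regular reader of that page. The following is an added example (not code from The Register article or from any analysis of Mehika itself) that runs a simple beacon-periodicity check over constructed proxy log lines: it groups requests by client and URL and flags series whose inter-request intervals barely vary. The log format, the client addresses, the account name `c2account` and the `statuses/user_timeline/...rss` path are all made up for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log: "<epoch> <client> <method> <url>". Host 10.0.0.5 polls
# one status feed every ~300 s (bot-like); 10.0.0.7 browses irregularly.
# Account name, path and addresses are hypothetical.
SAMPLE_LOG = """\
1284534000.100 10.0.0.5 GET http://twitter.com/statuses/user_timeline/c2account.rss
1284534001.500 10.0.0.7 GET http://twitter.com/home
1284534300.200 10.0.0.5 GET http://twitter.com/statuses/user_timeline/c2account.rss
1284534412.000 10.0.0.7 GET http://twitter.com/statuses/user_timeline/friend.rss
1284534600.100 10.0.0.5 GET http://twitter.com/statuses/user_timeline/c2account.rss
1284534900.400 10.0.0.5 GET http://twitter.com/statuses/user_timeline/c2account.rss
1284535200.000 10.0.0.5 GET http://twitter.com/statuses/user_timeline/c2account.rss
1284535490.000 10.0.0.7 GET http://twitter.com/home
1284535500.300 10.0.0.5 GET http://twitter.com/statuses/user_timeline/c2account.rss
1284538000.000 10.0.0.7 GET http://twitter.com/statuses/user_timeline/friend.rss
"""

LINE_RE = re.compile(r"^(\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse(log_text):
    """Group request timestamps by (client, url). Malformed lines are skipped."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url = m.groups()
        events[(client, url)].append(float(ts))
    return events


def find_beacons(events, min_hits=5, max_cv=0.05):
    """Return (client, url, mean_interval_s) for series whose gaps between
    requests are nearly constant (coefficient of variation <= max_cv).
    A human reloading a page does not produce gaps this regular; a bot
    polling a fixed account for instructions does."""
    hits = []
    for (client, url), times in events.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        cv = pstdev(gaps) / mu if mu > 0 else float("inf")
        if cv <= max_cv:
            hits.append((client, url, round(mu, 1)))
    return hits


if __name__ == "__main__":
    for client, url, period in find_beacons(parse(SAMPLE_LOG)):
        print(f"{client} polls {url} every ~{period}s")
```

Treat a hit as a lead, not a verdict: feed readers and monitoring agents also poll on fixed timers, so the next step is to look at what the polled account actually publishes and how many internal hosts fetch it.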

2010
09.13

[..]

According to their respective configuration files, the versions of these samples are 1.3.7.0 and 1.4.1.3. Let’s see the most relevant differences in comparison with the most common versions:

[..]

– Encrypted connection. Both the downloading of the configuration file and access to the control panel are made through SSL connection. This is new; both 1.x and 2.x perform an HTTP connection in plain text, sending the encrypted data along with their respective algorithms.

– Change of encryption. The encryption used is the RC4 seen to date, but with a slight change in its “step”. It doesn’t use the XOR encryption layer used by versions 2.x.

[..]

via S21sec Security Blog: ZeuS: The missing link.
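The practical consequence of the encryption differences above is that a config decoder has to know which variant it is looking at. The following is an added example (not S21sec's code, and not taken from any ZeuS sample) showing standard RC4 with and without a simple XOR chaining post-layer. The chaining layer here stands in for the "XOR encryption layer" the post says 2.x uses; its exact form is an assumption for illustration, and the "step" change in RC4 that the post mentions is not modelled. The key and config fragment are constructed.

```python
# Added example: RC4 config decryption with an optional XOR chaining layer.
# The XOR layer's form is an assumption, not taken from the S21sec post.

def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute 0..255 under the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). Symmetric: one call encrypts or decrypts."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_chain(data: bytes) -> bytes:
    """Illustrative XOR layer (assumption): each byte is XORed with the
    preceding already-transformed byte, so one changed plaintext byte
    alters every byte that follows it."""
    out = bytearray(data)
    for i in range(1, len(out)):
        out[i] ^= out[i - 1]
    return bytes(out)


def xor_unchain(data: bytes) -> bytes:
    """Inverse of xor_chain: walk backwards so out[i-1] is still ciphertext."""
    out = bytearray(data)
    for i in range(len(out) - 1, 0, -1):
        out[i] ^= out[i - 1]
    return bytes(out)


def encrypt_config(plain: bytes, key: bytes, xor_layer: bool) -> bytes:
    """xor_layer=True models the 2.x-style pipeline, False the 1.3.7.0 style."""
    body = xor_chain(plain) if xor_layer else plain
    return rc4(key, body)


def decrypt_config(blob: bytes, key: bytes, xor_layer: bool) -> bytes:
    body = rc4(key, blob)
    return xor_unchain(body) if xor_layer else body


# Constructed sample data: not a real ZeuS key or config.
SAMPLE_KEY = b"example-botnet-key"
SAMPLE_CONFIG = (b"url_config http://example.invalid/cfg.bin\n"
                 b"url_server http://example.invalid/gate.php\n")


def demo() -> dict:
    """Show that a decoder written for one variant mis-decodes the other."""
    blob_2x = encrypt_config(SAMPLE_CONFIG, SAMPLE_KEY, xor_layer=True)
    blob_13 = encrypt_config(SAMPLE_CONFIG, SAMPLE_KEY, xor_layer=False)
    return {
        "2x_blob_2x_decoder": decrypt_config(blob_2x, SAMPLE_KEY, True) == SAMPLE_CONFIG,
        "2x_blob_13_decoder": decrypt_config(blob_2x, SAMPLE_KEY, False) == SAMPLE_CONFIG,
        "13_blob_13_decoder": decrypt_config(blob_13, SAMPLE_KEY, False) == SAMPLE_CONFIG,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'ok' if ok else 'garbage'}")
```

Because RC4 is a pure keystream XOR, the only thing that distinguishes the variants in this model is whether the extra layer is peeled off after the RC4 pass; a tool that guesses wrong gets plausible-looking but wrong bytes rather than an error, so it pays to check the decoded output for expected config keywords before trusting it.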

2010
09.13

[..] but I can assure you the site’s designers sure did a superb job making it look legitimate. Included on nearly every page are pictures of fellow “employees,” and exemplary trainees, which are really just photos lifted from dozens of random Web sites. Among my favorite areas of the site is the Agent Awards section, which includes a couple of photos swiped from Travel Weekly.

via A One-Stop Money Mule Fraud Shop — Krebs on Security.

2010
09.09

We were able to further investigate a command-and-control (C&C) server of a SpyEye botnet, most of whose zombies were located in Poland. This is somewhat unusual, as bot herders prefer to target Western countries like the United States, the United Kingdom, Germany, Italy, Spain, and France.

via Uncovered Spyeye C&C Server Targets Polish Users | Malware Blog | Trend Micro.