The latest to hit is a spam e-mail claiming to be from the Facebook team that actually spreads a nasty piece of malware called Bredolab. It’s also been observed the trojan will connect to additional servers to install more malware.

The ultimate goal as usual is to make the victims part of a botnet.

Researchers at several security firms have uncovered a spam campaign targeting Facebook users. The e-mails, which pose as communications from Facebook about password resets, contain a nasty downloader that ultimately makes users part of a notorious botnet.

Researchers at several security firms have tied the Bredolab Trojan to a spam campaign targeting Facebook users.

The malware is being blasted out by spammers in e-mails claiming to come from “The Facebook Team.” Inside the e-mails is a message that the recipient’s Facebook password has been changed. In order to get the new one, recipients are told to open the accompanying attachment containing the malware.

Researchers at Websense told eWEEK Oct. 27 that they have observed more than 350,000 of the messages. On the company’s blog, researchers explained that the malware connects to two servers to download additional malicious files. Among them is Pushdo, also known as Cutwail.

This spam campaign seems to be generating some fairly high levels of traffic meaning whoever is behind it is pretty serious and committed to this vector for disseminating malware.

Social engineering isn’t a new method for propagating malware as always the weakest link is never the technological barriers but is always the stupidity/greed/gullibility of humans.

You can ALWAYS hack the wetware.

“One of the first things we saw this Trojan horse download was the Pushdo bot which began spamming out more of these Facebook password reset emails,” according to M86 Security.

MX Logic noted that Bredolab bypasses firewalls by injecting its own code into the legitimate process svchost.exe and explorer.exe. It also contains anti-sandbox code to thwart researchers, and creates the following files: %AppData%\wiaservg.log, %Windir%\temp\wpv861256600826.exe and %Programs%\Startup\isqsys32.exe. Bredolab also creates the processes isqsys32.exe and svchost.exe.

Sophos is detecting the malware as Troj/BredoZp-M or Mal/Bredo-A.

“Don’t make life easy for the hackers hell-bent on infecting your computer, stealing your identity and emptying your bank account – exercise caution when you receive unsolicited emails and protect your computer with up-to-date security software,” Graham Cluley, senior technology consultant at Sophos, advised in a blog post.

It looks like a pretty advanced piece of malware code which evades firewall measures and even tries to thwart analysis by AV companies.

Anti sandbox code and process injection, these bad guys are getting smart.

That does not bode well for the average citizen.

Source: eWeek

It was uncovered recently that it was being used as a Botnet Control Channel, shortly before that it was subjected to a DoS attack.

This isn’t the first time DMs have been used in a Phishing attack too.

Phishers are targeting Twitter users in a new attack involving direct messages sent to Twitter users containing a link to a site requesting user log-ins.

There are reports of a new phishing scam making the rounds on Twitter. The attack seeks to steal user credentials by sending tweets out with links to a phishing site. The attack site requests the user’s log-in information; once the attackers have that, they can take over the account of the victim and use it to send out more messages.

According to messages from Twitter users, the tweets with the link to the phishing site have to do with the sender supposedly making a certain amount of money. Such periodic phishing attacks on users of the popular microblogging service have become a fact of life.

I’m not exactly sure why anyone would want to steal a bunch of Twitter accounts? Perhaps to monetize them somehow with spam/affiliate schemes.

But the current threat on Twitter is a phishing scam executed via DM with a link to various things including ways to make money, a video of you or some other juicy gossip.

The cornerstones of social engineering in phishing attacks.

In May, researchers at Sophos reported that a number of Twitter users were lured to a phishing site via a tweet with the message: “check this guy out [tinyurl address leading to the attack site].” As was the case in that instance, URL shortening services are increasingly being abused by attackers to mask the Websites they are sending their victims to.

Besides drawing attackers as it has grown, Twitter has also gotten the interest of security researchers, as shown by the “Month of the Twitter Bugs.”

Twitter warned users about the attack, stating in a message: “A bit o’ phishing going on—if you get a weird direct message, don’t click on it and certainly don’t give your log-in creds!”

If you are using Twitter you should follow @spam and keep up to date with what is happening on the network.

Source: eWeek

It seems like with China pumping out the most malware this might be a very useful project, they have designed it quite intelligently too meaning it’s useful for many applications.

A Chinese company that has created a massive database of malware found on Chinese Web sites opened up the information to other security organizations on Thursday. Beijing-based KnownSec gathered the viruses and other information with a crawler that scans nearly 2 million Chinese Web sites each day, Zhao Wei, CEO of the security company, said in an interview in Beijing. He planned to give a presentation on the subject at the Forum of Incident Response and Security Teams (FIRST) security conference in Kyoto, Japan this week.

The database covers more Chinese Web sites and provides more up-to-date information about their security than any other, Zhao said in the interview. China produces the majority of the world’s malware, he said. A history for each site in the database lists dates of malware infection, the strings of malicious code placed on the sites and which antivirus products defend viewers against their attacks. The database also stores tens of thousands of viruses found being distributed by the sites.

Apparently according to McAfee with the current rate of malware growth in China, it could be doubling every year.

And phishing is starting to wake up in China, so get ready for more spam and scam e-mails with terrible English.

KnownSec each day finds more than 100 Trojan downloader files that have never been seen before, Zhao said. Each of those can direct a victim’s PC to download up to ten viruses. The database also has a list of Web sites that are currently compromised. Only about half of the newly infected sites KnownSec finds each day are also listed by Google as dangerous, said Zhao.

Google labels search results it has found to be potentially dangerous during scans of its index. When asked for comment, a Google spokeswoman said organizations need to work together to identify online threats and stamp them out. Security companies and national computer emergency response teams can request access to the KnownSec database, Zhao said. Security companies could use the information to shield users of their antivirus programs against new malware threats, he said.

The majority of the malware is password stealing trojans, which I’d imagine are targeted at users within China themselves and users of China based banks.

The phishing attacks are targeting these same users, either way be careful. It looks like China is jumping into the malware/phishing/spam arena with both feet so expect a rise in threats.

Source: Network World

The biggest news last week was most certainly his death, as usual the bad guys were extremely quick to capitalize on this and were sending out spam within hours of the announcement.

It was suspected malware would follow shortly after, and it did according to F-secure.

Within hours of the death of pop star Michael Jackson, spam trading on his demise hit inboxes, a security firm said today as it warned that more was in the offing.

Just eight hours after news broke about Jackson, U.K.-based Sophos started tracking the first wave of Jackson spam, which used a subject head of “Confidential — Michael Jackson.” The spam wasn’t pitching a product or leading users to a phishing or malware Web site, but instead was trying to dupe users into replying to the message in order to collect e-mail addresses and verify them as legitimate.

“The body of the spam message does not contain any call-to-action link such as a URL, e-mail or phone number,” said Sophos in its company’s blog today. “But the spammer can harvest receivers’ e-mail addresses via a free live e-mail address if the spam message is replied to.”

The original versions were just plain old spam to harvest addresses, but later malware laden versions followed which dropped IRC bots and backdoors detected as “Trojan.Win32.Buzus.bjyo”.

It’s sad to see such things happening, but social engineering attacks to spread malware are always expected when some big news like this breaks.

Nothing is sacred to the dark side of the Internet.

The timing of that campaign was not coincidental: It followed Jackson’s acquittal on all charges in child sexual abuse. “The news of his suicide attempt was believable,” said Cluley, who noted that scammers and hackers often trade on tragedies to get people to click links. In that case, users were hit with a hacker toolkit that tried several exploits against Internet Explorer.

“I wouldn’t be surprised to see hackers claiming that they have top-secret footage from the hospital, perhaps [allegedly] taken by the ambulance people, that then asks you to install a video codec,” said Cluley, talking about a common malware ploy. Users who click on the supposed codec update link are, in fact, then infected with attack code, often a bot that hijacks their computer.

So do warn people, if someone e-mails them pictures or videos claiming to be secret or exclusive footage surrounding the death of Michael Jackson – it’s most likely an infection vector.

Common sense prevails, but is sadly not common.

RIP Michael.

Source: Network World

More people with websites means more FTP details to be stolen, and more websites to be spammed up by malware propagators.

With that sentiment, Gumblar is gaining more traction poisoning Google search results.

A Web attack that poisons Google search results is getting worse, according to security researchers.

The attack first relies on compromising normally legitimate website and planting malicious scripts. US CERT reports that stolen FTP credentials are reckoned to be the main technique in play during this stage of the attack but poor configuration settings and vulnerable web applications might also play a part.

Surfers who visit compromised websites are exposed to attacks that rely on well-known PDF and Flash Player vulnerabilities to plant malware onto Windows PCs.

This malware is designed to redirect Google search results as well as to swipe sensitive information from compromised machines, according to early findings from ongoing analysis.

Unsurprisingly the infection vectors are still the same, the recent PDF and Flash exploits. You can bank on the majority of people not installing the updates and still being vulnerable.

As always make sure any networks you manage are updated and the people you know have the latest versions of the software they use to read PDFs and Flash Player.

The SANS Institute’s Internet Storm Centre (ISC) adds that the attack has been around for some time but has intensified over recent days. Initially the malware was served up onto vulnerable Windows clients from the website gumblar.cn, which has been offline since Friday. A second domain – martuz.cn – has taken over this key role in the attack, ISC reports.

Web security scanning firm ScanSafe, which was among the first to warn of the rise of the attack, notes that the reference to martuz.cn in more recent attacks has been obfuscated, possibly in an attempt to thwart rudimentary blacklists. “The URI resulting from the injected script might appear as mar”+”tuz.cn instead of just martuz.cn,” writes ScanSafe researcher Mary Landesman.

ScanSafe reported on Monday that Gumblar more than trebled (up 246 per cent) over the preceding week. It describes Gumblar as a botnet of compromised websites in a series of blog postings on the attack, which can be found here. Sophos reckons the Gumblar-related malware appeared in 42 per cent of all the newly infected websites it detected last week.

From the domains being used it seems probably that this attack originated from China, perhaps they are starting to cash in on the malware distribution/spam/info trading scene online.

If they can from behind “The Great Firewall of China“.

It seems like the Gumblar activity has intensified significantly in recent weeks though so do watch out for it. Make sure anyone who has FTP access to any websites you run has a secure system.

Source: The Register

It seems like Torpig has been pretty active since then and the latest break is that some security researchers have managed to infiltrate the botnet and collect some data on what it’s doing.

I always enjoy reading about these ‘insider’ stories though as it’s hard to know unless someone gets access what these botnet fellas are really achieving.

Security researchers have managed to infiltrate the Torpig botnet, a feat that allowed them to gain important new insights into one of the world’s most notorious zombie networks by collecting an astounding 70 GB worth of data stolen in just 10 days.

During that time, Torpig bots stole more than 8,300 credentials used to login to 410 different financial institutions, according to the research team from the University of California at Santa Barbara. More than 21 percent of the accounts belonged to PayPal users. Overall, a total of almost 298,000 unique credentials were intercepted from more than 52,000 infected machines.

One of the secrets behind the unusually large haul is Torpig’s ability to siphon credentials from a large number of computer programs. After wrapping its tentacles around Mozilla Thunderbird, Microsoft Outlook, Skype, ICQ, and 26 other applications, Torpig constantly monitors every keystroke entered into them. Every 20 minutes, the malware automatically uploads new data to servers controlled by the authors.

It seems like once Torpig is dug into the machine it can get hold of everything, being based on a low level rootkit it can intercept anything including important credentials from financial institutions and money services like Paypal.

The numbers are quite huge with the malware having the ability to steal all kinds of accounts and access details from both software and web based applications.

In all, the researchers counted more than 180,000 infected PCs that connected from 1.2 million IP addresses. The data underscores the importance of choosing the right methodology for determining the actual size of a botnet and, specifically, not equating the number of unique IP addresses with the number of zombies. “Taking this value as the botnet size would overestimate the actual size by an order of magnitude,” they caution.

Torpig, which also goes by the names Sinowal and Anserin, is distributed through Mebroot, a rootkit that takes hold of a computer by rewriting the hard drive’s master boot record. As a result, Mebroot is executed during the early stages of a PC’s boot process, allowing it to bypass anti-virus and other security software.
By infiltrating Torpig, the researchers were able to become flies on the wall that could watch infected users as they unwittingly handed over sensitive login credentials. One victim, an agent for an at-home, distributed call center, transmitted no fewer than 30 credit card numbers, presumably belonging to customers, the researchers guessed.

The number of unique IP addresses per infection is quite interesting too and it shows if you estimate the size of a botnet by unique IP addresses you could easily be out by a factor of 5.

And wow, infecting a call center PC dealing with credit cards? That must be a botnet masters wet-dream – that really is a gold mine.

Imagine if they could spread the infection through the whole call-center, they would be rolling in credit card details.

Source: The Register

Well it looks like the spammers have got their acts back together as spam levels are back up to 91% of their previous volume.

Having McColo shut down was nice, but honestly did anyone think it was going to have a serious long term effect on spam? I didn’t…the spammers are going to find another ISP they can use, even if it’s in another country.

Junk e-mail now back to 91% of its usual levels, says Symantec.

The days of blissfully empty in-boxes are long gone – get ready for another onslaught of spam. Symantec’s monthly State of Spam report, out today, shows that levels of spam are approaching the dizzy heights they reached last year, before the sudden shutdown of rogue hosting company McColo.

It estimates that spam now comprises about 85 per cent of all email traffic, thanks to old bot-nets being brought back online and new ones created.

So if you’re a sys-admin and you’ve been enjoying the break from super high volumes of spam – be prepared for it to start pouring back in again.

It seems like South America is seeing a rise in spam activites too, perhaps due to the spread of Internet connectivity and broadband rollout.

You often see the numbers of compromised machines in a country or region is extremely high when they first get connected (remember when Korea came online?).

The EMEA (Europe, the Middle East and Africa) region continues to be the leading source of all zombie IP addresses, hosting 45 per cent of active zombie computers in March 2009 – although Brazil has seen a surge in compromised computers. It now has 14 per cent of all the world’s zombie machines.

Despite these figures, the US continues to be the main source of spam messages (accounting for a full quarter of all spam sent) – the UK has the dubious honour of rounding out the top ten, with a 2 per cent share.

Symantec has also noticed a change in spam subject matter, from get-rich-quick schemes to the sad business of avoiding having your home repossessed.

One ray of spring sunshine – video spam has not taken off as some experts feared. The most common size of spam email (75 per cent of all sent) is a featherweight 2 to 5 KB.

Seems like even the nature of spam is changing to accommodate the recession, these spammers really capitalise on whatever is going on in the World.

I guess that’s why it works and why they still keep spamming, basic social engineering and greed work very well together.

Thankfully no video spam though, imagine if you’re on mobile data…and you start receiving 1-3mb spams!

Source: Techradar (Thanks Navin)

I guess it’s hard to control a 3rd party call center though and who works there of course. I guess from now on they will be running their ship a little bit tighter, I’ve conducted audits on centers which deal with financial information before and the security was insane. Unless you etched the info into your body with a paperclip there’s no way you were getting it out of there.

A criminal gang selling UK credit card details stolen from Indian call centres has been exposed by an undercover BBC News investigation.

Reporters posing as fraudsters bought UK names, addresses and valid credit card details from a Delhi-based man. The seller denied any wrongdoing and Symantec corporation, from whom three victims bought a product via a call centre, called the incident “isolated”. Card fraud totalled £609m during 2008, according to payments group Apacs.

Symantec said it requires rigorous security measures of any third-party call centre agents and it believed the breach had been limited to a single agent. The BBC team went to India on a tip off after being put in touch with a man offering to sell stolen credit and debit card details.

The price they charged is quite high too, more than double the normal online rate for purchasing dodgy credit card details. I guess they could fetch a premium though being UK cards and having a high chance of being active, valid cards.

It turns out the info wasn’t that accurate, but it was good enough to commit some online fraud.

He told the pair he could supply them with hundreds of credit and debit card details each week at a cost of $10 dollars a card. After the reporters agreed to initially buy the details of 50 cards, the man handed over a list of 14. He said the remainder would be sent later by e-mail.

The man claimed some of the numbers had been obtained from call centres handling mobile phone sales, or payments for phone bills. Back in the UK, the broker continued to supply card details to one of the undercover reporters by email.

Nearly all of the names, addresses and post codes sold to the BBC team were valid. But most of the numbers attached to them were invalid – often out by a single digit. However, about one in seven of the numbers purchased were valid – active cards still in use by UK customers. Their owners could have been subjected to fraud if these cards had fallen into the hands of criminals.

It just goes to show, even when you’re not being phished you’re still in danger of being conned and defrauded.

Just be careful what you buy and how you buy it, I’d say buying online from a HTTPS site with a valid certificate from a real CA is much safer than doing it over the phone.

But then that’s just me.

Source: BBC News

It seems like the Conficker authors are really serious about retaining control of their botnet and expanding it further without hindrance from the companies trying to stop them.

It’s quite likely they are netting some serious cash from the network of infected computers, with estimates at over 10 million now that’s a large collection of computers for brute forcing, e-mail spam or DDoS attacks.

The authors of the latest variant of the Conficker worm are upping the ante against security vendors who are working to stop the spread and threat of the persistent program.

Conficker.C shuts down security services, blocks computers from connecting to security Web sites, and downloads a Trojan. It also is programmed to begin connecting to 50,000 different domains on April 1 to receive updated copies or other malware, as opposed to connecting to 250 domains a day as previous versions are doing, Ben Greenbaum, senior research manager for Symantec Security Response, said on Friday.

The authors of the code are “strengthening their hold on their collection of infected machines at the same time they are attempting to strengthen their ability to control those machines by moving to 50,000 domains,” he said.

A self-described “cabal” of companies, including Microsoft, Symantec, and a host of domain registration providers, have been trying to thwart the efforts of Conficker by pre-registering and locking up the domain names being used by the worm to distribute updates.

They are getting sneaky now, targeting security software and services on an infected PC and blocking it from accessing related sites that could help a user fix the infection.

Plus they have expanded their ‘update’ domains to 50,000 – which will take a huge effort to get all of the domains blocked.

I wonder what the next step will be in protecting again this?

Now that Conficker.C is targeting 50,000 domains, the group has its work cut out for it, Greenbaum said. Regardless, “it’s unknown at this point whether (boosting the domains) is an effective sidestep around the cabal’s actions,” he said.

The worm, also called Kido or Downadup, was first detected in November and is believed to have infected more than 10,000 computers. The first two versions exploit a vulnerability that Microsoft patched in October.

The second variant, Conficker.B, was detected last month. It added the ability to spread through network shares and via removable storage devices, like USB drives, through the AutoRun function in Windows.

Among the domains targeted by Conficker was that of Southwest Airlines, which was expected to see an increase in traffic from the botnet on Friday, Sophos said last week. However, a Southwest spokesman said there had been no impact to the site from any additional traffic as a result of Conficker.

I hope this stays as just Conficker, if there’s another large scale breakout we might be in trouble again. There is a way to remove it though, so if you know anyone that has managed to get themselves infected you can give them the below links:

• Enigma Software Group Conficker Removal Tool
• BitDefender Conficker Removal Tool

Source: Cnet (Thanks Navin)

They claim it’s not illegal as they caused no harm and only sent spam to e-mail accounts used by themselves. Technically I think it’s still breaking the law under the Computer Misuse Act but most likely nothing would happen as they caused no damage or losses (According to lawyer Struan Robertson BBC did violate the act).

Software used to control thousands of home computers has been acquired online by the BBC as part of an investigation into global cyber crime.

The technology programme Click has demonstrated just how at risk PCs are of being taken over by hackers. Almost 22,000 computers made up Click’s network of hijacked machines, which has now been disabled.

The BBC has now warned users that their PCs are infected, and advised them on how to make their systems more secure. Click managed to acquire its own low-value botnet – the name given to a network of hijacked computers – after visiting chatrooms on the internet.

The programme did not access any personal information on the infected PCs. If this exercise had been done with criminal intent it would be breaking the law.

The whole thing has created quite a furor in the computer security scene, with people debating the legality and ethics involved.

Which was probably what the BBC wanted in the first place, the more people talk about it the better right?

SMH even claim the whole thing back-fired.

By prior agreement, Click launched a Distributed Denial of Service (DDoS) attack on a backup site owned by security company Prevx. Click then ordered its slave PCs to bombard its target site with requests for access to make it inaccessible.

Amazingly, it took only 60 machines to overload the site’s bandwidth. DDoS attacks are used by extortionists who threaten to knock a site offline unless a hefty ransom is paid. Jacques Erasmus from Prevx said that high-traffic websites with big revenues are a “massive target” for this kind of attack.

“Cyber criminals are getting into contact with websites and threatening them with DDoS attacks. “The loss of trade is very substantial so a lot of these websites just pay-up to avoid it,” he explained.

But well pushing the boundaries, that’s what investigative journalism is about right? We’ve had enough programs about pimps, triads and drugs – why not some about cybercrime and the underbelly on the Internet.

I hope I manage to view the show, it sounds like it’ll be interesting (even if ethically questionable).

But well aren’t all the best things on that thin grey line?

Source: BBC