Researchers Find Flaws in Google’s reCAPTCHA

Written by Sue Walsh on December 18, 2009

A new report by security researchers claims that Google’s reCAPTCHA system is flawed, so flawed that it would allow a botnet with just 10,000 zombies to manage 10 recognition successes an hour, resulting in over 850,000 fake accounts being registered each day. The researchers say the flaw is the same one that has plagued all CAPTCHA services, the human factor, but with a twist.

The Koobface botnet is distributing a new variant of its Trojan that forces the user of the computer it infects to solve a CAPTCHA. The user is presented with a Windows pop-up directing them to solve the CAPTCHA provided or their system will be shut down. The solved CAPTCHA is then sent to the botnet’s C&C channel and used to create a fake Blogspot blog which is populated with content from Google News. Koobface uses SEO techniques to ensure these blogs are packed with hot topics and sure to appear at the top of search engines. The links in these fake blogs redirect to a fake Facebook page where the user is directed to download a “flash player update” which is really the Koobface Trojan. The same technique is used to create fake Gmail and Facebook accounts which are also used to distribute the malware. Once Koobface infects a system it steals credit card numbers and other personal information.

The underground economy of human driven CAPTCHA solving is booming as well, further weakening the effectiveness of CAPTCHA systems. Services offering bulk orders of solved CAPTCHAs for Web 2.0 and social media services are exploding and prices are lower than ever. One service offers 1 million solved CAPTCHAs for $800. However, with Koobface taking CAPTCHA solving into its own hands, other malware distributors may follow suit, leading to the CAPTCHA solving industry’s demise.

Google denies that their reCAPTCHA is flawed, claiming the data used in the report is outdated.

“Therefore, this study does not reflect the effectiveness of reCAPTCHA’s current technology against machine solvers,” said a Google spokesman. “We’ve found reCAPTCHA to be far more resilient while also striking a good balance with human usability, and we’ve received very positive feedback from customers.”

Zeus Botnet Using Amazon Service as C&C Server

Written by Sue Walsh on December 14, 2009


Amazon’s EC2 service is the latest cloud-based service being exploited by the Zeus Trojan. Security researchers have discovered the Trojan is using EC2 as one of its command and control centers. PCs that have been infected with the malware and turned into zombies report to the service for updates, instructions and possibly even more malware.

“We believe this was a legitimate service that was purchased and compromised via a vulnerability” such as a weak password, Don DeBolt, CA’s director of threat research, told The Reg. “It could have been any vulnerable system on the internet.”

Other services that Zeus has been using as C&C centers include Twitter, Facebook, and Google Apps. Such sites are attractive to botnet herders because they are cheap, easily available and simply don’t set off any alarms or notifications when the zombies connect to them. Another thing that makes them attractive is that, unlike obscure Chinese or Russian domains, blacklisting such popular services simply isn’t likely to ever happen. In effect they are using these services as camouflage.

Amazon shut down the infected EC2 channel after being notified, but it likely won’t keep Zeus down for long. Cybercriminals have invaded the Cloud and are here to stay.

New Spam Promises Macbook, Delivers Malware

Written by Sue Walsh on November 27, 2009


A new wave of malicious spam makes promises of a free MacBook Air but delivers malware instead. The spam messages were only recently detected and arrived with the subject line “Congratulations!” The body of the message reads “Congratulations! You have won todays Macbook Air. Please open attached file and see details.”

The file is an .exe file that installs malware on to the system. The malware has been identified as TROJ_AGENT.AWYQ. Once installed it drops TROJ_CUTWAIL.GO, which adds the infected computer to the Cutwail/Pushdo botnet. A spam module is downloaded along with one or more “campaign modules” which contain third-party malware from a number of different sources. It’s also programmed to connect to web-based email providers it detects the infected computer has logged into, such as Hotmail, Yahoo! and Gmail, and send out copies of itself.

Cutwail/Pushdo is one of the largest botnets in the world, sending out millions of spam messages a day.

Zbot Trojan Ring Busted

Written by Sue Walsh on November 20, 2009


Authorities in the UK have arrested two people suspected of distributing the Zeus Trojan. The arrests were made by the Metropolitan Police’s Central e-Crime Unit and are the first ever in connection with the Trojan, which has infected hundreds of thousands of computers across the globe.

Detective Inspector Colin Wetherill of the PCeU said: “The Zeus Trojan is a piece of malware used increasingly by criminals to obtain huge quantities of sensitive information from thousands of compromised computers around the world. The arrests represent a considerable breakthrough in our increasing efforts to combat online criminality.”

Zeus records banking account numbers, logins and other personal info and adds the infected computer to the ZBot botnet, which then uses the computer to pump out malicious spam designed to spread the infection.

Authorities would not identify the two suspects, saying only that they are a man and a woman in their 20s. They are being charged under the 1990 Computer Misuse Act and the 2006 Fraud Act.

Security experts say Zeus is spreading so fast because there is a toolkit available that allows anyone to customize the malware, create their own versions, and use it to commit bank fraud.

Gumblar has new face on ugly head

Written by John P Mello Jr on November 9, 2009

Gumblar uses SQL injection to infect Web servers.

Malware watchers are reporting that the Gumblar botnet is working its mischief once again, this time on a larger scale than ever. The malicious software first attracted the notice of White Hats this spring when it used SQL injection attacks to infect legitimate websites–sites such as Tennis.com, Variety, and Coldwellbanker.com–and spread itself to the personal computers of visitors to those netposts. SQL injection attacks are performed on the database layer of an application. They take advantage of code that passes user input into database queries without validating it, so that crafted input changes what the query does and produces unintended consequences, such as letting a user through without authenticating their identity.
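The authentication-bypass consequence described above, shown as an added example that is not part of the article or of Gumblar’s code: a login check that splices user input into the SQL text, beside the parameterised form that treats the same input as plain data. The table, rows and inputs are constructed for the demo.

```python
import sqlite3

# Constructed in-memory database standing in for the application's
# "database layer"; schema and rows are assumptions, not from the article.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, name, password):
    # User input is pasted straight into the SQL text, so the input can
    # change the meaning of the statement instead of only supplying a value.
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone()[0] > 0

def login_safe(conn, name, password):
    # Parameterised query: the driver sends the input as data, so quotes
    # and SQL keywords inside it are never parsed as part of the statement.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0

def demo():
    conn = make_db()
    # Textbook bypass input: it closes the password literal and appends a
    # condition that is always true, so the WHERE clause matches a row
    # even though no valid password was supplied.
    bypass = "' OR '1'='1"
    return {
        "vuln_bypass": login_vulnerable(conn, "alice", bypass),  # True
        "safe_bypass": login_safe(conn, "alice", bypass),        # False
        "safe_correct": login_safe(conn, "alice", "s3cret"),     # True
    }
```

The only difference between the two functions is whether the database driver or the application's string formatting decides where the data ends, which is the whole defence.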

After making its initial splash, its activity abated only to experience a revival at the end of the summer. Now it’s running wild again, according to security researchers, infecting hundreds of trusted sites and through them, thousands of PCs.

In its birth form, the badapp poisoned a site’s back-end server or used an iFrame or other ploy to redirect a visitor to a black server for a proper fleecing and contamination. The use of iFrames has become a popular ruse of cyberbandits. Once injected into a trusted site, it redirects a browser to another iFrame that executes clandestine JavaScript code on an unsuspecting keyboard jock’s computer. The code then connects to Net places where more code is secretly executed to exploit vulnerabilities in a target system. Crackers leverage those vulnerabilities to gain control of a user’s computer and filch usernames, passwords and other information from the system. The malware also looks for FTP credentials so it can infect more servers.


New Malware Covers Its Tracks By Altering Bank Statements

Written by Sue Walsh on October 26, 2009


A recently discovered Trojan has a sneaky and disturbing new trick up its sleeve. It can alter a victim’s online bank statement. Dubbed URLZone, the Trojan is able to alter a page’s HTML before it’s displayed. This lets it rewrite bank statements to hide the fraudulent activity underway, which buys the scammers more time to clean out the account.

“The Trojan is hooked into your browser and dynamically modifies the text in the html,” says Yuval Ben-Itzhak, chief technology officer of computer security firm Finjan. “It’s a very sophisticated technique. They instruct the Trojan that the next time you log into your online banking account, they actually modify and change the statement you see there. If you don’t know it, you won’t report it to the bank so they have more time to cash out.”

The money is then sent to money mules who were tricked into doing the scammers’ dirty work. Most fell for the fake job-posting spam advertising a lucrative work-at-home position and have no idea they are being scammed too.

URLZone is controlled by a server in the Ukraine. While officials there announced they had suspended its domain, count on it to simply find a new home. As we saw after the McColo shutdown last year it doesn’t take long at all for hackers and scammers to set up shop somewhere else. Finjan says the URLZone operation could easily make over $7 million a year.

Money mulers expanding horizons

Written by John P Mello Jr on October 22, 2009

The Zeus Trojan is a favorite of muleskinners.

Money muling, until recently, has been used by information highwaymen to prey on unwitting consumers. Muleskinners had modest goals. Their scams ranged from $200 to $2000. Their targets were consumers with more greed than sense. Recent muling patterns, however, indicate that these fraudsters are expanding their ambitions and hatching cons to snatch larger amounts from small businesses.

  • In May, a Texas company was clipped of $1.2 million with the help of some 40 “mules.”
  • In July, muleskinners in the Ukraine skimmed $415,000 from accounts for Bullitt County, Ky. The county realized something was askew when it found unauthorized wire transfers of $10,000 or less from its payroll coffers were being made to accounts of at least 25 people across the country. In the United States, money transfers must exceed $10,000 before they are subject to special reporting requirements under the Bank Secrecy Act of 1970.
  • In September, Downeast Energy & Building Supply, a heating and hardware firm in Brunswick, Maine, saw $200,000 disappear from its online bank account, siphoned into the accounts of at least 20 individuals nationwide.
  • This month, the Pease Development Authority, the agency that manages ports in the Portsmouth, N.H. area discovered about $100,000 in transfers instigated by muleskinners.
  • Also this month, thieves attempted to transfer $87,000 from the accounts of the St. Isadore Catholic Church in Danville, Calif. to about a half dozen mules, but were thwarted when the church’s bank blocked the transfer.
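The Bullitt County pattern above, many transfers each kept just under the $10,000 reporting line and fanned out to many recipients, is something a bank’s own monitoring can flag. The following is an added illustration, not code from any bank or from the article: it scans a constructed list of outbound wires and alerts when one source account sends several sub-threshold transfers to many distinct recipients within a window. The band, window and recipient count are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample wire records (not real data):
# (timestamp, source account, destination account, amount in USD).
SAMPLE_TRANSFERS = [
    ("2009-07-01 09:12", "county-payroll", "dest-001", 9900.00),
    ("2009-07-01 09:40", "county-payroll", "dest-002", 9850.00),
    ("2009-07-01 10:05", "county-payroll", "dest-003", 9700.00),
    ("2009-07-01 10:30", "county-payroll", "dest-004", 9950.00),
    ("2009-07-01 11:02", "county-payroll", "dest-005", 9600.00),
    ("2009-07-01 11:45", "county-payroll", "dest-006", 9800.00),
    ("2009-07-01 12:10", "county-payroll", "vendor-acme", 14000.00),  # above the line, reported anyway
    ("2009-07-01 13:00", "general-fund", "utility-co", 2300.00),     # ordinary small payment
]

CTR_THRESHOLD = 10_000.00  # Bank Secrecy Act reporting line mentioned in the article

def find_structured_fanout(transfers, window_hours=24, min_recipients=5, band=0.80):
    """Return alerts for source accounts that send transfers just under the
    threshold to at least `min_recipients` distinct accounts within `window_hours`.
    `band` is the fraction of the threshold above which an amount counts as
    'just under' (assumed tuning value)."""
    by_source = defaultdict(list)
    for ts, src, dst, amt in transfers:
        if band * CTR_THRESHOLD <= amt < CTR_THRESHOLD:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
            by_source[src].append((when, dst, amt))
    window = timedelta(hours=window_hours)
    alerts = []
    for src, rows in by_source.items():
        rows.sort()
        # Slide a window over this account's sub-threshold transfers and
        # alert on the first window that fans out to enough recipients.
        for i, (start, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - start <= window]
            recipients = {r[1] for r in in_window}
            if len(recipients) >= min_recipients:
                alerts.append({"source": src, "recipients": len(recipients),
                               "total": round(sum(r[2] for r in in_window), 2)})
                break
    return alerts
```

Run against the sample, the payroll account trips the rule with six recipients and $58,800 moved, while the single over-threshold vendor payment and the small utility payment are left alone.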

A key component of these scams is the money mule. Mules are individuals recruited through blind employment ads posted on the Internet or through spam mailings. On some occasions, mules have been initially recruited as copy editors and proofreaders hired at minimum wage to clean up spam letters used to recruit more mules. When pressed for payment for the editing work, a muleskinner will attempt to recruit the editor as a “local agent” for transferring money.


Researchers say malware cultural problem

Written by John P Mello Jr on October 9, 2009

Malware is fundamentally a cultural problem, according to an octet of academics who hijacked control of a malicious computer network, or botnet, for 10 days earlier this year.

“[T]he victims of botnets are often users with poorly maintained machines that choose easily guessable passwords to protect access to sensitive sites,” the group observed in a paper that is scheduled to be presented next month in Chicago at the ACM Computer and Communications Security Conference.

“This is evidence that the malware problem is fundamentally a cultural problem,” reasoned the paper’s authors, Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna.

“Even though people are educated and understand well concepts such as the physical security and the necessary maintenance of a car, they do not understand the consequences of irresponsible behavior when using a computer,” they explained. “Therefore, in addition to novel tools and techniques to combat botnets and other forms of malware, it is necessary to better educate the Internet citizens so that the number of potential victims is reduced.”


Swine Flu Spam Returns

Written by Sue Walsh on July 23, 2009

A new wave of Swine Flu themed spam is hitting the web, and it carries a nasty payload. The spam messages contain a Word document called H1N1 Flu Situation update that looks like it is from the Centers for Disease Control and Prevention and is said to contain a map showing the spread of the virus across the U.S.

Recipients who unwittingly download the document will open both a self-extracting zip file and an executable called doc.exe. The executable installs several kinds of malware, including a registry entry that activates a Trojan every time the computer is booted.

The Trojan scans the system and steals any passwords and usernames it finds and also installs a keylogger that records every key stroke and mouse click. The stolen info is sent to a remote server for storage. The scammers presumably use the info to commit identity theft and make fraudulent financial transactions.

Attachments should always be scanned before they are downloaded or opened, and you should never open any .exe attachment received in an email. It’s also important to note that any email you get from a legitimate government site will come from the .gov domain, and that no government agency sends any kind of unsolicited email.

New zero-day IE bug triggers mass attacks

Written by Dan Blacharski on July 10, 2009

Microsoft released a security advisory this week about a dangerous vulnerability in the Microsoft Video ActiveX Control (msvidctl.dll), which is used for streaming video. According to the advisory, an attacker who exploits the vulnerability could gain the same rights on an attacked PC as the local user. The code execution takes place remotely in Internet Explorer, and doesn’t require any user intervention. In other words, it’s a “drive-by” attack that injects a Trojan downloader into the victim’s PC. In the advisory, Microsoft said they would release a patch, and provide an automated tool for disabling the ActiveX control. Disabling the ActiveX control manually is a difficult process and requires setting several kill bits in the registry. The “FixIt” automated tool is now available.

This dangerous exploit holds tremendous potential to cause damage on the same scale as Conficker, or perhaps even more. Conficker took advantage of a bug that had already been patched, and captured millions of PCs to create a huge botnet. The exploit is already widely published on several Chinese web sites, and could cause tremendous damage by the time the patch is created and sent through Microsoft’s regular update mechanism.

The ActiveX control can be accessed using Internet Explorer. Several security companies have reported detecting compromised sites that use the exploit.

Systems running Vista or Windows Server 2008 are not vulnerable to the attack, since the ability to pass data within IE on those systems is restricted. Users running IE8, Firefox, or Chrome are also not vulnerable to the attack. Users still running Windows XP or Windows Server 2003 are vulnerable if using IE6 or IE7.