Written by Sue Walsh (siwriter@si.rr.com) on August 6, 2010
The folks over at Softpedia have an interesting article about a new spam campaign being run by the Cutwail botnet. It’s pumping out hundreds of millions of messages claiming to be Social Security statements:
“Due to possible calculation errors, your annual Social Security statement may contain errors. Open attached file to review your annual Social Security statement,” the rogue messages read. The attachment is an archive file called statement.zip.
They come with a zipped attachment that the message claims is the actual statement, but it really contains a variant of the Zbot Trojan. It downloads keyloggers and other malware designed to steal banking logons and other personal information, as well as a rootkit that allows a hacker to control the system remotely. Zbot is programmed with a list of popular e-commerce and banking sites such as eBay, PayPal, Bank of America and Amazon, and when one of them is visited, the keylogger activates, records the login info and sends it back to its command and control server.
Zbot has been around for three years and in the last 6 months infections have skyrocketed. The U.S. has been most affected, claiming 75% of all Zbot infections globally. The UK is second.
For the record, the Social Security Administration only sends out statements via postal mail. They usually go out once a year, about 6 months before your birthday. It’s not surprising that they are trying to use the SSA in their campaign, as previous campaigns have exploited the IRS and other agencies.
Written by Sue Walsh on May 20, 2010

The Zeus Trojan is now exploiting Firefox.
Despite its reputation for being more secure than Internet Explorer, Firefox has found itself under fire from the infamous Zeus Trojan. A new version of the malware is able to exploit Firefox and use it to commit bank fraud. It uses HTML injection to bypass authentication. Previous versions weren’t capable of compromising a bank’s webpage or a user’s transaction in Firefox, so their damage was limited to IE users. Not so anymore.
“We expect this new version of Zeus to significantly increase fraud losses, since nearly 30 percent of internet users bank online with Firefox and the infection rate for this piece of malware is growing faster than we have ever seen before,” Amit Klein, CTO of Trusteer and head of the company’s research organization, said in a statement.
Zeus has been around since 2006 and is responsible for millions of dollars’ worth of bank fraud. It distributes itself via its massive botnet, which uses over 3 million zombies to pump out billions of malicious spam messages. Once it infects a system it drops a keylogger which activates when any site on the Trojan’s programmed list is visited. Sites on the list include most major banking and credit card sites, eBay, Amazon, PayPal, Facebook, and MySpace. Login credentials and other personal info are recorded and sent back to the bot’s command servers. Zeus uses the stolen credentials from social networking sites to pump out its spam there as well.
Mozilla denies there are any security issues with its browser, claiming that Zeus affects all programs on the systems it infects.
Written by Sue Walsh on March 31, 2010
A new type of malware distributes itself by silently overwriting the update function for popular applications like Flash and Adobe Acrobat. While malware masquerading as software updates is very common, this is the first time it’s been seen overwriting the auto-update functions of legitimate software. Written in Visual Basic and called W32.Fakeupver.trojan, it looks exactly like a legit updater, right down to the version number; in fact it’s so convincing that even anti-virus software is fooled.
Once installed it opens DHCP and DNS clients along with a network share and port in order to communicate with its command server, and presumably adds the system to a botnet.
What makes the malware particularly dangerous is that once it is detected and removed, it leaves the legitimate app it infected without its auto-update feature, and that could leave the app vulnerable to future attacks if it’s left unable to download critical updates. The user would have to completely re-download and reinstall the affected software, and likely wouldn’t know they had to.
Since many software apps like Adobe, Java, Flash, and Windows itself receive near-constant updates and patches, having the update function removed could be disastrous. Scammers have exploited Flash and Java many times, and malicious PDFs are a popular distribution method. 56% of all malware currently comes from malicious PDFs. Experts recommend disabling JavaScript when visiting unfamiliar websites to help protect yourself, but an even better idea is to avoid visiting unfamiliar websites altogether. It’s also a good idea to manually check your apps on a regular basis to make sure they’re properly updated.
Written by Sue Walsh on December 18, 2009
A new report by security researchers claims that Google’s reCAPTCHA system is flawed – so flawed that it would allow a botnet with just 10,000 zombies to manage 10 recognition successes an hour, resulting in over 850,000 fake accounts being registered each day. The researchers say the flaw is the same one that has plagued all CAPTCHA services (the human factor) but with a twist.
The Koobface botnet is distributing a new variant of its Trojan that forces the user of the computer it infects to solve a CAPTCHA. The user is presented with a Windows pop-up directing them to solve the CAPTCHA provided or their system will be shut down. The solved CAPTCHA is then sent to the botnet’s C&C channel and used to create a fake Blogspot blog which is populated with content from Google News. Koobface uses SEO techniques to ensure these blogs are packed with hot topics and sure to appear at the top of search engines. The links in these fake blogs redirect to a fake Facebook page where the user is directed to download a “flash player update” which is really the Koobface Trojan. The same technique is used to create fake Gmail and Facebook accounts which are also used to distribute the malware. Once Koobface infects a system it steals credit card numbers and other personal information.
The underground economy of human driven CAPTCHA solving is booming as well, further weakening the effectiveness of CAPTCHA systems. Services offering bulk orders of solved CAPTCHAs for Web 2.0 and social media services are exploding and prices are lower than ever. One service offers 1 million solved CAPTCHAs for $800. However, with Koobface taking CAPTCHA solving into its own hands, other malware distributors may follow suit, leading to the CAPTCHA solving industry’s demise.
Google denies that its reCAPTCHA is flawed, claiming the data used in the report is outdated.
“Therefore, this study does not reflect the effectiveness of reCAPTCHA’s current technology against machine solvers,” said a Google spokesman. “We’ve found reCAPTCHA to be far more resilient while also striking a good balance with human usability, and we’ve received very positive feedback from customers.”
Written by Sue Walsh on December 14, 2009

Amazon’s EC2 service is the latest cloud-based service being exploited by the Zeus Trojan. Security researchers have discovered the Trojan is using EC2 as one of its command and control centers. PCs that have been infected with the malware and turned into zombies report to the service for updates, instructions and possibly even more malware.
“We believe this was a legitimate service that was purchased and compromised via a vulnerability” such as a weak password, Don DeBolt, CA’s director of threat research, told The Reg. “It could have been any vulnerable system on the internet.”
Other services that Zeus has been using as C&C centers include Twitter, Facebook, and Google Apps. Such sites are attractive to botnet herders because they are cheap, easily available and simply don’t set off any alarms or notifications when the zombies connect to them. Another thing that makes them attractive is that, unlike obscure Chinese or Russian domains, blacklisting such popular services simply isn’t likely to ever happen. In effect they are using these services as camouflage.
Amazon shut down the infected EC2 channel after being notified, but it likely won’t keep Zeus down for long. Cybercriminals have invaded the Cloud and are here to stay.
Written by Sue Walsh on November 27, 2009

A new wave of malicious spam makes promises of a free MacBook Air but delivers malware instead. The spam messages were only recently detected and arrived with the subject line “Congratulations!” The body of the message reads “Congratulations! You have won todays Macbook Air. Please open attached file and see details.”
The file is an .exe file that installs malware onto the system. The malware has been identified as TROJ_AGENT.AWYQ. Once installed it drops TROJ_CUTWAIL.GO, which adds the infected computer to the Cutwail/Pushdo botnet. A spam module is downloaded along with one or more “Campaign modules” which contain third-party malware from a number of different sources. It’s also programmed to connect to web-based email providers it detects the infected computer has logged into, like Hotmail, Yahoo! and Gmail, and send out copies of itself.
Cutwail/Pushdo is one of the largest botnets in the world, sending out millions of spam messages a day.
Written by Sue Walsh on November 20, 2009

Authorities in the UK have arrested two people suspected of distributing the Zeus Trojan. The arrests were made by the Metropolitan Police’s Central e-Crime Unit and are the first ever in connection with the Trojan, which has infected hundreds of thousands of computers across the globe.
Detective Inspector Colin Wetherill of the PCeU said: “The Zeus Trojan is a piece of malware used increasingly by criminals to obtain huge quantities of sensitive information from thousands of compromised computers around the world. The arrests represent a considerable breakthrough in our increasing efforts to combat online criminality.”
Zeus records banking account numbers, logins and other personal info and adds the infected computer to the ZBot botnet, which then uses the computer to pump out malicious spam designed to spread the infection.
Authorities would not identify the two suspects, saying only that they are a man and a woman in their 20s. They are being charged under the 1990 Computer Misuse Act and the 2006 Fraud Act.
Security experts say Zeus is spreading so fast because there is a toolkit available that allows anyone to customize the malware, create their own versions, and use it to commit bank fraud.
Written by John P Mello Jr (jpmello@cox.net, http://twitter.com/jpmello) on November 9, 2009
About the author: John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.

Gumblar uses SQL injection to infect Web servers.
Malware watchers are reporting that the Gumblar botnet is working its mischief once again, this time on a larger scale than ever. The malicious software first attracted the notice of White Hats this spring when it used SQL injection attacks to infect legitimate websites–sites such as Tennis.com, Variety, and Coldwellbanker.com–and spread itself to the personal computers of visitors to those netposts. SQL injection attacks are performed on the database layer of an application. They take advantage of code that passes untrusted input into a database query without validating or escaping it, so that crafted input changes the meaning of the query and produces unintended consequences, such as letting a request through without properly authenticating the user’s identity.
After making its initial splash, its activity abated, only to experience a revival at the end of the summer. Now it’s running wild again, according to security researchers, infecting hundreds of trusted sites and, through them, thousands of PCs.
In its birth form, the badapp poisoned a site’s back-end server or used an iFrame or other ploy to redirect a visitor to a black server for a proper fleecing and contamination. The use of iFrames has become a popular ruse of cyberbandits. Once injected into a trusted site, it redirects a browser to another iFrame that executes clandestine JavaScript code on an unsuspecting keyboard jock’s computer. The code then connects to Net places where more code is secretly executed to exploit vulnerabilities in a target system. Crackers leverage those vulnerabilities to gain control of a user’s computer and filch usernames, passwords and other information from the system. It also looks for FTP credentials so it can infect more servers.
Continue reading: Gumblar has new face on ugly head
Written by Sue Walsh on October 26, 2009

A recently discovered Trojan has a sneaky and disturbing new trick up its sleeve. It can alter a victim’s online bank statement. Dubbed URLZone, the Trojan is able to alter a page’s HTML before it’s displayed. This lets it rewrite bank statements to hide the fraudulent activity underway, which buys the scammers more time to clean out the account.
“The Trojan is hooked into your browser and dynamically modifies the text in the html,” says Yuval Ben-Itzhak, chief technology officer of computer security firm Finjan. “It’s a very sophisticated technique. They instruct the Trojan that the next time you log into your online banking account, they actually modify and change the statement you see there. If you don’t know it, you won’t report it to the bank so they have more time to cash out.”
The money is then sent to money mules who were tricked into doing the scammers’ dirty work. Most fell for fake job-posting spam advertising a lucrative work-at-home position and have no idea they are being scammed too.
URLZone is controlled by a server in the Ukraine. While officials there announced they had suspended its domain, count on it to simply find a new home. As we saw after the McColo shutdown last year it doesn’t take long at all for hackers and scammers to set up shop somewhere else. Finjan says the URLZone operation could easily make over $7 million a year.
Written by John P Mello Jr on October 22, 2009

The Zeus Trojan is a favorite of muleskinners.
Money muling, until recently, has been used by information highwaymen to prey on unwitting consumers. Muleskinners had modest goals. Their scams ranged from $200 to $2000. Their targets were consumers with more greed than sense. Recent muling patterns, however, indicate that these fraudsters are expanding their ambitions and hatching cons to snatch larger amounts from small businesses.
- In May, a Texas company was clipped of $1.2 million with the help of some 40 “mules.”
- In July, muleskinners in the Ukraine skimmed $415,000 from accounts for Bullit County, Ky. The county realized something was askew when it found unauthorized wire transfers of $10,000 or less from its payroll coffers were being made to accounts of at least 25 people across the country. In the United States, money transfers must exceed $10,000 before they are subject to special reporting requirements under the Bank Secrecy Act of 1970.
- In September, Downeast Energy & Building Supply, a heating and hardware firm in Brunswick, Maine, saw $200,000 disappear from its online bank account, siphoned into the accounts of at least 20 individuals nationwide.
- This month, the Pease Development Authority, the agency that manages ports in the Portsmouth, N.H. area, discovered about $100,000 in transfers instigated by muleskinners.
- Also this month, thieves attempted to transfer $87,000 from the accounts of the St. Isadore Catholic Church in Danville, Calif. to about a half dozen mules, but were thwarted when the church’s bank blocked the transfer.
A key component of these scams is the money mules. They are individuals recruited through blind employment ads posted on the Internet or through spam mailings. On some occasions, mules have been initially recruited as copy editors and proofreaders hired at minimum wage to clean up spam letters used to recruit more mules. When pressed for payment for the editing work, a muleskinner will attempt to recruit the editor as a “local agent” for transferring money.
Continue reading: Money mulers expanding horizons