|
Archive for the ‘Crimeware’ Category
Wednesday, October 28th, 2009
Unfortunately, a lot of people didn’t realize that the email and attachment we posted yesterday was not really from “The Facebook Team”. ThreatFire users were protected from the Bredolab downloader and its Zbot payload, and it’s a good thing too. Here is some information on who fell for it by country:
The bulk of the protected systems were in the U.S., where the number of Facebook users are higher than anywhere else. Below is a non-exhaustive list of banks that the group has targeted with Zbot payloads from the ip address that the Bredolab downloaders pulled from. Surprisingly, the cybercrime group decided to mess with U.S. military members at usaa.com:
https://businessonline.huntington .com
https://business-eb.ibanking-services .com
https://securentrycorp.nbarizona .com
https://treas-mgt.frostbank .com
https://www8.comerica .com
https://cashmgt.firsttennessee .biz
https://www.usaa .com
https://*netspend .com
https://www.mybank.alliance-leicester.co .uk
Posted in Bredolab, Crimeware, Social Engineering, ZBot | No Comments »
Friday, October 9th, 2009
Cybercriminals are implementing techniques in their banking password stealers to further cover their tracks. Not that they were having an extremely difficult time with this already, as pointed out by Guillaume Lovet’s Virus Bulletin paper on fighting cybercrime. But the technical and forensic challenges are now stepped up another level. We have been tracking the growth of the Urlzone/Bebloh family since February of this year, and other groups have been finding accelerated sophistication in the fraudulent activity.
The first, larger waves we saw in February targeted German users, protected within the ThreatFire community from the menace. As more european banks and countries were hit, we continued to monitor for more of a global presence, as the malware package becomes even more popular among multinational banking cyberthieves. Distribution servers have been appearing on American providers’ networks, the next logical step is to find American banks targeted as well. We will be monitoring the situation closely.
The stealer is being spread by attacking the usual client side vulnerabilities in browsers and third party plugins.
Posted in Bancos, Crimeware, Spyware, cybercrime | No Comments »
Thursday, August 27th, 2009
It seemed strange when the steady stream of changing, but similar, Mebroot (also known as Sinowal) executables dried up in late July. But alas, the mbr infecting family seems to have simply run out of flour and wheat for their “pasta theory” code, as described by Elia Florio and Kimmo Kasslin.
The spaghetti code typical of the Mebroot family for so long seems to have been straightened out. Known for downloading banking and financial service password stealers, it also developed a reputation for oodles of obfuscation in its executables. Now, instead of the neverending jmps, rets and scrambled code flow, the family seems to be released without the pasta and with a series of bogus calls — some DeviceIoControl with a stack full of NULL parameters, some bogus filenames passed to CreateFile, etc. Otherwise, the components observed in the lab match up with past Mebroot components, so we are digging deeper into the chances that we really are witnessing a new generation of the malware.
At the time we started digging into the dropper, googling “dedkeopght.com”, the site from which the malcrafted pdf file fetched this Mbr injecting payload, turned up no results whatsoever. Neither did scanning the payload file (the dropper) with a variety of AV file scanners. However, ThreatFire users are safe, and TF continues to prevent its injections and Mbr infection techniques.
Be sure to regularly update your software and add a behavioral solution to your system.
Posted in Crimeware, Downloader, Password stealing, Software Release, Undetected malware | No Comments »
|
|
|
|
