Archive for the ‘Crimeware’ Category

Delpiero Nabbed?

Monday, March 8th, 2010

The Bangkok Post’s article on a Malaysian man’s arrest and extradition to the U.S. on identity theft charges, part of a prosecution begun in 2008, potentially exposes the 12th person in the case, previously known only by his handle “Delpiero”. The man will be extradited for the theft and sale of over 40 million credit card numbers and associated personal information. From a 2008 article reporting the original case:

“Indictments against Hung-Ming Chiu and Zhi Zhi Wang, both of China, and a person known only by the online nickname “Delpiero” were also unsealed in San Diego.”

Damages from the hack(s) were not estimated in 2008. From the 2008 article: “‘They used sophisticated computer hacking techniques that would allow them to breach security systems and install programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves,’ Attorney General Michael Mukasey said at a news conference. ‘And in total, they caused widespread losses by banks, retailers, and consumers.’ Mukasey called the total dollar amount of the alleged theft ‘impossible to quantify at this point.’” The Bangkok Post article, however, seems to cite an estimated $150 million for the ring’s take.

Mariposa Wings Clipped

Tuesday, March 2nd, 2010

Spanish law enforcement nabbed three operators of the Mariposa botnet: “Authorities identified them by their Internet handles and their ages: ‘netkairo,’ 31; ‘jonyloleante,’ 30; and ‘ostiator,’ 25.”

The massive infection rate described in the article is one more reason you need our quiet ThreatFire product protecting your workstation. Every week, thousands of up-to-date ThreatFire-protected systems were attacked by variants of these bots and protected from them by a feature we call “behavioral recognition”. It is far superior to AV file-scanner signatures and definitively identifies the behavior of malware families like the bots that made up the Mariposa botnet. The problems signature-based AV scanners have in recognizing the various Mariposa bot variants were described in a technical paper here.

Pilleuz

If you saw a red dialog from ThreatFire warning that it is protecting your system from “Worm.Palevo” or “W32.Pilleuz”, your system was protected from becoming another one of over 12 million Mariposa victims.

Waledac Ate Curb?

Friday, February 26th, 2010

A recently reworded post on Microsoft’s attempt to pursue malware distribution in the courts makes it appear that something permanent and substantial has happened in anti-malware efforts, demonstrated by a legal and collaborative effort called “Operation b49” to take down Waledac C&C domains. Given the complications (legal and otherwise) that delay server and domain takedowns, it’s great to see this botnet’s well-known command and control domains pursued by a powerful legal team. On the other hand, in the meantime, users’ systems continue to be infected with Waledac. And much like the FakeAV organizations and the “John Doe” defendants that Microsoft has filed against in the courts in the past, the cybercriminals herding Waledac will most likely pick up and continue to operate in the shadows beyond the reach of law enforcement; the domains and malware will most likely change to evade the takedowns pursued through the court approach. It’s a situation that has been described as “wrestling with a pig”.

In the meantime, the best way to protect yourself is with the latest install of ThreatFire. From our statistics in the ThreatFire community, we see that Waledac binaries continue to attack systems on a daily basis as a bump on the “threat landscape”. The ISC’s post title mistakenly implies that Waledac is no longer infecting systems daily because the group’s “Storm-like” spam campaigns of 2009 have been discontinued and because a specific list of domains has been removed, but in fact Waledac binaries like these are attacking systems every day. For instance, over the past few days, workstations in the ThreatFire community in the US and parts of Europe were attacked by Waledac and protected from it.

Anyway, the ISC handler’s post was an interesting writeup and description of past problems with takedowns (current collateral damage is described here), and “Operation b49” adds another strong effort and collaboration to clean up the wild wild web. Cheers to that. Let’s hope that the Waledac bot distributors and botnet operators are worn down by the new strategy as they watch their C&C servers become unreachable. We’ll monitor the bot’s distribution over the next few weeks and post results. Hopefully, the group is worn down for good.