Archive for the ‘Spyware’ Category

Urlzone/Bebloh Bait and Switch

Friday, October 9th, 2009

Cybercriminals keep adding techniques to their banking password stealers to further cover their tracks. Not that they were having an especially difficult time with this already, as Guillaume Lovet's Virus Bulletin paper on fighting cybercrime points out, but the technical and forensic challenges have now been stepped up another level. We have been tracking the growth of the Urlzone/Bebloh family since February of this year, and the fraud it enables, like that of other groups, has grown more sophisticated at an accelerating pace.

The first, larger waves we saw in February targeted German users; the ThreatFire community was protected from the menace. As more European banks and countries were hit, we continued to monitor for a more global presence, since the malware package is becoming ever more popular among multinational banking cyberthieves. Distribution servers have been appearing on American providers' networks, so the next logical step is for American banks to be targeted as well. We will be monitoring the situation closely.

The stealer is spread by exploiting the usual client-side vulnerabilities in browsers and third-party plugins.

Gumblar Grumbling

Wednesday, May 20th, 2009

A couple of anti-malware firms have grumbled about the number of web sites a group has successfully compromised in order to inject malicious pages into them; the threat is being referred to as "Gumblar". The compromises reportedly rely on stolen FTP credentials and possibly on other configuration issues and vulnerabilities. The hijacked sites in turn attack visiting users' web browsers, with the goal of downloading and executing more malware hosted on a remote server. Originally the exploit/trojan/spyware hosting site was gumblar.cn; it was then changed to martuz.cn, and the domain will most likely change again.

The large numbers in the news do not refer to the trojan itself, or to the malware hosted on gumblar.cn and martuz.cn. They are counts of detected web pages which, however accurate the volume reporting may be, are most likely part of hijacked web sites redirecting browsers to the exploits and trojans on those two domains.

When a user doesn't patch their system, for whatever reason, they keep known vulnerabilities in their software, and those are exploited when they visit a hijacked web site. Following successful third-party plugin exploitation, the delivered dropper is executed. The dropper uses an interesting technique to register its loaded components for auto-start on the unsuspecting user's system. Instead of the usual Run keys and service locations, this writer decided to abuse Drivers32, the legacy user-mode multimedia driver registration key: its "aux" value names the auxiliary audio driver, and the Windows multimedia subsystem (winmm) loads whatever file the value points to into any process that initialises it, Internet Explorer among them. ThreatExpert reports show an "Infostealer.Daonol/Trojan-Dropper.Win32.Agent.apfn/Troj/Daonol-Fam" trojan abusing the Drivers32 key, much like the original Gumblar variant:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
aux = "%Temp%\..\doo.val"
A legitimate entry here is a bare file name of a driver living in System32 (on Windows XP the default aux driver is wdmaud.drv); a value that reaches into %Temp% by way of ".." and ends in ".val" has no business in this key.
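As an added example (not code from the original post, from ThreatExpert or from the malware), the following Python script parses a Windows registry export and flags Drivers32 values that look like the entry above: anything carrying a path, an environment variable, ".." traversal or an unexpected extension, plus driver file names missing from a baseline. The baseline of driver file names and the sample .reg text are constructed assumptions for this example, and `find_suspicious_drivers32` and the other names are this example's own.

```python
"""Flag suspicious Drivers32 entries in a Windows registry export (.reg text).

Added example, not from the original post. Drivers32 values are expected to be
bare file names of multimedia drivers that live in System32; anything carrying
a path, an environment variable, '..' traversal or an odd extension deserves a
look. The driver baseline below is illustrative (assumption: take a real one
from a known-clean build), and the sample export is constructed.
"""
import re

DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"

# Illustrative baseline of driver files normally referenced from Drivers32.
KNOWN_DRIVER_FILES = {
    "wdmaud.drv", "msacm32.drv", "midimap.dll", "imaadp32.acm", "msadp32.acm",
    "msg711.acm", "msgsm32.acm", "iccvid.dll", "iyuv_32.dll", "msrle32.dll",
    "msvidc32.dll", "msyuv.dll", "tsbyuv.dll",
}
ALLOWED_EXTENSIONS = {".drv", ".dll", ".acm", ".ax"}

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
# Accepts both the formal .reg form ("aux"="x.drv") and the loose aux = "x.drv".
VALUE_RE = re.compile(r'^"?([^"=]+)"?\s*=\s*"?(.*?)"?\s*$')

# Constructed sample export: one planted value among benign defaults.
SAMPLE_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="%Temp%\\..\\doo.val"
"midimapper"="midimap.dll"
"wave"="wdmaud.drv"
"wavemapper"="msacm32.drv"
"vidc.cvid"="iccvid.dll"
'''


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; doubled .reg backslashes are collapsed."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).strip()] = m.group(2).replace("\\\\", "\\")
    return keys


def classify_drivers32_value(name, data):
    """Return the reasons an entry looks suspicious (empty list if it looks benign)."""
    reasons = []
    lowered = data.lower()
    if "\\" in data or "/" in data:
        reasons.append("contains a path; Drivers32 normally holds bare System32 file names")
    if ".." in data:
        reasons.append("contains '..' traversal")
    if "%" in data:
        reasons.append("expands an environment variable (e.g. %Temp%)")
    ext = lowered[lowered.rfind("."):] if "." in lowered else ""
    if ext not in ALLOWED_EXTENSIONS:
        reasons.append("unexpected extension %r" % ext)
    basename = lowered.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    if not reasons and basename not in KNOWN_DRIVER_FILES:
        reasons.append("driver file not in baseline (verify on a clean system)")
    return reasons


def find_suspicious_drivers32(text):
    """Parse an export and return [(value_name, data, reasons)] for flagged entries."""
    hits = []
    for name, data in parse_reg_export(text).get(DRIVERS32_KEY, {}).items():
        reasons = classify_drivers32_value(name, data)
        if reasons:
            hits.append((name, data, reasons))
    return hits


if __name__ == "__main__":
    for name, data, reasons in find_suspicious_drivers32(SAMPLE_EXPORT):
        print("%s = %s\n  - %s" % (name, data, "\n  - ".join(reasons)))
```

On a live system, `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" drivers32.reg` writes a UTF-16 file that can be read with `open(path, encoding="utf-16")` and handed to `find_suspicious_drivers32`; on 64-bit Windows check the Wow6432Node copy of the key as well. Treat a baseline miss as "verify", not "malicious"; the path, traversal and environment-variable checks are the ones that matter, because a value reaching outside System32 has no legitimate reason to be in this key.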

The group is not using any 0day attacks. Instead, they are serving malformed .pdf and .swf files. It seems that enough reminders cannot be sent out about updating third-party software (see our earlier posts):
Antivirus 360 Distribution – Update Third Party Plugins
PDF Reader Exploitation 2009
Pdf Reader Exploitation 2009 (cont)
Rigged pdf files
browser-security.microsoft.com Hosts File Modification

We will post more data as it is gathered. The trojan itself is not highly prevalent in the ThreatFire community: the attack has gotten far enough to launch the trojan on only a couple of systems, where it is prevented as "Spyware.Grumbler".

In the meantime, be sure to update your favorite third-party plugins and applications, and your system software.

Torpig Botnet Academics

Wednesday, May 6th, 2009

A handful of academic researchers recently completed another thorough and fascinating report on Torpig: "Taking over the Torpig Botnet". Torpig is an especially evil little piece of crimeware. Over the past couple of years, ThreatFire has been preventing fairly high numbers of Torpig/Sinowal/Anserin infections all over the world, keeping this bank-account and credit-card-number-sniffing nastiness penned up.

One of the more interesting updates in the report concerns the new versions of the bot and their use of Twitter trend data as an extra input to the domain generation algorithm that produces its drive-by-download domains: "A recent update to this algorithm is particularly interesting. Similarly to the previous version, the new algorithm uses the current date to generate the drive-by-download domain. However, the new algorithm also relies on search trends from Twitter to generate one additional seed byte. More precisely, the algorithm fetches the URL http://search.twitter.com/trends/weekly.json?callback=c&exclude=hashtags. This URL returns a JSON object that contains trends for searches on twitter, organized by date. The algorithm gets the trend data for the day before yesterday (4/25 in our case) and extracts the second letter from the first data item (for 4/25, it was "TGIF", so it gets 'G'). This letter is then used to calculate a "magic number", which is used to compute the domain name as shown in the screenshots below."
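As an added example (not code from the paper, the bot or this blog), the Python below reproduces only the seed step the quoted passage spells out: unwrap the JSONP reply, pick the trend list for the day before yesterday relative to the date the bot runs on, and take the second letter of its first entry. The arithmetic that turns that letter into a "magic number" and then a domain is not given on this page, so it is not reproduced. The JSON layout (a "trends" object keyed by ISO date, each a list of {"name": ...} items, wrapped in a c(...) callback) is an assumption about what the old search.twitter.com weekly feed returned, and the sample reply is constructed.

```python
"""Reproduce the Twitter-trend seed step of the Torpig domain generation algorithm.

Added example, not the bot's code. Only the step described in the quoted
passage is implemented; the magic-number and domain derivation are not on the
page and are not reproduced. The JSONP shape below is assumed, the sample is
constructed.
"""
import json
from datetime import date, timedelta

# Constructed sample in the assumed shape of the weekly trends feed, wrapped in
# the "c(...)" callback that callback=c in the URL asks for.
SAMPLE_JSONP = (
    'c({"trends": {'
    '"2009-04-24": [{"name": "Swine Flu", "query": "swine flu"}], '
    '"2009-04-25": [{"name": "TGIF", "query": "TGIF"}, {"name": "Earth Day", "query": "earth day"}], '
    '"2009-04-26": [{"name": "A", "query": "a"}]'
    '}, "as_of": 1240860000});'
)


def strip_jsonp(text, callback="c"):
    """Unwrap 'c({...});' to the bare JSON object the bot parses."""
    text = text.strip()
    prefix = callback + "("
    if not text.startswith(prefix):
        raise ValueError("not a %s(...) JSONP payload" % callback)
    text = text[len(prefix):].rstrip()
    if text.endswith(";"):
        text = text[:-1]
    if not text.endswith(")"):
        raise ValueError("unterminated JSONP payload")
    return text[:-1]


def torpig_seed_letter(jsonp_text, today):
    """Return the extra seed character for `today` (a date or ISO string), or None.

    Per the quoted description: trends for the day before yesterday, first
    item, second letter. None is returned when that day is absent from the
    feed, has no items, or its first trend is shorter than two characters;
    anyone pre-computing the bot's domains has to decide what it does then,
    which the description above does not say.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    data = json.loads(strip_jsonp(jsonp_text))
    target = (today - timedelta(days=2)).isoformat()
    items = data.get("trends", {}).get(target) or []
    if not items:
        return None
    name = items[0].get("name", "")
    if len(name) < 2:
        return None
    return name[1]


if __name__ == "__main__":
    # Running on 2009-04-27 the bot looks at 2009-04-25, whose first trend is
    # "TGIF", giving the 'G' from the paper.
    print(torpig_seed_letter(SAMPLE_JSONP, "2009-04-27"))
```

The practical value for a defender is the date handling: the letter depends on the day the bot runs, not on the day the feed was fetched, so reproducing a day's domains means asking for the trend list two days earlier and keeping a copy of the feed, since the live feed rolled forward and the old values were lost.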

This morning, ThreatFire made bacon of another attempted Torpig infection, also detected as Trojan.Anserin, Troj/Torpig-Gen and Trojan-Spy.Win32.Small.dg. That's one infection that will not be added to the 180,000 the researchers observed in a 10-day period, because TF blocked the associated buffer overflow exploit, which targeted none other than Adobe Acrobat v8.0. One of the first things the delivered spyware does is infect the system's MBR, and ThreatFire prevents its raw disk write to \Device\Harddisk0\DR0. ThreatFire prevents multiple behaviors of this guy on a daily basis.

The site itself, defaptgvif.com, continues to serve exploits. Do not visit the site.