July 27, 2014

GameOver Zeus botnet disrupted by FBI, Microsoft and multi-national agencies

GameOver_Zeus_Scope(LiveHacking.Com) – A multi-national team of security experts and law enforcement agencies including the U.S. Department of Justice, the FBI, Europol, and the UK’s National Cyber Crime Unit have successfully disrupted  the GameOver Zeus botnet. The malware, which is a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing trojan, is thought to be responsible for the theft of millions of dollars from businesses and consumers all around the world.

Also known as P2P Zeus or GO Zeus, the malware uses a decentralized network system of compromised PCs and web servers to execute command-and-control. Its peer-to-peer nature meant that command instructions could come from any of the infected computers, and made the take down of the botnet more difficult.

The FBI took down portions of the command-and-control infrastructure by seizing domain names used by the malware. Microsoft helped the FBI by providing an analysis of the P2P network and by developing a cleaning solution. According to Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit, “Based upon these actions, it is anticipated that the cybercriminals’ business model will be disrupted, and they will be forced to rebuild their criminal infrastructure. More importantly, victims of GameOver Zeus have been, and will continue to be, notified and their infected computers cleaned to prevent future harm.”

GameOver Zeus is primarily used by cybercriminals to harvest banking information including login credentials. Once a PC is infected it can be used by the cybercriminals to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks. The malware has also been linked to the CryptoLocker ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files.

Andy Archibald, a Deputy Director at the UK’s National Crime Agency (NCA), said: “Nobody wants their personal financial details, business information or photographs of loved ones to be stolen or held to ransom by criminals. By making use of this two-week window, huge numbers of people in the UK can stop that from happening to them.” Mr Archibald continues: “Those committing cybercrime impacting the UK are often highly-skilled and operating from abroad. The NCA and its partners are alive to the threat, and pursuing new and collaborative ways to tackle and disrupt the perpetrators.”

At the same time as the botnet was being disrupted  a federal grand jury in Pittsburgh unsealed a 14-count indictment against the GameOver Zeus ringleader. Evgeniy Mikhailovich Bogachev, of Anapa, Russian Federation, is charged with with conspiracy, computer hacking, wire fraud,  bank fraud and money laundering. In a separate civil injunction, Bogachev was identified as the ringleader of the gang responsible for the development and operation of the Cryptolocker scheme.

Tor users exposed due to vulnerability in Firefox 17

Tor project logoUsers of the popular Tor anonymity tool have been exposed to malware which can reveal the user’s IP address. According to an announcement made a Tor mailing list, the Tor Browser Bundle is susceptible to a Firefox JavaScript vulnerability and that this vulnerability has been exploited in the wild.

Although all Tor users are potentially vulnerable it appears that the malware, which is exploiting the bug, targets only Windows users. The vulnerability allows arbitrary code execution and the observed attack appears to collect the hostname and MAC address of the Tor user and send them to a remote web server. According to the Tor project, “it’s reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services.”

While outlining what users can do, besides upgrade to the latest version of the Tor Browser Bundle which contains a fixed version of Firefox, the email suggested that, “switching away from Windows is probably a good security move for many reasons.”

The malware used to discover the identities of the Tor users is possibly linked to the FBI as on Friday a vast number of “hidden services” disappeared from Tor and a man from Ireland was arrested on a warrant issued by the FBI in connection with child porn charges which allegedly used the Tor network.

According to the Electronic Frontier Foundation, which issued a statement about the attack, the Tor anonymity tool is often used by human rights activists, journalists, political dissidents and whistleblowers since it allows them to use the web anonymously and avoid different surveillance and censorship techniques.

Ransomware claims FBI know that victim’s computer associated with crime and told to pay fine

(LiveHacking.Com) – The Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) has published a warning about various ransom campaigns which are impersonating multiple U.S. Government agencies. The malware, which impersonates the United States Cyber Command (USCYBERCOM) and the Federal Bureau of Investigation (FBI), displays an alert telling the victim that a Federal Government agency has associated the user’s computer with one or more online crimes. To regain use of the computer the victim must pay a fine, often through a prepaid money card service.

The US-CERT warning comes after the discovery earlier this month of a piece of ransonware known as Reveton. The drive-by Trojan, which infects a victim’s PC when they visit a compromised website, locks the user’s computer, displays a bogus message and demands payment of fines. The bogus message says that the user’s Internet address was identified by the FBI or the Department of Justice’s Computer Crime and Intellectual Property Section as having been associated illegal online activity. To unlock their machines, users are required to pay a fine using a prepaid money card service. The FBI has confirmed that the malware has already successfully stolen money from a number of innocent victims.

Needless to say, government agencies don’t send out official notifications as unsolicited emails or web popup alerts and are required by law to be delivered directly to the individual. Also, government agencies don’t ask for fines to be paid via money card services.

According to the US-CERT warning, vicitm’s can also choose to file a complaint with the FBI’s Internet Crime Complaint Center (IC3).

More Hacking By LulzSec While Sony Hacked Again, This Time By Idahc

It now seems as if hacking is now reaching epidemic proportions and as more and more of our lives are being moved onto “the cloud” (voluntarily and involuntarily) it looks like security breaches and loss of data is becoming the norm rather than the exception.

Over the weekend LulzSec claimed that it hacked the web site of the Atlanta Chapter of InfraGard and released a download of the user login details along with the decrypted passwords. InfraGard is a partnership of businesses, the FBI, educational entities and the National Infrastructure Protection Center designed to protect IT systems from hacker attacks. Such sites are, of course, prime targets for hackers.

LulzSec claim they attacked the web site because NATO now treats hacking as an act of war.

Once they had the list of user names and passwords, LulzSec continued their illegal activities and found that Karim Hijazi, CEO of Unveillance, used the same password for his personal gmail, and the gmail of this company. LulzSec contact contacted Karim where they claim he offered to pay them to eliminate his competitors through illegal hacking. Karmin released an official statement where he shows proof that in fact LulzSec tried to extort him and his company.

While all this was going on, a Lebanese grey hat hacker – who goes by the moniker Idahc, posted the details of 120 accounts which he claimed came from the apps.pro.sony.eu Sony web site. The web site is currently “down for maintenance.”