October 16, 2019

Banking Trojan tries to hide from security researchers

Shylock from Shakespeare’s Merchant of Venice. Engraving by G. Greatbach after a painting by John Gilbert.

(LiveHacking.Com) – In the never-ending cat and mouse chase between malware writers and security researchers, a new twist has been observed by the security company Trusteer. Recent analysis of a piece of banking and financial malware called Shylock has shown that the authors are adding methods that stop the malware from being analyzed. Malware researchers often use virtual machines or remote computers in an operations center or “lab” to perform research on malware. To connect to the machines in the lab, researchers use remote desktop connections. Knowing this, Shylock has been altered to identify and avoid remote desktop environments.

“Like most malware strains, Shylock continues to evolve in order to bypass new defensive technologies put in place by financial institutions and enterprises,” Gal Frishman wrote in a blog post. According to Gal, Shylock tries to detect a remote desktop environment by feeding invalid data into a certain Windows function call and then observing the error code returned. It uses this return code to spot remote desktops. If it recognizes a remote desktop session, it won’t install. It is also possible to use this method to identify other known or proprietary virtual/sandbox environments.

“This is good, general purpose financial malware that we see along with Zeus, SpyEye and a host of other malware families that target these institutions,” George Tubin told SC Magazine. “We do see malware doing more things to avoid so-called virtual environments. For instance, sometimes malware has a sleep function, so once it gets in, it won’t start for a time. We see an increasing trend in malware being able to evade virtual environments.”

To find out if it is running in a remote desktop environment, Shylock calls the SCardForgetReaderGroup() function in Windows. This innocuous function is designed to remove a previously introduced smart card reader group from the smart card subsystem. However, it turns out that the return value differs when the function is called on a normal desktop machine compared to a PC being used over a remote connection. Based on that return code, Shylock decides whether or not to install.

Chevron was a victim of Stuxnet

(LiveHacking.Com) – Chevron, the US-headquartered international oil and gas company, has admitted that Stuxnet infected its IT network. Speaking to the Wall Street Journal, Mark Koelmel, general manager of the company’s earth sciences department, said that the notorious malware was found on its networks in 2010.

Stuxnet is known for destroying centrifuges used in Iran’s uranium enrichment program. It is thought to have been designed by a nation state with the intention of targeting the Siemens supervisory control and data acquisition (SCADA) systems which controlled the industrial processes inside the enrichment facilities.

Chevron was not damaged by its encounter with Stuxnet and it appears that it got onto its network by accident. But this is the first time that a U.S. company has admitted that the malware got onto its systems. There are probably many more Stuxnet infections in the U.S. and mainland Europe that went unreported for reasons of security or to avoid embarrassment.

Stuxnet specifically targets industrial equipment that is controlled by devices known as programmable logic controllers, or PLCs. These devices have been sold and used in their millions all over the world, and the Stuxnet malware could potentially have destroyed other equipment across the globe. Just like a real-world virus, once it is out there, it can’t be controlled.

“I don’t think the U.S. government even realized how far it had spread,” Koelmel said. “I think the downside of what they did is going to be far worse than what they actually accomplished.”

The U.S. has almost admitted that it wrote Stuxnet, which makes the U.S. a probable target for any retaliatory cyber attacks. It now seems that the lid is off “Pandora’s box” and worse still the very weapons used to attack others have come back to haunt their creators.

Ultimately private enterprise will have to clean up in the aftermath of Stuxnet without any help from the government. “We’re finding it in our systems and so are other companies,” said Koelmel. “So now we have to deal with this.”

2.2 million homes were infected with the ZeroAccess botnet during Q3

(LiveHacking.Com) – According to a new report, 2.2 million home networks worldwide were infected with the ZeroAccess botnet during Q3 of 2012. The Kindsight Security Labs Q3 2012 Malware Report says that ZeroAccess was the most active botnet in Q3. It is estimated that 685,000 households in the United States were infected.

It seems that this malware is now also significantly affecting online advert revenue. ZeroAccess is an ad-click botnet: the bots engage in a sophisticated ad-click fraud scheme that could be costing advertisers almost a million dollars each day.

ZeroAccess and its morphed successor ZeroAccess2 use an encrypted P2P protocol to communicate with other peers. The botnet maintains communication through super-nodes: infected PCs that are directly connected to the internet without an intervening home router or other network address translation (NAT) device.

To earn money, the bot operators have a large number of web sites that host pay-per-click adverts. The bots are programmed to click on ads hosted by these sites, earning money for the operator and costing the advertiser money. The list of websites to use is dynamic, as is the visit frequency. To evade ad-click fraud detection, the bots follow the ad click through to the advertiser’s landing page via several layers of redirection, loading all the HTML, JavaScript and graphics components as a regular browser would.
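Because the bots load the landing page like a real browser, request-level fingerprinting is not enough on its own; fraud teams instead look at behaviour across clicks. The following added example (not code from the article or from Kindsight) shows a first-pass heuristic run over a few constructed ad-click log lines: it flags a client IP that clicks across many distinct publisher sites with machine-regular timing, while leaving a human who clicked twice on one site hours apart untouched. The log format, the IP addresses and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic): time, client IP, publisher site, campaign, user agent.
# 198.51.100.7 behaves like a ZeroAccess-style bot: a click every 30 s across five publishers.
# 203.0.113.25 and 192.0.2.88 behave like ordinary readers.
CONSTRUCTED_CLICK_LOG = """\
2012-10-01T10:00:00 198.51.100.7 pub-a.example camp-1 Mozilla/5.0
2012-10-01T10:00:30 198.51.100.7 pub-b.example camp-2 Mozilla/5.0
2012-10-01T10:01:00 198.51.100.7 pub-c.example camp-1 Mozilla/5.0
2012-10-01T10:01:30 198.51.100.7 pub-d.example camp-3 Mozilla/5.0
2012-10-01T10:02:00 198.51.100.7 pub-a.example camp-2 Mozilla/5.0
2012-10-01T10:02:30 198.51.100.7 pub-e.example camp-1 Mozilla/5.0
2012-10-01T10:03:00 198.51.100.7 pub-b.example camp-3 Mozilla/5.0
2012-10-01T09:12:44 203.0.113.25 pub-a.example camp-1 Mozilla/5.0
2012-10-01T14:37:09 203.0.113.25 pub-a.example camp-2 Mozilla/5.0
2012-10-01T11:05:17 192.0.2.88 pub-c.example camp-1 Mozilla/5.0
"""


def parse_clicks(log_text):
    """Parse whitespace-separated log lines into (timestamp, ip, site, campaign) tuples."""
    clicks = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, site, campaign, *_user_agent = line.split()
        clicks.append((datetime.fromisoformat(ts), ip, site, campaign))
    return clicks


def per_ip_features(clicks):
    """Summarise each IP: click count, distinct publishers, and regularity of click spacing.

    gap_cv is the coefficient of variation of inter-click gaps; a human's gaps are
    irregular (high cv), a scheduled bot's are nearly constant (cv close to 0).
    """
    by_ip = defaultdict(list)
    for ts, ip, site, _campaign in clicks:
        by_ip[ip].append((ts, site))
    features = {}
    for ip, events in by_ip.items():
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        gap_cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        features[ip] = {
            "clicks": len(events),
            "sites": len({site for _, site in events}),
            "gap_cv": gap_cv,
        }
    return features


def flag_suspicious(features, min_clicks=5, min_sites=3, max_cv=0.25):
    """Return {ip: [reasons]} for IPs whose click pattern looks automated (thresholds are assumptions)."""
    flagged = {}
    for ip, f in features.items():
        reasons = []
        if f["clicks"] >= min_clicks:
            if f["sites"] >= min_sites:
                reasons.append("many publishers")
            if f["gap_cv"] is not None and f["gap_cv"] <= max_cv:
                reasons.append("machine-regular timing")
        if reasons:
            flagged[ip] = reasons
    return flagged


def analyze(log_text=CONSTRUCTED_CLICK_LOG):
    """Run the whole pipeline over a log and return the flagged IPs with reasons."""
    return flag_suspicious(per_ip_features(parse_clicks(log_text)))


if __name__ == "__main__":
    for ip, reasons in analyze().items():
        print(ip, "->", ", ".join(reasons))
```

The spacing test is deliberately the weak part: the article notes that the visit frequency is dynamic, so a bot that jitters its schedule will pass it. The publisher-spread test survives jitter better, which is why the two signals are combined rather than used alone.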

The botnets also earn money through ‘Bitcoin mining’, a technique which creates false Bitcoin transactions. It is thought that about half of the ZeroAccess bots are working as Bitcoin miners. Bitcoins are said to be worth about $10 each and Sophos has estimated that ZeroAccess could be earning over $2.7M per year, however it is not clear if real money is actually involved, or if they are just used for playing Bitcoin games.

“The ZeroAccess botnet has grown significantly to become the most active botnet we’ve measured this year,” said Kevin McNamee, security architect and director, Kindsight Security Labs. “Cybercriminals are primarily using it to take over victim computers and conduct ad-click fraud. With ZeroAccess, they can mimic the human behavior of clicking online ads, resulting in millions of dollars of fraud.”


DHL Express being used as bait for malware attack

(LiveHacking.Com) – A wave of malware-laden email messages claiming to be from DHL Express is being tracked by Sophos. The email messages, which claim to have information about items being shipped to your address by DHL, have a .zip file attached which contains a variant of the Bredo trojan horse malware.

Unsuspecting users who download and unzip the attachment will most likely infect their PCs with this trojan. Once installed, it copies itself to the Windows system folder and modifies the registry so that it loads automatically the next time the PC starts. It then contacts a command and control server to download more malware, possibly including adware, keyloggers and fake anti-virus ransomware.

Of course, such malicious emails claiming to come from companies like DHL, FedEx and UPS are not new, but the fact that cyber criminals are sending fresh waves of them means that, sadly, they are working.


  • Install a good anti-virus solution.
  • Don’t download and/or execute attachments on emails from untrusted sources.
  • Don’t be deceived by unsolicited emails.
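The second piece of advice above is easier to enforce at the mail gateway than to rely on users for. The following added example (my own code, not Sophos’s or the article’s) triages a .zip attachment the way such a gateway filter would: it builds a constructed lure archive in memory, then flags members with an executable extension, a document-looking double extension such as .pdf.exe, or a Windows PE (“MZ”) header regardless of what the name claims. The member names and bytes are constructed for the example; the extension lists are an assumption rather than a vendor’s rule set.

```python
import io
import zipfile

# Extensions Windows will run directly if double-clicked (assumed list for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a lure author would put in front of an executable one to look like a document.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def build_constructed_zip(members):
    """Build an in-memory zip from {name: bytes}; used only to construct test attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def extensions_of(member_name):
    """Return every extension in the base name, e.g. 'a.pdf.exe' -> ['.pdf', '.exe']."""
    base = member_name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def triage_zip_attachment(zip_bytes):
    """Return [(member_name, [reasons])] for archive members that should be blocked."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = extensions_of(info.filename)
            reasons = []
            if exts and exts[-1] in EXECUTABLE_EXTS:
                reasons.append("executable extension")
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in EXECUTABLE_EXTS:
                reasons.append("document-looking double extension")
            # Content check: a renamed .exe still starts with the DOS 'MZ' signature.
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    reasons.append("PE header inside archive member")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def demo():
    """Triage one constructed lure archive and one constructed benign archive."""
    lure = build_constructed_zip({"DHL_Shipment_Notice.pdf.exe": b"MZ" + b"\x00" * 64})
    benign = build_constructed_zip({"invoice.pdf": b"%PDF-1.4\n%constructed\n"})
    return triage_zip_attachment(lure), triage_zip_attachment(benign)


if __name__ == "__main__":
    lure_findings, benign_findings = demo()
    print("lure:", lure_findings)
    print("benign:", benign_findings)
```

Checking the first two bytes of each member matters more than the name tests: a filter that only looks at extensions is defeated by an archive member named `notice.pdf` that is actually a PE, whereas the signature test catches it at the cost of reading the member.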

Microsoft reaches settlement with domain operator linked to the Nitol botnet

(LiveHacking.Com) – Microsoft has reached a legal settlement with the hosting company which operated 3322.org, a domain linked to the Nitol botnet. The deal, which was reached with Peng Yong and his company Changzhou Bei Te Kang Mu Software Technology, is the result of an investigation Microsoft conducted into counterfeit Windows PCs made in China.

Microsoft discovered that consumers in China were buying cheap counterfeit Windows-based PCs which came with malware pre-installed. The malware, known as Nitol, was used to run distributed denial of service (DDoS) attacks as well as to create backdoors onto the PCs. The domain 3322.org was part of the infrastructure supporting the botnet. Subsequently Microsoft started legal action to take control of the 70,000 malicious subdomains hosted on 3322.org.

The investigation revealed that the malware was not being pre-installed on computers in the factory but rather the cybercriminals had disreputable distributors or resellers load the malware-infected counterfeit software onto the computers before the final delivery to the customer.

Now, Peng Yong has agreed to work with Microsoft and the Chinese Computer Emergency Response Team (CN-CERT) to stop any further misuse of servers in his company. Any future black-listed domains will be moved into a sinkhole that has been established by CN-CERT. Yong is also required to fix the systems of anyone affected by the botnet. Microsoft has already started to contact the Nitol victims with the help of the Shadowserver Foundation.

Since taking control of 3322.org, just over two weeks ago, Microsoft has been able to block more than 609 million connections from over 7,650,000 unique IP addresses.

“Fighting botnets will always be a complex and difficult endeavor as cybercriminals find new and creative ways to infect peoples’ computers with malware, whether for financial gain or other nefarious purposes. However, those working to combat cybercrime continue to make progress, and Microsoft remains committed to protecting its customers and services and to making it difficult for cybercriminals to take advantage of innocent people for their dirty work,” wrote assistant general counsel for Microsoft Digital Crimes Unit Richard Domingues Boscovich.

In brief: Google Go language used to write malware

(LiveHacking.Com) – Google Go, a compiled, concurrent programming language developed by Google, has been used for the first time to write malware. The language, which was initially released in 2009 and has been growing in popularity ever since, is a viable alternative to C or C++ and is well suited to low-level and server-type software. This has now been proved in a way that Google perhaps didn’t want. According to Symantec, malware has been found in the wild with components written in Go. The Trojan, known as Trojan.Encriyoko, attempts to encrypt various file formats on a compromised computer and so render them unusable.

The original sample Symantec acquired was called GalaxyNxRoot.exe, a dropper written in .NET which disguises itself as a rooting tool to trick users into installing it. When run, GalaxyNxRoot.exe drops and launches two executable files, both written in Go: PPSAP.exe and adbtool.exe. The first is an information-stealing Trojan that collects system information such as currently running processes, user name, MAC address, etc., and sends it to a server on the Internet. The second file downloads an encrypted file from a different remote location. This downloaded file is decrypted and executed in an attempt to encrypt various files on the infected computer.

BlackHole exploit kit 2.0 released and it’s all about the money

(LiveHacking.Com) – A new version of the popular Black Hole exploit kit has been released. According to an entry on Pastebin, V2.0 has been rewritten from scratch to make it harder for anti-virus programs to detect it. Black Hole is one of the most popular exploit kits used online and accounts for just under 40 percent of all toolkits detected by AVG. The key element in the announcement is not so much the new features (which I will look at below) but the fact that the “advert” contains a list of the prices for server rentals and mentions that the prices have remained the same. Don’t ever lose sight of the fact that malware writing is all about the money.

So what are the prices, how much does it cost to be a cyber criminal nowadays? Renting a command and control server from the BlackHole creators costs just $50 per day with a limit of 50,000 hits. If you want to use your own server then you need to buy a license (ironic, no!), and that costs $700 for 3 months or $1500 for a year.

Among the new features is the use of a CAPTCHA on the administration panel login page to prevent security companies performing brute force attacks against the servers. The kit also adds dynamically generated URLs, which are valid for only a few seconds. These kinds of “enhancements” have nothing to do with how BlackHole actually exploits vulnerabilities on victims’ PCs; they are designed purely to make life harder for security researchers and security companies. In fact, the announcement says that the team have “developed and implemented a lot more features about which bragging and shouting in public is simply not reasonable, because competition and the AV companies do not nap.”

Google buys VirusTotal to boost its online protection services

(LiveHacking.Com) – VirusTotal, a free online service that analyzes files and URLs for malware, has been bought by Google. The purchase is seen by many as a way for Google to boost the protection it offers for its online services like Gmail and Google+. VirusTotal will continue to operate independently, and the company plans to maintain its partnerships with other antivirus companies and security experts.

VirusTotal works by aggregating warnings on user-submitted files and URLs from all the major antivirus solutions, including Intel Corp’s McAfee and Symantec Corp. Once a file or URL is received, VirusTotal performs the malware checks and then distributes the results to security vendors. Since those returned results include the original document or website in question, the service is seen as a valuable resource that allows the security industry to spot emerging threats.

“VirusTotal will continue to operate independently, maintaining our partnerships with other antivirus companies and security experts. This is an exciting step forward. Google has a long track record working to keep people safe online and we look forward to fighting the good fight together with them,” said the company on its blog.

Terms of the deal were not disclosed.

McAfee has detected 1.5 million new malware samples in the last three months

(LiveHacking.Com) – The amount of malware (including viruses and trojans) has seen its single biggest increase in the last four years, according to the new McAfee Threats Report: Second Quarter 2012. McAfee Labs says it has detected a 1.5 million increase in malware in the last three months and has seen malware writers becoming more sophisticated, with the appearance of new threats such as mobile drive-by downloads, the use of Twitter to control mobile botnets, and the appearance of mobile ‘ransomware’.

This means that there are 100,000 new pieces of malware discovered every day, and McAfee predicts that at this rate it will almost certainly see 100 million samples by next quarter and possibly the first 10-million-sample quarter.

“Over the last quarter we have seen prime examples of malware that impacted consumers, businesses, and critical infrastructure facilities,” said Vincent Weafer, senior vice president of McAfee Labs. “Attacks that we’ve traditionally seen on PCs are now making their way to other devices. For example, in Q2 we saw Flashback, which targeted Macintosh devices and techniques such as ransomware and drive-by downloads targeting mobile. This report highlights the need for protection on all devices that may be used to access the Internet.”

Android continues to be a popular target for malware writers. Virtually all new mobile malware detected in the last three months was written for Android. Mobile malware is growing in sophistication and the full gamut of malware types now exists, including SMS-sending malware, mobile botnets, spyware and destructive Trojans.

Other types of popular malware, this time aimed at the PC, include Fake Anti Virus (bogus security software), AutoRun, and password-stealing Trojans. The number of Fake AV samples grew slightly but the overall trend is still down. However, AutoRun and password-stealing malware showed significant growth this quarter.

There were nearly 1.2 million new AutoRun samples this quarter and nearly 1.6 million new password-stealing malware samples. AutoRun worms spread via USB flash drives by executing code embedded in AutoRun files, while password-stealing malware is designed to collect account names and passwords so that an attacker can carry out identity fraud.

You can learn more about the rise in malware in the full copy of the McAfee Threats Report: Second Quarter 2012.

Ransomware claims the FBI knows the victim’s computer is associated with crime and demands a fine

(LiveHacking.Com) – The Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) has published a warning about various ransom campaigns which are impersonating multiple U.S. Government agencies. The malware, which impersonates the United States Cyber Command (USCYBERCOM) and the Federal Bureau of Investigation (FBI), displays an alert telling the victim that a Federal Government agency has associated the user’s computer with one or more online crimes. To regain use of the computer the victim must pay a fine, often through a prepaid money card service.

The US-CERT warning comes after the discovery earlier this month of a piece of ransomware known as Reveton. The drive-by Trojan, which infects a victim’s PC when they visit a compromised website, locks the user’s computer, displays a bogus message and demands payment of fines. The bogus message says that the user’s Internet address was identified by the FBI or the Department of Justice’s Computer Crime and Intellectual Property Section as having been associated with illegal online activity. To unlock their machines, users are required to pay a fine using a prepaid money card service. The FBI has confirmed that the malware has already successfully stolen money from a number of innocent victims.

Needless to say, government agencies don’t send out official notifications as unsolicited emails or web pop-up alerts; such notifications are required by law to be delivered directly to the individual. Also, government agencies don’t ask for fines to be paid via money card services.

According to the US-CERT warning, victims can also choose to file a complaint with the FBI’s Internet Crime Complaint Center (IC3).