June 14, 2021

GameOver Zeus botnet disrupted by FBI, Microsoft and multi-national agencies

(LiveHacking.Com) – A multi-national team of security experts and law enforcement agencies, including the U.S. Department of Justice, the FBI, Europol and the UK’s National Cyber Crime Unit, has successfully disrupted the GameOver Zeus botnet. The malware, a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing trojans, is thought to be responsible for the theft of millions of dollars from businesses and consumers around the world.

Also known as P2P Zeus or GO Zeus, the malware uses a decentralized network of compromised PCs and web servers for command-and-control. Its peer-to-peer nature meant that command instructions could come from any of the infected computers, which made the takedown of the botnet more difficult.

The FBI took down portions of the command-and-control infrastructure by seizing domain names used by the malware. Microsoft helped the FBI by providing an analysis of the P2P network and by developing a cleaning solution. According to Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit, “Based upon these actions, it is anticipated that the cybercriminals’ business model will be disrupted, and they will be forced to rebuild their criminal infrastructure. More importantly, victims of GameOver Zeus have been, and will continue to be, notified and their infected computers cleaned to prevent future harm.”

GameOver Zeus is primarily used by cybercriminals to harvest banking information including login credentials. Once a PC is infected it can be used by the cybercriminals to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks. The malware has also been linked to the CryptoLocker ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files.

Andy Archibald, a Deputy Director at the UK’s National Crime Agency (NCA), said: “Nobody wants their personal financial details, business information or photographs of loved ones to be stolen or held to ransom by criminals. By making use of this two-week window, huge numbers of people in the UK can stop that from happening to them.” Mr Archibald continues: “Those committing cybercrime impacting the UK are often highly-skilled and operating from abroad. The NCA and its partners are alive to the threat, and pursuing new and collaborative ways to tackle and disrupt the perpetrators.”

At the same time as the botnet was being disrupted, a federal grand jury in Pittsburgh unsealed a 14-count indictment against the GameOver Zeus ringleader. Evgeniy Mikhailovich Bogachev, of Anapa, Russian Federation, is charged with conspiracy, computer hacking, wire fraud, bank fraud and money laundering. In a separate civil injunction, Bogachev was identified as the ringleader of the gang responsible for the development and operation of the CryptoLocker scheme.

36 million euros stolen from banking customers across Europe using mobile malware

(LiveHacking.Com) – A sophisticated and complex attack has been used to systematically steal millions from banking customers, both corporate and private, across Europe. By combining malware for the PC with malware for mobile phones, the attackers were able to intercept the SMS messages that banks send as part of their two-factor authentication process. The attackers first infected the victim’s PC and then their mobile phone. Once the two-factor authentication was bypassed, the criminals used the corresponding transaction authentication number (TAN) to automatically transfer funds out of the victims’ accounts. The sums varied in size from €500 to €250,000.

According to Check Point, the firewall maker, an estimated €36+ million has been stolen from more than 30,000 corporate and private bank accounts. The attack campaign has been named “Eurograbber” by Versafe and Check Point Software Technologies, who have released a case study of the criminals’ activities. Using a variation of the Zeus-In-The-Mobile trojan, the attackers completely monitored and manipulated the victims’ online banking sessions. The mobile part of the attack used malware developed for both the BlackBerry and Android platforms.

“Cyberattacks are constantly evolving to take advantage of the latest trends. As online and mobile banking continue to grow, we will see more targeted attacks in this area, and Eurograbber is a prime example,” said Gabi Reish, Head of Product Management at Check Point Software Technologies. “The best way to prevent these attacks is with a multi-layered security solution that spans network, data, and endpoints, powered by real time threat intelligence.”

In the on-going battle between cybercriminals and IT infrastructure designers, cyberattacks have become more sophisticated. The Eurograbber attack found the weakest link in the chain: the banking customers and their devices. By unwittingly installing malware on their PC and phone, the victims allowed the attackers to launch and automate their attacks while avoiding traceability.

Check Point has notified the banks involved and is actively working with law enforcement agencies to halt any current or future attacks. The report ends by reminding individual users that they must ensure all of their desktops, laptops and tablets have every available security layer enabled and are kept current with software and security updates, to ensure the best protection possible.

14% of home PCs are infected with malware

(LiveHacking.Com) – A new report has found that approximately 14 percent of home networks are infected with malware. The Kindsight Security Labs report, which highlights infections from April through June 2012, also says that the number of high-level threats, such as bots, Trojans and backdoors, increased by 50 percent when compared to the first three months of 2012.

According to the report, 14% of residential households with fixed broadband show evidence of malware infection, and 9% of households were infected by high-threat-level malware such as a botnet, rootkit or banking Trojan. It is estimated that there are 100,000,000 households with broadband in the USA. That means that 14,000,000 households in the USA have malware on a computer somewhere in the home and, worse still, 9,000,000 of those households have a serious malware infection, including a rootkit or a banking Trojan.

The primary way in which these computers get infected is via e-mail messages that lure victims to web sites running an exploit kit. The victim would typically receive an e-mail message from a business (like a bank or PayPal) or a government agency (like the IRS) informing them of an issue with their account. The link takes the user to a fake site (which looks reasonably close to the authentic one) but the fake site uses malicious techniques to infect the victim’s computer. Once infected the attacker goes on to install the malware of their choice, often a rootkit botnet such as Alureon or ZeroAccess.

Alternatively, the e-mail may take users directly to a download, often of fake anti-virus software that is actually a spambot or a banking Trojan such as Zeus or SpyEye, or the e-mail will simply contain a zip file holding an executable malware file.

With the London Olympics approaching fast, McAfee also noticed a sharp increase in the number of Olympic-related spam e-mails. E-mails themed around global events are a popular method used by hackers to lure users into following links to malware-infested sites.

“In recent months, we’ve seen the ZeroAccess botnet update its command and control protocol and grow to infect more computers while connecting to over one million computers globally,” said Kevin McNamee, security architect and director, Kindsight Security Labs. “The concern with ZeroAccess is that it is using the subscriber’s bandwidth maliciously which will cost them money as they exceed bandwidth caps. And, once the computer is compromised, it can also spread additional malware or launch new attacks.”

The report also highlights the recent Mac Flashback infection which infected 10% of home networks with Mac computers during the month of April.

ENISA tells banks to assume that all customer PCs are infected with malware

(LiveHacking.Com) – The EU’s cyber security agency ENISA (European Network and Information Security Agency) has released a report in response to the “High Roller” cyber-attacks. These attacks targeted corporate bank accounts and, according to a report recently published by McAfee and Guardian Analytics, are responsible for the loss of tens of millions of dollars.

As part of its recommendations, ENISA has told the banking industry to assume that all customer PCs are infected with malware. The “High Roller” attacks used the infamous Zeus malware, which is not universally detected by anti-malware programs, so it is safer for banks to assume that all of their customers’ PCs are infected.

The report also notes that basic two-factor authentication does not prevent man-in-the-middle attacks on transactions. ENISA therefore recommends that banks cross-check the details of certain types of transactions with their customers. These cross-checks can be performed via SMS or a telephone call.
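To make concrete why ENISA draws a line between basic two-factor authentication and a cross-check of the transaction details, here is an added example in Python (written for this page, not taken from ENISA’s report or any bank’s code). It contrasts a generic one-time code, which authorises whatever the session submits, with a transaction-bound TAN: the code is derived with an HMAC over the beneficiary, amount and reference, and the confirmation message sent to the customer repeats those details, so a transfer rewritten by malware in the browser after the code was issued does not verify. The customer secret, the `Transfer` fields, the IBANs and the amounts are constructed for the example. The caveat the Eurograbber and ZeuS Mitmo attacks covered on this page illustrate still applies: when the phone is compromised as well, the attacker reads the same message, and what remains is the customer actually reading the details, or the telephone call-back ENISA also suggests.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Per-customer secret held only by the bank; a constructed value for this example.
CUSTOMER_SECRET = b"example-customer-secret-not-a-real-key"


@dataclass(frozen=True)
class Transfer:
    """The details the bank would execute and the customer is asked to confirm."""
    beneficiary_iban: str
    amount_cents: int
    reference: str


def transfer_fingerprint(t: Transfer) -> bytes:
    """Canonical encoding of the details the TAN is bound to."""
    return f"{t.beneficiary_iban}|{t.amount_cents}|{t.reference}".encode()


def issue_generic_otp() -> str:
    """Basic second factor: a code that is not tied to any particular transaction."""
    return f"{secrets.randbelow(10**6):06d}"


def verify_generic_otp(issued: str, submitted: str, _transfer: Transfer) -> bool:
    """The transfer is not part of the check, so the code authorises whatever was submitted."""
    return hmac.compare_digest(issued, submitted)


def issue_transaction_tan(t: Transfer, nonce: bytes) -> Tuple[str, str]:
    """Return (confirmation message for the customer, TAN) bound to these exact details."""
    mac = hmac.new(CUSTOMER_SECRET, nonce + transfer_fingerprint(t), hashlib.sha256).digest()
    tan = f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"
    message = (f"Confirm transfer of EUR {t.amount_cents / 100:.2f} to "
               f"{t.beneficiary_iban} (ref: {t.reference}). TAN: {tan}")
    return message, tan


def verify_transaction_tan(submitted: Transfer, nonce: bytes, tan: str) -> bool:
    """Recompute the TAN over the transfer actually submitted for execution."""
    _, expected = issue_transaction_tan(submitted, nonce)
    return hmac.compare_digest(expected, tan)


def demo(nonce: Optional[bytes] = None) -> Dict[str, object]:
    """Run both schemes against a transfer rewritten in the browser after the code was issued."""
    nonce = nonce or secrets.token_bytes(16)          # fresh per confirmation; prevents replay
    intended = Transfer("DE00 0000 0000 0000 0000 00", 50_00, "rent")     # constructed
    tampered = Transfer("XX99 9999 9999 9999 9999 99", 25_000_00, "rent")  # constructed rewrite
    otp = issue_generic_otp()
    message, tan = issue_transaction_tan(intended, nonce)
    return {
        "message": message,
        "generic_accepts_tampered": verify_generic_otp(otp, otp, tampered),
        "bound_accepts_intended": verify_transaction_tan(intended, nonce, tan),
        "bound_accepts_tampered": verify_transaction_tan(tampered, nonce, tan),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The server keeps the nonce with the pending transaction and discards it once the TAN has been used, so a captured code cannot be replayed later; the message text is what gives the customer the chance to spot a beneficiary or amount they never entered.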

ENISA also calls on the different national Computer Emergency Response Teams (CERTs) and law enforcement agencies to cooperate more closely to help bring down the command and control servers used by the criminals.

The recommendations have been published because of the nature of the “High Roller” attacks. First, the attacks are highly automated, making them fast and easily missed. Second, they are sophisticated, with the ability to bypass two-factor authentication and fraud detection. Third, they are highly targeted: only PCs belonging to users with correspondingly high account balances were attacked.

Microsoft Moves Against Zeus Botnets With New Action Codenamed Operation b71

(LiveHacking.Com) – Microsoft is no stranger to fighting botnets. Over the last eighteen months it has led a variety of operations (b49, b107 and b79) to dismantle botnet networks used to conduct criminal activities including spamming, click fraud and malware distribution. This week, together with partners in the financial services industry, Microsoft led Operation b71, a new action to disrupt Zeus (Win32/Zbot) botnets.

Zeus botnets are complex and Microsoft has not been able to shut down every botnet in existence (nor was that its goal), but Microsoft expects that Operation b71 will significantly impact the cybercriminals’ operations and infrastructure. Operation b71, which targeted the command and control infrastructure of various botnets using the Zbot, SpyEye and Ice IX variants of the Zeus family of malware, was carried out by Microsoft together with the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Electronic Payments Association (NACHA), Kyrus Tech and F-Secure.

After months of investigation and a successful pleading before the U.S. District Court for the Eastern District of New York, there was a coordinated seizure of command and control servers in Scranton, Penn. and Lombard, Ill. (hosting some of the worst known Zeus botnets). This disrupted the botnets and yielded valuable evidence and intelligence.

The Zeus malware uses keylogging to record a victim’s keystrokes to monitor online activity and gain access to usernames and passwords in order to steal a victim’s identity, take money from their bank accounts and make online purchases.

“Zeus is especially dangerous because it is sold in the criminal underground as a crimeware kit, which allows criminals to set up new command and control servers and create their own individual Zeus botnets. These crimeware kits sell for anywhere between $700 to $15,000, depending on the version and features of the kit. Overall, Microsoft has detected more than 13 million suspected infections of this malware worldwide, with more than 3 million in the United States alone,” wrote Richard Domingues Boscovich, Senior Attorney, Microsoft Digital Crimes Unit.

The operation culminated in the physical seizure of command and control servers. Representatives from Microsoft, FS-ISAC and NACHA were escorted by U.S. Marshals during the operation. Microsoft also currently monitors 800 domains secured in the operation, which helps it identify thousands of Zeus-infected computers.

“We don’t expect this action to have wiped out every Zeus botnet operating in the world. However, together, we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cybercriminal underground for quite some time,” added Boscovich.

Source Code for ZeuS Trojan Horse Freely Available on the Internet

The source code for the ZeuS trojan horse (sometimes known as Zbot), which steals banking information by keystroke logging and form grabbing, has been leaked onto the Internet. Peter Kruse of CSIS, a security company from Copenhagen, has confirmed that the archive file, which is available from several underground forums, compiles and is indeed genuine.

According to The H, the source code is for version which is thought to be the latest version. Previously copies of ZeuS sold for several thousand dollars among cyber criminals and organized crime gangs.

The archive file contains a builder that generates the malware executable and Web server files (PHP, images, SQL templates) for use as the command and control server.

How or why this source code has appeared on the net is unclear; however, it was reported last year that ZeuS’s creator had retired and handed the ZeuS source code over to his long-time rival.

ZeuS has already caused a lot of damage, and its release on the Internet could mean it now poses a greater threat than ever before.

ZeuS crimeware variant targets Windows Mobile, Symbian and BlackBerry phones

ZeuS Mitmo, a variant of ZeuS crimeware, has started attacking clients of ING in Poland by targeting the two-step authentication process used by the bank.

The attack has two components. First, the user’s PC is infected with the ZeuS malware, which injects a legitimate-looking field into ING’s web page asking the user for their phone number. Once the number is entered, the user receives a fake SMS, apparently from the bank, with a link to the mobile part of the attack. Once installed, the mobile malware forwards the real authentication messages from the bank (used during login) to another phone.

Now armed with the username and password (from the infected PC) and the authentication code SMS (from the infected phone), the attacker can log in to the victim’s online banking service.

This isn’t the first time this type of attack has been launched against online banking systems which use SMS messages for authentication. A similar ZeuS Man-in-the-mobile attack was reported in Spain last year.

Apple is often criticized for the amount of control it has over its app store, but this is one example of how being able to freely install apps from anywhere can lead to disastrous consequences.

61% of all Web-based Malware Created With DIY Kits

Symantec has released a new report on attack toolkits and their increasing use for creating DIY malware. Since attack toolkits can be used by novices and experts alike, the report finds that these DIY malware kits are now being used by more traditional criminals to create new waves of organized cybercrime.

As an example, Symantec points to the case of the ZeuS attack kit, which steals bank account credentials. In September 2010, police broke up a ring of cybercriminals who allegedly used a ZeuS botnet to steal more than $70 million from online banking and trading accounts over an 18-month period.

Other popular packs include MPack, Neosploit, ZeuS, Nukesploit P4ck and Phoenix. The increased popularity of these attack kits has spawned an underground economy in the buying and selling of these suites. For example, in 2006 WebAttacker, a popular attack toolkit, sold for $15 on the underground economy; in 2010, ZeuS 2.0 was advertised for up to $8,000.

“In the past, hackers had to create their own threats from scratch. This complex process limited the number of attackers to a small pool of highly skilled cybercriminals,” said Stephen Trilling, senior vice president, Symantec Security Technology and Response. “Today’s attack toolkits make it relatively easy for even a malicious novice to launch a cyberattack. As a result, we expect to see even more criminal activity in this area and a higher likelihood that the average user will be victimized.”

The prediction for 2011 is that, as more and more traditional criminals enter the fray, the number of attacks will increase.

SpyEye Tracker

Abuse.ch has launched a new project, SpyEye Tracker. According to the project website, SpyEye Tracker is similar to the ZeuS Tracker, except that it tracks and monitors malicious SpyEye Command & Control servers rather than ZeuS Command & Control servers.

SpyEye Tracker provides blocklists in different formats (e.g. for the Squid web proxy or iptables) to prevent infected clients from reaching the Command & Control servers.
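As an added illustration of how a tracker’s blocklists get consumed on the defending side (example code written for this page, not from abuse.ch; the feed entries, the rendered formats and the log lines are constructed rather than taken from SpyEye Tracker), the Python below parses a simple hostname/IP/CIDR blocklist, renders it as the body of a Squid `dstdomain` ACL file and as iptables DROP rules, and then runs the same list over a few Squid native-format access log lines to find internal clients that have already talked to a listed server. The parse-and-render approach is generic and applies to any C&C feed of the same shape, not only SpyEye’s.

```python
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample feed: one hostname, IP address or CIDR per line (not SpyEye Tracker data).
SAMPLE_BLOCKLIST = """\
# hostname, IP or CIDR per line; '#' starts a comment
cnc.example.invalid
198.51.100.23
UPDATE.example.invalid   # hostnames are matched case-insensitively
203.0.113.0/24
not a valid entry!
"""

# Constructed Squid native access.log lines (time duration client code/status bytes
# method URL ident peerstatus/peerhost type); none of these hosts or addresses is real.
SQUID_ACCESS_LOG = """\
1339660800.123    215 10.0.0.5 TCP_MISS/200 1893 GET http://cnc.example.invalid/gate.php - DIRECT/198.51.100.23 text/html
1339660801.456     98 10.0.0.7 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1339660802.789    120 10.0.0.9 TCP_MISS/404 412 POST http://update.example.invalid/cfg.bin - DIRECT/203.0.113.77 application/octet-stream
"""


def parse_blocklist(text: str) -> Dict[str, List[str]]:
    """Split feed entries into hostnames and IP networks; comments, blanks and junk are dropped."""
    hosts, nets = set(), set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        try:
            # Single addresses become /32 (or /128) networks so one code path handles both
            nets.add(str(ipaddress.ip_network(entry, strict=False)))
            continue
        except ValueError:
            pass
        if re.fullmatch(r"[a-z0-9][a-z0-9.-]*", entry):
            hosts.add(entry)
    return {"hosts": sorted(hosts), "networks": sorted(nets)}


def squid_dstdomain(entries: Dict[str, List[str]]) -> str:
    """Body of a file for `acl cnc dstdomain "/etc/squid/cnc.txt"`; a leading dot also matches subdomains."""
    return "".join(f".{h}\n" for h in entries["hosts"])


def iptables_rules(entries: Dict[str, List[str]], chain: str = "FORWARD") -> List[str]:
    """One DROP rule per listed network; iptables matches addresses only, so hostnames stay with the proxy."""
    return [f"iptables -A {chain} -d {net} -j DROP" for net in entries["networks"]]


def find_contacts(access_log: str, entries: Dict[str, List[str]]) -> List[Dict[str, str]]:
    """Retrospective check: which internal clients already reached a listed host or network."""
    nets = [ipaddress.ip_network(n) for n in entries["networks"]]
    hosts = set(entries["hosts"])
    hits = []
    for line in access_log.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        client, url, peer = fields[2], fields[6], fields[8]
        host = (urlsplit(url).hostname or "").lower()
        dest = peer.split("/", 1)[-1]
        by_host = host in hosts or any(host.endswith("." + h) for h in hosts)
        try:
            by_net = any(ipaddress.ip_address(dest) in n for n in nets)
        except ValueError:
            by_net = False
        if by_host or by_net:
            hits.append({"client": client, "host": host, "peer": dest})
    return hits


if __name__ == "__main__":
    entries = parse_blocklist(SAMPLE_BLOCKLIST)
    print(squid_dstdomain(entries))
    print("\n".join(iptables_rules(entries)))
    for hit in find_contacts(SQUID_ACCESS_LOG, entries):
        print(f"{hit['client']} contacted {hit['host']} ({hit['peer']})")
```

Matching on both the URL host and the peer address matters: a proxy block stops future connections, while the log sweep is what tells the ISP or CERT which subscriber machines are already infected and need cleaning.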

SpyEye Tracker could be helpful to ISPs, CERTs and law enforcement in tracking malicious SpyEye Command & Control servers and combating the cybercriminals behind them.