Zeus is a botnet package that allows for the easy creation and command and control of a botnet. We've discussed Zeus previously in Zeus, King of the Underground Crimeware Toolkits. The main purpose of Zeus is to steal online credentials such as online banking passwords, but it can be configured to steal passwords from any online site.
Today, the BBC is reporting that police in the UK have arrested two suspects in relation to Zeus. While the details are preliminary, the two likely appear to be users of the Zeus botnet package rather than the actual creators, and thus the prevalence and usage of Zeus is likely to continue.
We've created a research paper providing more in-depth information on Zeus, including how the bot is created, what functionality it has, and additional screenshots on...
A Blackberry application called PhoneSnoop was released recently, which resulted in an advisory from US-CERT. The application allows remote users to listen in on a Blackberry user’s surroundings.
The application as seen when installed on a Blackberry
The application is actually quite straightforward and uses standard Blackberry APIs that allow the interception of incoming phone calls. When a call is received from a preconfigured phone number, the call is automatically answered and the speakerphone is engaged. Someone who has had this application installed may not notice the incoming phone call and not realize someone can now listen in on the immediate surroundings.
We’d consider this application just a proof of concept for a variety of reasons, including the author himself...
SMS phishing (“SMSishing”) occurs when you receive an SMS message that is purportedly sent from a reputable source, such as your bank, asking for personal details. Although SMSishing first started a few years ago, a couple of recent SMSishing attempts directed at some colleagues of mine provided a good opportunity to document the attack.
The attacks start when attackers use automated services that allow sending many SMS messages at once and send messages such as the following:
FRM:3106******@*********.com
MSG:H*****FCU Notice: Please contact us immediately at 6366******
Or:
FRM:F**
SUBJ:Alert
MSG:F****** Alert. Unusual activity - Call now at 1-(888)3**-****
In the above two cases, the bank names and phone numbers are censored, but the messages typically follow the same pattern of specifying a bank and that there is some type of urgent need for you to contact them. When you call the number you...
As the April 1 payload delivery date nears for W32.Downadup.C (also known as Conficker) speculation continues on whether the payload will be one big April Fool’s joke, or the equivalent of a cyber Pearl Harbor. While we can’t predict the future with certainty, we can look at the motivations of past Downadup variants to postulate that the payload will likely be something between the two extremes.
The first Downadup variant (.A) provides the best evidence of the motivations of the Downadup authors. In a similar fashion to the recent Downadup variant, Downadup.A had a payload delivery date after its initial release, on December 1, 2008. Downadup.A attempted to download its payload file from hxxp://trafficconverter.biz/4vir/antispyware/loadadv.exe. While Downadup.A was never able to download its payload because the payload site was shut down, the...
Editor’s Note: This is the seventh installment of a multi-part series on specific and interesting aspects of W32.Downadup.
While Downadup’s RPC exploit method of spreading has been highlighted in several recently posted blog articles, the worm spreads via other methods as well. One of the potentially more noticeable methods is through network shares, especially in enterprise environments.
Downadup attempts to copy itself to other machines using the administrative network share (ADMIN$) that exists by default on Microsoft Windows machines. However, copying itself to the share requires authentication. This requirement leads to some noticeable...
In a previous blog entry we mentioned some of the press reports regarding Bankpatch and Nadebanker. We wanted to follow up with some additional insight on these threats.
Bankpatch is customized to target certain regions and certain banks, most recently with activity in Denmark. Our latest “heatmap” of infections shows Denmark as being still quite red when compared to other countries.
If you were searching the Internet for videos of the American Idol TV show, you might have received a bigger dose of reality than you were expecting. Unfortunately, one of the more popular video link aggregators was hosting infected advertisements on their site.
Advertising networks are a popular platform with malicious code authors when trying to gain a widespread distribution of their malware. They provide advertising networks with a URL that is supposed to point to their advertisement, but instead of only displaying an ad, they redirect the users to a rogue website. In this case, the advertisement was redirecting Web browsers to a PDF file that was using the Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability to install a malicious executable on the browser’s host system. (Please note that this vulnerability is resolved in Adobe Reader 8.1.3 and Adobe Reader...
Reports about Trojan.Bankpatch.C, a sophisticated online banking Trojan, have been hitting the news wires in Denmark. The first version of this threat was released in 2007 and the latest .C variant in August of 2008.
However, the life of the threat continues today as the authors continue to distribute the threat and update plug-in modules that target specific banks. Most recently they’ve seen some success in Denmark deploying modules specifically focused on obtaining online banking credentials for numerous Danish banks. While Symantec is continuing deeper analysis of the threat’s latest actions and modules, we wanted to provide a high-level overview of the threat.
Usually Bankpatch will arrive via a popular means of infection such as Web pages hosting exploits against Internet Explorer and third-party browser plug-in...
Editor’s Note: This is the sixth installment of a multi-part series on specific and interesting aspects of W32.Downadup.
Among other methods, Downadup infects other machines via a remote procedure call (RPC) exploit against the MS08-067 vulnerability. Using the vulnerability, the worm injects shellcode that connects back to the infecting machine. This is known as a back-connect. The back-connect works via HTTP on a randomly selected port and the infecting machine responds to incoming requests by providing the entire worm file. The shellcode receives this file and executes it on the remote host, causing it to then become infected.
Editor’s Note: This is the fifth installment of a multi-part series on specific and interesting aspects of W32.Downadup.
The ability of a threat to widely replicate often depends on its algorithm of finding other computers on the Internet, which are represented by an IP address. Downadup uses a variety of techniques to scan for new machines in order to maximize its infection abilities and at the same time minimize the chance of being noticed on a host.
Brute-force network scanning can cause noticeable slowdowns and network issues on the infected machine. Downadup attempts to limit its impact in two ways. Firstly, the worm contacts two well known websites and calculates the computer’s average bandwidth, then uses this value to configure how many simultaneous remote procedure call (RPC) exploit scans are allowed at one time. Secondly,...
Editor’s note: This is the first article in a multi-part series on specific and interesting aspects of W32.Downadup.
While many researchers, including us, are speculating on the magnitude of infections from Downadup (a.k.a. Conficker), we are also all waiting for the other shoe to drop. At this point, Downadup has replicated to potentially millions of machines but there has been no additional payload—yet. Ten years ago, just replicating was enough motivation in creating malicious code, while today the vast majority of malware has a monetary motivation. Based on previous variants and characteristics of the code, we believe the worm is associated with a well known malware gang that has previously distributed a variety of adware, and more recently misleading applications (a.k.a. rogue antispyware products).
All of the recent rumors about Google releasing a "gPhone" were finally put to rest with their release of Android, which is a software stack for mobile devices. Android includes an operating system (Linux), middleware, and some default applications like a browser.
(Click for larger image)
Applications are developed using Java and use a framework provided by Google including their own virtual machine (Dalvik virtual machine). The entire framework is open source and Google (as part of the Open Handset Alliance) wants to bring openness to the mobile ecosystem, allowing anyone to write applications and make use of all of the functionality available on handsets.
Some of us (Ollie Whitehouse, Eduardo Tang, and myself) are happy owners of the iPhone. However, not because we are constantly listening to music or using a pinching motion with our fingers to see pictures zoom and shrink, but because we get to analyze the attack surface. While the iPhone itself will surely evolve via new models, software, and patches, this blog will consist of a rundown of our initial thoughts.
In the default out-of-the-box configuration for the average user, you can not run code on the device. This makes the platform less risky than other mobile platforms and desktop operating systems like Windows. If you can't run code, you can't run malicious code. Further, the AJAX/Web 2.0 applications that can utilize the phone's services (such as the ability to make calls) normally prompts the user before the action takes place. This prevents automatic dialing and things like SMS worms.
The MPack toolkit has received a fair amount of media attention causing it to become oneof the most desired Web browser exploit toolkits in the undergroundhacker scene. The original author was selling the MPack toolkit for$1000 USD, including a year of free support, and additional exploitmodules for around $100 USD.
However, considering the toolkit is written in a script language, itis easy to redistribute and modify. The toolkit is being sold by othersnow for as low as $150 USD. That is a whopping 85% off. Talk aboutclearance sale. The sellers likely didn't even need to buy itthemselves, but rather probably found some of the multiple Web sitesthat did not employ standard Web site protections, allowing them todownload the whole kit for free.
With the toolkit available in the underground scene and evenavailable to almost anyone for a mere...
The MPack toolkit has received a fair amount of media attention causing it to become oneof the most desired Web browser exploit toolkits in the undergroundhacker scene. The original author was selling the MPack toolkit for$1000 USD, including a year of free support, and additional exploitmodules for around $100 USD.
However, considering the toolkit is written in a script language, itis easy to redistribute and modify. The toolkit is being sold by othersnow for as low as $150 USD. That is a whopping 85% off. Talk aboutclearance sale. The sellers likely didn't even need to buy itthemselves, but rather probably found some of the multiple Web sitesthat did not employ standard Web site protections, allowing them todownload the whole kit for free.
With the toolkit available in the underground scene and evenavailable to almost anyone for a mere...
