December 16th, 2012 12:22
writes “The newly discovered Dexter malware is one of the few examples of a malicious program that targets point of sale terminals, but also communicates, botnet-like, with a command and control infrastructure. According to an analysis by Seculert, the custom malware has infected ‘hundreds POS systems’ including those operated by ‘big-name retailers, hotels, restaurants and even private parking providers.’ Now a detailed analysis by Verizon’s RISK team suggests that Dexter may be a creation of a group responsible for the ubiquitous Zeus banking Trojan. By analyzing early variants of Dexter discovered in the wild, Verizon determined that the IP addresses used for Dexter’s command and control were also used to host Zeus related domains and several domains for Vobfus, also known as ‘the porn worm,’ which has been used to deliver the Zeus malware. Verizon also produced some tantalizing clues as to the identity of one individual who may be a part of the crew responsible for the malware. The RISK team linked the domain registration for a Dexter C&C server to an unusual online handle, ‘hgfrfv,’ that was used to post a number of suggestive help requests (‘need help with decrypting a table encrypted with EncryptByKey’) in online technical forums, where a live.com e-mail address was also provided. The account name was also linked to a shell account on the outsourcing web site freelancer.com, which lists ‘hgfrfv’ as an individual residing in the Russian Federation.”
Source: Analysis of Dexter Malware Uncovers Mystery Man, and Links To Zeus
Categories: slashdot. Tags: analysis, C&C, command and control, Dexter, Dexter Malware, e-mail address, malware, mystery man, RISK team, shell account, Verizon, Zeus
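The infrastructure-overlap pivot the post describes (Dexter C&C IPs that also hosted Zeus and Vobfus domains) is a routine passive-DNS exercise. The following is an added example, not code from Verizon's RISK team, Seculert or the original post; every domain, IP address, date and family label in it is constructed, and the `OBSERVATIONS` list stands in for whatever passive-DNS or sample-config source an analyst actually has. It also shows the caveat the post glosses over: a shared IP proves co-hosting, not co-authorship, so benign co-tenants must be excluded and the timeline of who used the address first should be checked before drawing conclusions.

```python
"""Infrastructure-overlap pivot of the kind described in the Dexter post above.

Added example, not code from Verizon's RISK team, Seculert or the original
post. Every record below is constructed: the domains, IP addresses, dates and
family labels are invented and do not describe real C&C hosts.
"""
from collections import defaultdict
from datetime import date

# Constructed passive-DNS style observations: (domain, ip, first_seen, family).
# "family" is the analyst's label for the domain before the pivot is run.
OBSERVATIONS = [
    ("dexter-c2-a.example", "203.0.113.10", date(2012, 10, 1), "dexter"),
    ("dexter-c2-b.example", "203.0.113.10", date(2012, 10, 3), "dexter"),
    ("dexter-c2-b.example", "198.51.100.7", date(2012, 11, 20), "dexter"),
    ("dexter-c2-c.example", "192.0.2.50", date(2012, 12, 1), "dexter"),
    ("zeus-panel.example", "203.0.113.10", date(2012, 9, 15), "zeus"),
    ("zeus-drop.example", "198.51.100.7", date(2012, 11, 2), "zeus"),
    ("porn-worm.example", "198.51.100.7", date(2012, 8, 30), "vobfus"),
    ("cdn.example", "192.0.2.50", date(2011, 1, 1), "benign"),
]


def index_by_ip(observations):
    """ip -> {domain: (first_seen, family)}."""
    by_ip = defaultdict(dict)
    for domain, ip, seen, family in observations:
        by_ip[ip][domain] = (seen, family)
    return by_ip


def shared_infrastructure(observations, seed_family, ignore=frozenset()):
    """IPs used by seed_family that also host domains of another family.

    Families in `ignore` (e.g. a known benign co-tenant on shared hosting) do
    not count as evidence. Returns {ip: {family: [domains]}}.
    """
    hits = {}
    for ip, domains in index_by_ip(observations).items():
        fams = defaultdict(list)
        for domain, (_, family) in domains.items():
            if family not in ignore:
                fams[family].append(domain)
        if seed_family in fams and len(fams) >= 2:
            hits[ip] = {f: sorted(d) for f, d in fams.items()}
    return hits


def overlap_score(observations, family_a, family_b):
    """Jaccard similarity of the IP sets used by two families (0.0 to 1.0)."""
    ips = defaultdict(set)
    for _, ip, _, family in observations:
        ips[family].add(ip)
    a, b = ips[family_a], ips[family_b]
    return len(a & b) / len(a | b) if (a | b) else 0.0


def timeline(observations, ip):
    """Who used an IP first? Sorted (first_seen, domain, family) for one IP."""
    return sorted(
        (seen, domain, family)
        for domain, (seen, family) in index_by_ip(observations)[ip].items()
    )


if __name__ == "__main__":
    hits = shared_infrastructure(OBSERVATIONS, "dexter", ignore={"benign"})
    for ip, fams in hits.items():
        print(ip, fams)
        for seen, domain, family in timeline(OBSERVATIONS, ip):
            print("   ", seen, family, domain)
    print("dexter/zeus overlap:", round(overlap_score(OBSERVATIONS, "dexter", "zeus"), 2))
```

With the constructed data, `192.0.2.50` drops out once the benign co-tenant is ignored, and the timeline for `203.0.113.10` shows the Zeus domain on the address before any Dexter domain, which is consistent with either one operator or Dexter's author simply renting the same box later; the pivot narrows the question, it does not answer it.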
wiredmikey writes “Despite its significant user base within enterprises, BlackBerry devices have managed to stay off the radar for malware writers. That may be ending, as four new Zeus-in-the-mobile (Zitmo) samples targeting BlackBerry users in Germany, Spain, and Italy have been found. Zitmo, which hit Android devices back in July 2011, refers to a version of the Zeus malware that specifically targets mobile devices. Denis Maslennikov, a security researcher at Kaspersky Lab, also identified a new Zitmo variant for Android using the same command and control (C&C) numbers as the BlackBerry versions. While previous Android variants have been primitive, the latest .apk dropper, which shows up as an app ‘Zertifikat,’ looks ‘more similar to “classic” Zitmo,’ he said. When executed, it displays a message in German that the installation was successful, along with an activation code. The Android sample also included a self-issued certificate that indicates it was developed less than a month ago.”
Source: Zeus Trojan Hits Blackberry Devices
Categories: slashdot. Tags: activation code, Android, APK, BlackBerry, C&C, Denis Maslennikov, Germany, Italy, malware, Spain, wiredmikey, Zeus, Zeus Trojan, Zitmo
writes “The nasty Trojan known as Citadel malware, which is based on Zeus, has typically been used to extort money from online banking users, but a new variant is making the rounds that tries to get your money by saying you looked at child porn sites and must pay a violation fee to the U.S. Department of Justice. This variation, called Reveton, lures the victim to a drive-by download website, at which time the ransomware is installed on the user’s computer, says the U.S. Internet Crime Complaint Center (IC3). Once installed, the computer freezes and a screen is displayed warning the user they have violated United States Federal Law.”
Source: US Warns Users of Child-Porn Blackmail Ransomware
Categories: slashdot. Tags: child porn sites, computer, Internet Crime Complaint Center, money, ransomware, U.S. Department of Justice, user, Zeus
wiredmikey writes “Today, Microsoft announced that, in what it called its ‘most complex effort to disrupt botnets to date,’ the company, in collaboration with partners from the financial services industry, has successfully taken down operations that fuel a number of botnets that make use of the notorious Zeus family of malware. In what Microsoft is calling ‘Operation b71,’ Microsoft and its co-plaintiffs, escorted by U.S. Marshals, seized command and control (C&C) servers in two hosting locations on March 23 in Scranton, Pennsylvania and Lombard, Illinois. The move was to seize and preserve data and evidence from the botnets for the case. In addition to seizing the C&C servers, the group took down two IP addresses behind the Zeus command and control structure, and secured 800 domains that Microsoft is now monitoring and using to help identify computers infected by Zeus.”
Source: Microsoft Leads Sting Operation Against Zeus Botnets
Categories: slashdot. Tags: C&C, command and control, Lombard, Illinois, Microsoft, Operation b71, Scranton, Pennsylvania, sting operation, U.S. Marshals, Zeus, Zeus botnets
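The post says the 800 secured domains are being monitored "to help identify computers infected by Zeus," which is what a sinkhole does: once the seized domains resolve to a server you control, every bot that still phones home reveals its source address. The script below is an added example of that triage step, not Microsoft's or Operation b71's tooling; the seized-domain list, the check-in paths, the log lines and all addresses are constructed, and the Apache/nginx "combined" log format with the vhost prepended is an assumption about how the sinkhole is configured.

```python
"""Sinkhole log triage: enumerate infected hosts from seized-domain traffic.

Added example, not Microsoft's or Operation b71's tooling. The domains, IP
addresses, request paths and log lines are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed list of seized domains now pointed at the sinkhole.
SINKHOLED = {"c2-one.example", "c2-two.example"}
# Constructed check-in paths; in practice these come from the bot's config.
BOT_PATHS = {"/gate.php", "/config.bin"}

# Assumed log layout: Apache/nginx "combined" format with the matched vhost
# prepended, i.e. "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"".
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two bots on c2-one, one bot on c2-two, a researcher's
# scanner, a stray 404, and a bot-looking request to a domain we do not own.
SAMPLE_LOG = """\
c2-one.example 192.0.2.11 - - [24/Mar/2012:10:00:01 +0000] "POST /gate.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
c2-one.example 192.0.2.11 - - [24/Mar/2012:10:05:02 +0000] "POST /gate.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
c2-one.example 198.51.100.8 - - [24/Mar/2012:10:07:00 +0000] "GET /config.bin HTTP/1.1" 200 20480 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
c2-two.example 203.0.113.3 - - [24/Mar/2012:10:09:12 +0000] "POST /gate.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
c2-two.example 203.0.113.99 - - [24/Mar/2012:10:10:30 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) python-requests/2.0"
c2-two.example 203.0.113.99 - - [24/Mar/2012:10:11:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0 (X11; Linux x86_64) python-requests/2.0"
unrelated.example 192.0.2.11 - - [24/Mar/2012:10:12:00 +0000] "POST /gate.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""


def parse_line(line):
    """Return the log fields as a dict, or None for an unparseable line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_bot_checkin(rec):
    """A request counts only if it hits a seized domain on a known bot path."""
    path = rec["path"].split("?", 1)[0]
    return rec["vhost"] in SINKHOLED and path in BOT_PATHS


def victims_by_domain(log_text):
    """{domain: Counter(ip -> number of check-ins)} for sinkholed domains."""
    victims = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_bot_checkin(rec):
            victims[rec["vhost"]][rec["ip"]] += 1
    return victims


def victim_networks(victims, prefixlen=24):
    """Count distinct victim IPs per network prefix, e.g. for ISP notification."""
    nets = Counter()
    for ip in set().union(*victims.values()) if victims else ():
        nets[str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))] += 1
    return nets


def triage(log_text):
    """Summarise a log: unique victims, per-domain detail, and lines ignored."""
    victims = victims_by_domain(log_text)
    kept = sum(sum(c.values()) for c in victims.values())
    total = sum(1 for line in log_text.splitlines() if line.strip())
    unique = sorted(set().union(*victims.values())) if victims else []
    return {
        "unique_victims": unique,
        "per_domain": {d: dict(c) for d, c in victims.items()},
        "skipped": total - kept,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result)
    print(victim_networks(victims_by_domain(SAMPLE_LOG)))
```

Matching on domain plus check-in path keeps scanners and stray hits out of the victim list, but it cannot tell a bot from a researcher deliberately replaying the check-in, and NAT means one address can hide many infected machines; the counts are a lower bound for notification, not a census.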
dsinc sends this quote from a Symantec report: “In 2011, dozens of Anonymous members who participated in distributed denial-of-service (DDoS) attacks in support of Anonymous hacktivism causes were arrested. In these DDoS attacks, supporters using the Low Orbit Ion Cannon denial-of-service (DoS) tool would voluntarily include their computer in a botnet for attacks in support of Anonymous. In the wake of Anonymous member arrests this week, it is worth highlighting how Anonymous supporters have been deceived into installing Zeus botnet clients purportedly for the purpose of DoS attacks. The Zeus client does perform DoS attacks, but it doesn’t stop there. It also steals the users’ online banking credentials, webmail credentials, and cookies. The deception of Anonymous supporters began on January 20, 2012, the day of the FBI Megaupload raid.”
Source: Anonymous Supporters Tricked Into Installing Trojan
Categories: slashdot. Tags: Anonymous, botnet, DDoS, denial of service (DoS), DoS tool, Low Orbit Ion Cannon, Zeus
February 25th, 2012 02:27
c0mpliant writes “Researchers at Symantec have identified a new variant of the ZeuS botnet which no longer requires a Command and Control server. The new variant uses a P2P system, which means that each bot acts like a C&C server, but none of them really are. The effect of which is that takedowns of such a network will be extremely difficult because there is no one central source to attack.”
Source: New ZeuS Botnet No Longer Needs Central Command Servers
Security researchers have identified the person believed to be responsible for about 22% of all spam on the Internet. Ironically, the individual who runs the spam operation through the so-called “Cutwail” botnet goes by the codename “Google.” Krebs on Security cracked the case of the hacker responsible for much of the spam that clogs e-mail inboxes around the world.
Hundreds of chat logs between “Google” and Stupin, the co-founder of a spam operation called “SpamIt,” were discovered on Stupin’s computer by Russian investigators. The logs give a detailed look into how “Google” ran Cutwail and built the largest spam network on the planet.
Cutwail, SpamIt & Russian Spammers
Cutwail operates by using the botnet as an engine that it rents to a community of spam affiliates, according to research done by the University of California, Santa Barbara and Ruhr-University Bochum in Germany. Clients are provided with a Web interface in English and Russian that makes it easy to create spam.
Image: Worldwide spambots in December 2011 from M86 Security.
“Google” rose to fame with Cutwail by affiliating it with SpamIt. Cutwail at first spammed about stocks, but in 2007 found that the conversion rate for stock spam was low and switched to pharmacy-related spam. Later, “Google” and Stupin created a scheme to sell “original equipment manufacturer” software, in practice pirated copies of Windows; this scheme was dubbed “Warezcash.” The chat logs arranging a meeting between “Google” and Stupin include “Google’s” mobile phone number.
This is where “Google’s” identity starts to unravel. The phone number, together with a previously known email address, led to Web site registrations for multiple domains, such as antirookit.ru and lancelotsoft.com. These domains were registered to a person named Dmitry S. Nechvolod, who is presumed to be “Google.”
Krebs notes that Dmitry S. Nechvolod is not necessarily the real name of “Google”; it could be a fake or a redirection. Krebs does say there are strong connections based on payment information that “Google” gave to SpamIt: the account in the virtual currency “WebMoney” to which SpamIt sent “Google’s” payments was registered to a person named “Nechvolod Dmitry Sergeyvich.”
The Cutwail botnet has morphed over the years. It started simply with stock spam, then pharmacy-related spam. It later moved to OEM software before sending phishing emails with malware attachments carrying the Zeus and SpyEye Trojans, according to Krebs. Airline tickets, Facebook notifications and various other lures came later. Cutwail has more recently moved on to “ransomware” attacks, in which a malicious hacker takes control of a user’s files and attempts to blackmail the victim to get them back.
Cutwail is still alive and active; after the takedown of the Rustock botnet, Cutwail moved in to fill the gap. There is good news, though, in the global war on spam. 2011 saw some of the lowest levels of email spam in the last decade, at 70% of all email volume in November 2011, according to Symantec (see the image above). That is down from a peak of 90%. Part of the decrease is the increased efficiency of security researchers in identifying and taking down botnets. Spammers have also moved to social networks like Twitter, Facebook and Google+, and to the comments of popular blogs.
Source: Researchers Identify Notorious Botnet Operator Codenamed “Google”
Categories: readwriteweb. Tags: botnet, Cutwail, Germany, Google, original equipment manufacturer, Ruhr-University Bochum, Russian investigators, Dmitry S. Nechvolod, University of California Santa Barbara, spam, SpamIt, Web site registration, Zeus
tsu doh nimh writes “Organized crooks have begun launching debilitating cyber attacks against banks and their customers as part of a smoke screen to prevent victims from noticing simultaneous high-dollar cyber heists, the FBI is warning. The thefts, aided by a custom variant of the ZeuS Trojan called ‘Gameover,’ are followed by distributed denial of service (DDoS) attacks against banks and the victim customers. The feds say the perpetrators also are wiring some of the money from victim organizations directly to high-end jewelry stores, and then sending money mules to pick up the pricey items.”
Source: Bank Accounts Vulnerable For Victims of ZeuS Trojan Variant ‘Gameover’
September 23rd, 2011 09:42
An anonymous reader tips news that Dell, Intel, and the Texas Advanced Computing Center will be working together to build “Stampede,” a supercomputer project aiming for peak performance of 10 petaflops. The National Science Foundation is providing $27.5 million in initial funding, and it’s hoped that Stampede will be “a model for supporting petascale simulation-based science and data-driven science.” From the announcement: “When completed, Stampede will comprise several thousand Dell ‘Zeus’ servers with each server having dual 8-core processors from the forthcoming Intel Xeon Processor E5 Family (formerly codenamed ‘Sandy Bridge-EP’) and each server with 32 gigabytes of memory. … [It also incorporates Intel ‘Many Integrated Core’ co-processors,] designed to process highly parallel workloads and provide the benefits of using the most popular x86 instruction set. This will greatly simplify the task of porting and optimizing applications on Stampede to utilize the performance of both the Intel Xeon processors and Intel MIC co-processors. … Altogether, Stampede will have a peak performance of 10 petaflops, 272 terabytes of total memory, and 14 petabytes of disk storage.”
Source: 10-Petaflops Supercomputer Being Built For Open Science Community
Categories: slashdot. Tags: Texas Advanced Computing Center, Dell, Intel, Intel Xeon processor, MIC, National Science Foundation, parallel workloads, performance, Sandy Bridge, science, Stampede, Zeus
Trailrunner7 writes “The source code to the infamous Zeus crimeware kit, which has been sold on underground forums for years, has been leaked and is now available for anyone to see if they know where to look. Security researchers over the weekend noticed that files appearing to contain the source code for the Zeus crimeware kit were starting to pop up on various forums frequented by attackers and cyber-criminals. The Zeus exploit kit is perhaps the most well-known kit of its kind right now, and has been used by a variety of attackers for numerous malware campaigns and targeted attacks.”
Source: Zeus Crimeware Kit Source Code Leaked