<?xml version="1.0" encoding="UTF-8"?>
<!--Generated by Squarespace Site Server v5.9.3 (http://www.squarespace.com/) on Sun, 21 Mar 2010 13:52:15 GMT--><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:rss="http://purl.org/rss/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:cc="http://web.resource.org/cc/"><rss:channel rdf:about="http://blog.scansafe.com/journal/"><rss:title>ScanSafe STAT Blog</rss:title><rss:link>http://blog.scansafe.com/journal/</rss:link><rss:description></rss:description><dc:language>en-US</dc:language><dc:date>2010-03-21T13:52:15Z</dc:date><admin:generatorAgent rdf:resource="http://www.squarespace.com/">Squarespace Site Server v5.9.3 (http://www.squarespace.com/)</admin:generatorAgent><rss:items><rdf:Seq><rdf:li rdf:resource="http://blog.scansafe.com/journal/2010/3/16/troyak-gets-serviced-by-zeus-provider.html"/><rdf:li rdf:resource="http://blog.scansafe.com/journal/2010/3/9/energizer-software-a-rat-in-bunny-clothes.html"/><rdf:li rdf:resource="http://blog.scansafe.com/journal/2010/2/27/tsunami-threat-may-lead-to-surge-in-social-engineering-scams.html"/><rdf:li rdf:resource="http://blog.scansafe.com/journal/2010/2/26/understanding-sql-injection-the-hard-way.html"/><rdf:li rdf:resource="http://blog.scansafe.com/journal/2010/2/24/cant-login-to-facebook.html"/><rdf:li rdf:resource="http://blog.scansafe.com/journal/2010/2/18/zeus-kneber-botnet-cache-discovered.html"/><rdf:li rdf:resource="http://blog.scansafe.com/journal/2010/2/15/hacking-arrest-warrant-issued-for-tour-de-france-cyclist.html"/><rdf:li rdf:resource="http://blog.scansafe.com/journal/2010/2/12/scansafe-annual-global-threat-report.html"/><rdf:li rdf:resource="http://blog.scansafe.com/journal/2010/1/21/microsoft-releases-out-of-band-ie-patch.html"/><rdf:li 
rdf:resource="http://blog.scansafe.com/journal/2010/1/14/mcafee-claims-ie-not-adobe-flaw-to-blame.html"/></rdf:Seq></rss:items></rss:channel><rss:item rdf:about="http://blog.scansafe.com/journal/2010/3/16/troyak-gets-serviced-by-zeus-provider.html"><rss:title>Troyak Gets Serviced by Zeus Provider</rss:title><rss:link>http://blog.scansafe.com/journal/2010/3/16/troyak-gets-serviced-by-zeus-provider.html</rss:link><dc:creator>Mary Landesman</dc:creator><dc:date>2010-03-16T21:34:41Z</dc:date><dc:subject></dc:subject><content:encoded><![CDATA[<p>Last week, on March 9th, upstream providers de-peered Troyak-AS, a significant service provider for Zeus c&amp;c servers. Since then, Troyak-AS has bounced to multiple other upstream providers, each subsequently choosing to de-peer the account shortly thereafter. With zero traffic on the 13th and 14th, it appeared the continued takedown efforts had finally met with permanent success. On the 15th, however, our ongoing traffic analysis indicated that Troyak-AS was once again servicing Zeus traffic. Investigation revealed the latest upstream providers are:</p>
<p>AS31366<br />smallshop-as<br /><br />and<br /><br />AS12604<br />citygame-as</p>
<p>Both upstream providers are registered to Vladimir Vasulyovich in Moscow. In an interesting and disturbing twist, Citygame-AS has also previously been implicated as a service provider for other Zeus c&amp;c servers.</p>
<p>Throughout 2009, Zeus malware traffic comprised 1% of ScanSafe Web malware blocks. This trend continued into 2010 until March 7th, when Zeus traffic suddenly spiked to 12% of all Web malware. Deeper analysis revealed that the largest share of that spike was Troyak-serviced Zeus traffic. The timing of the spike (two days prior to the first takedown) and the unprecedented volume increase suggest the Zeus bot herders may have had forewarning of the impending takedown. If so, this would have given the attackers an opportunity to redirect their bots to other command and control locations.</p>
<p>Whether existing bots were or were not redirected may be a moot point. Now that Troyak-AS has partnered with Citygame-AS for upstream service - and both providers have been implicated in servicing known Zeus c&amp;c servers, will the takedowns continue? Or has Troyak indeed found bulletproof hosts willing to turn a blind eye to the supply chain of data theft trojans that are the hallmark of Zeus?</p>]]></content:encoded></rss:item><rss:item rdf:about="http://blog.scansafe.com/journal/2010/3/9/energizer-software-a-rat-in-bunny-clothes.html"><rss:title>Energizer Software a RAT in Bunny Clothes?</rss:title><rss:link>http://blog.scansafe.com/journal/2010/3/9/energizer-software-a-rat-in-bunny-clothes.html</rss:link><dc:creator>Mary Landesman</dc:creator><dc:date>2010-03-09T16:29:07Z</dc:date><dc:subject></dc:subject><content:encoded><![CDATA[<p>Yesterday, news broke that the software used with the <a href="http://www.amazon.com/Energizer-Charger-USB-Duo-Battery/dp/tech-data/B001HA14G6/ref=de_a_smtd/181-8286302-4539645">Energizer DUO - USB Charger</a> contained a remote access trojan (RAT) aka backdoor. This certainly is not the first electronic device to come pre-infected with malware. Digital picture frames, USB drives, even factory-installed hard drives have harbored stowaway malware.</p>
<p>What makes the Energizer DUO - USB Charger infection so interesting is that it apparently existed for quite some time before anyone even noticed. Security pro Kurt Wismer details how even he was infected by the trojan, despite employing pretty good security practices - including up-to-date antivirus and patches. For Kurt's firsthand account, see: <a href="http://anti-virus-rants.blogspot.com/2010/03/energizer-bunny-looks-more-like-rat.html">The Energizer Bunny Looks More Like a RAT</a>.</p>]]></content:encoded></rss:item><rss:item rdf:about="http://blog.scansafe.com/journal/2010/2/27/tsunami-threat-may-lead-to-surge-in-social-engineering-scams.html"><rss:title>Tsunami Threat May Lead to Surge in Social Engineering Scams</rss:title><rss:link>http://blog.scansafe.com/journal/2010/2/27/tsunami-threat-may-lead-to-surge-in-social-engineering-scams.html</rss:link><dc:creator>Mary Landesman</dc:creator><dc:date>2010-02-27T18:05:22Z</dc:date><dc:subject></dc:subject><content:encoded><![CDATA[<p>An 8.8 magnitude earthquake struck Santiago, Chile on February 27th at 06:34GMT. Sea level detectors have reported activity consistent with tsunami generation, with much of the Pacific area subsequently under tsunami watches or warnings.</p>
<p>In conjunction with the very real physical threat of tsunamis, folks will need to be on alert for a corresponding surge in tsunami-themed scams. This may include malicious links planted in search engine results for popular keywords such as tsunami, earthquake, chile, and hawaii.</p>]]></content:encoded></rss:item><rss:item rdf:about="http://blog.scansafe.com/journal/2010/2/26/understanding-sql-injection-the-hard-way.html"><rss:title>Understanding SQL Injection the Hard Way</rss:title><rss:link>http://blog.scansafe.com/journal/2010/2/26/understanding-sql-injection-the-hard-way.html</rss:link><dc:creator>Mary Landesman</dc:creator><dc:date>2010-02-26T16:16:56Z</dc:date><dc:subject></dc:subject><content:encoded><![CDATA[<p>What do you get when you cross a room full of skeptical business executives with a security researcher teaching about SQL injection?</p>
<p><a href="http://www.communities.hp.com/securitysoftware/blogs/rafal/archive/2010/02/25/a-big-case-of-oops.aspx">A Big Case of ...OOPS</a>.</p>]]></content:encoded></rss:item><rss:item rdf:about="http://blog.scansafe.com/journal/2010/2/24/cant-login-to-facebook.html"><rss:title>Can't Login to Facebook...</rss:title><rss:link>http://blog.scansafe.com/journal/2010/2/24/cant-login-to-facebook.html</rss:link><dc:creator>Mary Landesman</dc:creator><dc:date>2010-02-24T23:05:54Z</dc:date><dc:subject></dc:subject><content:encoded><![CDATA[<p>ReadWriteWeb wrote a blog post titled "<a href="http://www.readwriteweb.com/archives/facebook_wants_to_be_your_one_true_login.php">Facebook Wants to Be Your One True Login</a>". Google indexed the page, so it quickly appeared at the top of search engine listings for "Facebook login". Amazingly, a rather large number of people landed on the blog from Google searches, didn't realize they weren't on the Facebook login page, and began leaving comments. Here's a sampling:</p>
<p><br />#<br />Ok If I have to I will comment,I love facebook so right now just want to log in if thats ok with you..lol Keep up the good work...<br />#<br />I just want to sign in............<br />#<br />I just want to log in to Facebook - what with the red color and all? #<br />#<br />I was just learning,why would you mess it up?<br />#<br />ok cool now can I get to facebook<br />#<br />wtf is this bullshttttttttttt all about. can i get n plzzzzzzzzz<br />#<br /><br />Reading the comments, linguistically the majority of the "lost loggers" appear to be younger. This would be a generation that grew up with a "Popcorn" button on the microwave. And it begs the quite serious question, if the popcorn button failed, would they know how to pop it any other way? I don't mean using a stove, a pan, and some oil either - but simply the ability to program in the right amount of time?</p>
<p>I ask this because the thread, funny at times but mostly quite sad, indicates that a large number of Web surfers have no understanding of even the very basics of their Web browser. And because they are used to accessing sites via search engines, they aren't at all familiar with the address bar - much less how a URL is formed.</p>
<p>If users don't understand the basics of how a normal URL is formed, how can they ever recognize a malformed URL that points to a phishing site? Likewise, if these users cannot distinguish a valid search engine listing for Facebook from a listing for a blog <em>discussing</em> Facebook, how can they even begin to decipher spamdexing listings?</p>
<p>And if they can't do any of the above, how will those of us in the security industry ever be able to help them understand the sophisticated and highly criminal attacks that are taking place via the Web today? Because while it might be tempting to chuckle at these users' lack of basic understanding of how the Web works, the thing is that most of them probably have jobs. They could even be working in your own enterprise. And it's your intellectual property that's at stake. And it's these very same users that might be the only thing standing between your sensitive data and those that would steal it.</p>
<p>It's not funny. It's downright scary.</p>]]></content:encoded></rss:item><rss:item rdf:about="http://blog.scansafe.com/journal/2010/2/18/zeus-kneber-botnet-cache-discovered.html"><rss:title>Zeus "Kneber" Botnet Cache Discovered</rss:title><rss:link>http://blog.scansafe.com/journal/2010/2/18/zeus-kneber-botnet-cache-discovered.html</rss:link><dc:creator>Mary Landesman</dc:creator><dc:date>2010-02-18T21:31:53Z</dc:date><dc:subject></dc:subject><content:encoded><![CDATA[<p>Earlier today, security firm <a href="http://www.netwitness.com">NetWitness</a> reported the discovery of a cache of stolen data harvested by the Zeus botnet. According to that report, the stolen data "included 68,000 corporate login credentials, access to email systems, online banking sites, Facebook, Yahoo, Hotmail and other social networking credentials, 2,000 SSL certificate files, and dossier-level data sets on individuals including complete dumps of entire identities from victim machines."<br /><br />Somewhere along the line, people began referring to this attack as the "Kneber botnet". In reality, it's still Zeus. The reason some folks have nicknamed it Kneber is that the malware domains involved in this particular branch of the Zeus botnet have "Hilary Kneber" listed as the domain registrant. Of course, Hilary Kneber is likely a completely made-up name.<br /><br />The Zeus botnet has been active on the Web for over a year. In our 1Q08 Global Threat Report, ScanSafe reported on the surge of Zeus-related activity via the Web and specifically its joining forces with the LuckySploit framework.<br /><br />Zeus malware is known for browser traffic sniffing, intercepting POST data and keystrokes associated with the active browser session, as well as clipboard data passed to the browser. Zeus malware also typically disables firewalls and other security software on infected systems, as well as blocking access to security vendor websites and services. 
For example, Zeus can prevent antivirus signatures from being updated. Zeus trojans also employ rootkits to remain hidden on infected systems.<br /><br />In 2009, malware associated with Zeus accounted for 1% of all ScanSafe Web malware blocks for the year. (For more details on botnet activity, download the <a href="http://www.scansafe.com/downloads/gtr/2009_AGTR.pdf">ScanSafe 2009 Annual Global Threat Report</a>). For the "Kneber" domains specifically, some of the detection names related to those blocks include:</p>
<p>Note that detection names are generic - not all malware blocked by one of these threatnames will be related to the Kneber branch of the Zeus botnet. Following are some of the domain names and IP addresses associated with the Kneber branch of Zeus:</p>]]></content:encoded></rss:item><rss:item rdf:about="http://blog.scansafe.com/journal/2010/2/15/hacking-arrest-warrant-issued-for-tour-de-france-cyclist.html"><rss:title>Hacking Arrest Warrant Issued for Tour de France Cyclist</rss:title><rss:link>http://blog.scansafe.com/journal/2010/2/15/hacking-arrest-warrant-issued-for-tour-de-france-cyclist.html</rss:link><dc:creator>Mary Landesman</dc:creator><dc:date>2010-02-15T18:56:38Z</dc:date><dc:subject></dc:subject><content:encoded><![CDATA[<p>I've heard hacking referred to <em>as</em> a sport, but never before <a href="http://www.google.com/hostednews/ap/article/ALeqM5gdMdXloFacwnjG08Qim6iH4GFX-gD9DSO6Q81">hacking <em>for</em> a sport</a>.</p>]]></content:encoded></rss:item><rss:item rdf:about="http://blog.scansafe.com/journal/2010/2/12/scansafe-annual-global-threat-report.html"><rss:title>ScanSafe Annual Global Threat Report</rss:title><rss:link>http://blog.scansafe.com/journal/2010/2/12/scansafe-annual-global-threat-report.html</rss:link><dc:creator>Mary Landesman</dc:creator><dc:date>2010-02-12T19:35:25Z</dc:date><dc:subject></dc:subject><content:encoded><![CDATA[<p>What does a trillion Web requests tell us about the state of the Web today? It's not a pretty story. Critical verticals are at heightened risk of attack via the Web. 
Most disturbingly, data theft trojans continue to be particularly problematic for companies in critical sectors:</p>
<ul>
<li>Energy &amp; Oil (356% increase)</li>
<li>Pharmaceutical &amp; Chemical (322% increase)</li>
<li>Government (252% increase)</li>
<li>Banking &amp; Finance (204% increase)</li>
</ul>
<p>Not unexpectedly (for those watching the numbers), the Gumblar botnet dominated in 2009, at 14% of all Web malware blocks compared to Asprox (2%) and Zeus (1%). Overall, 19% of all Web malware were direct encounters with data theft trojans and 23% of all Web malware encounters were zero-day threats not blocked by signatures (but picked up by ScanSafe's Outbreak Intelligence). Also not a surprise - malicious PDFs were the most commonly encountered exploit, followed by Flash.</p>
<p>Overall, Web malware more than doubled throughout the year from an average of 8 encounters per day per customer at the beginning of 2009 to 19 encounters per day at the end of 2009.</p>
<p>The complete ScanSafe Annual Global Threat Report can be <a href="http://www.scansafe.com/downloads/gtr/2009_AGTR.pdf">downloaded here</a>.</p>]]></content:encoded></rss:item><rss:item rdf:about="http://blog.scansafe.com/journal/2010/1/21/microsoft-releases-out-of-band-ie-patch.html"><rss:title>Microsoft Releases Out-of-Band IE Patch</rss:title><rss:link>http://blog.scansafe.com/journal/2010/1/21/microsoft-releases-out-of-band-ie-patch.html</rss:link><dc:creator>Mary Landesman</dc:creator><dc:date>2010-01-21T22:58:35Z</dc:date><dc:subject></dc:subject><content:encoded><![CDATA[<p>Microsoft has released <a href="http://www.microsoft.com/technet/security/bulletin/MS10-002.mspx">MS10-002</a> in response to zero day exploits alleged to have been used in attacks on Google, Adobe, and numerous other companies in early December. Described as a 'cumulative security update for Internet Explorer', the patch includes fixes for at least 8 separate vulnerabilities impacting nearly all versions of Internet Explorer from 5 through 8.</p>]]></content:encoded></rss:item><rss:item rdf:about="http://blog.scansafe.com/journal/2010/1/14/mcafee-claims-ie-not-adobe-flaw-to-blame.html"><rss:title>McAfee Claims IE, not Adobe Flaw, to Blame</rss:title><rss:link>http://blog.scansafe.com/journal/2010/1/14/mcafee-claims-ie-not-adobe-flaw-to-blame.html</rss:link><dc:creator>Mary Landesman</dc:creator><dc:date>2010-01-15T00:48:00Z</dc:date><dc:subject></dc:subject><content:encoded><![CDATA[<p>Antivirus vendor McAfee is disputing <a href="http://news.cnet.com/8301-27080_3-10433744-245.html">earlier reports</a> that a zero day vulnerability in Adobe products was to blame for the attacks on Google. According to a statement by <a href="http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/">George Kurtz of McAfee</a>, the vendor is "working with multiple organizations that were impacted by this attack as well as the government and law enforcement. 
As part of our investigation, we analyzed several pieces of malicious code that we have confirmed were used in attempts to penetrate several of the targeted organizations." (McAfee has dubbed the incident "Aurora").</p>
<p>The McAfee report also stated that the malware they observed was targeting Internet Explorer 6. Microsoft has confirmed the vulnerability and released <a href="http://www.microsoft.com/technet/security/advisory/979352.mspx">security advisory 979352</a> regarding the incident. However, it is not clear from the McAfee statement whether Google is among those companies working with McAfee.</p>
<p>Compounding the question, of course, is the delicate matter of forensics. Even with very straightforward Web attacks, the attackers frequently switch out the malcode. In a highly targeted attack, every aspect of the attack can be swapped out for each specific target. On any given day, even with the most routine of compromises, malware and exploits used are often swapped to avoid detection, hamper forensics, or up the ante.</p>
<p>Further, exploits today are hardly static. The exploit that gets delivered is usually entirely dependent on the configuration of the victim's computer. It seems highly improbable that an attack described as "highly sophisticated and highly targeted" would rely solely on a zero day vulnerability in an outdated browser.</p>
<p>Compounding matters, Google discovered the additional corporate victims in the course of their own investigation, which obviously would have taken place after the breach was discovered. These victims were then notified by Google, thus any forensics they would have done would have been well after the fact and likely would not pertain specifically to the attack as it took place live. As such, despite the eagerness of all the fringe investigators, likely the only ones who actually know what zero day exploits were truly involved are the attackers themselves.</p>]]></content:encoded></rss:item></rdf:RDF>