Channel: Webroot Blog

Fake ‘October’s Billing Address Code’ (BAC) form themed spam campaign leads to malware


Have you received a casual-sounding email asking you to sign a Billing Address Code (BAC) form for October so that the Payroll Manager can proceed with the transaction? Based on our statistics, tens of thousands of users received these malicious spam emails over the last 24 hours, and the cybercriminal(s) behind them are clearly interested in growing their botnet through good old-fashioned ‘casual’ social engineering.

Sample screenshot of the spamvertised email:


Detection rate for the spamvertised malicious attachment: MD5: 36a685cf1436530686d1967b4a9d6680 – detected by 20 out of 46 antivirus scanners as Win32/TrojanDownloader.Waski.A.

Once executed, the sample starts listening on ports 7442 and 1666.

It then creates the following mutexes on the affected host:
Local\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Local\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Local\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Local\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Local\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Local\{911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A}
Global\{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}
Global\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Global\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Global\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Global\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Global\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Global\{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}
Global\{9D48A1E2-9183-66A5-11EB-B06D3016937F}
Global\{9D48A1E2-9183-66A5-75EA-B06D5417937F}
Global\{9D48A1E2-9183-66A5-4DE9-B06D6C14937F}
Global\{9D48A1E2-9183-66A5-65E9-B06D4414937F}
Global\{9D48A1E2-9183-66A5-89E9-B06DA814937F}
Global\{9D48A1E2-9183-66A5-BDE9-B06D9C14937F}
Global\{9D48A1E2-9183-66A5-51E8-B06D7015937F}
Global\{9D48A1E2-9183-66A5-81E8-B06DA015937F}
Global\{9D48A1E2-9183-66A5-FDE8-B06DDC15937F}
Global\{9D48A1E2-9183-66A5-0DEF-B06D2C12937F}
Global\{9D48A1E2-9183-66A5-5DEF-B06D7C12937F}
Global\{9D48A1E2-9183-66A5-95EE-B06DB413937F}
Global\{9D48A1E2-9183-66A5-F1EE-B06DD013937F}
Global\{9D48A1E2-9183-66A5-89EB-B06DA816937F}
Global\{9D48A1E2-9183-66A5-F9EF-B06DD812937F}
Global\{9D48A1E2-9183-66A5-E5EF-B06DC412937F}
Global\{9D48A1E2-9183-66A5-0DEE-B06D2C13937F}
Global\{9D48A1E2-9183-66A5-09ED-B06D2810937F}
Global\{9D48A1E2-9183-66A5-51EF-B06D7012937F}
Global\{9D48A1E2-9183-66A5-35EC-B06D1411937F}
Global\{9D48A1E2-9183-66A5-A9E8-B06D8815937F}
Global\{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}
Global\{2E1C200D-106C-D5F1-DBC9-BE58FA349D4A}

Drops the following files:
MD5: cf8ab39c0a2561eb9df2c22496d20b3b
MD5: 75fe668007e66601724af592f8ca8985
MD5: 6abdc5f7f9599e3971af4202cf4ed4da

It then phones back to the following C&C servers:
offensivejokescolin.com – 38.102.226.253
85.100.41.9
113.161.95.98
172.245.217.122
93.177.152.17
114.24.192.181
63.227.34.28
76.70.9.123
206.190.252.6
60.244.87.31
70.27.195.251
217.36.122.144
173.239.143.42
86.135.144.6
69.95.46.22
85.24.208.124
86.147.226.12
79.129.27.234
94.64.239.197
58.252.57.193
194.250.81.234
62.23.247.20
75.99.113.250
82.91.203.169
178.23.32.115
85.206.22.117
31.192.48.109
187.188.136.31
178.192.71.93
213.96.69.3

The following malicious MD5s are also known to have phoned back to the same C&C servers:
MD5: 3752b2f92671cd051a77b04fd2fed383
MD5: 6bafe2fc65cf34ae6f103121d9325416
MD5: 4ae6a46a228da040fe25db0f419ae727
MD5: ed52d9f9fcc60d12166905e359c99020
MD5: 74e5acef47b9c57c7756cf130e8d4805
MD5: 1888be386f701199b282840cc0c5354f
MD5: 1b2590ee13cf6bda134a162708f8270a
MD5: adb1e09a26a6b22090b23432f0547ba3
MD5: 9b57ac8d44cede55be2079a4b400fffd
MD5: b1e332efb4e83189c7f5e84bc93e205b
MD5: 6c67f2add5a6eacb4c69f9efdbbb8cde
MD5: e65c0fd804992ea7e246f2385e32a0e1
MD5: bba80e9fabb476830d5216f1fa264489
MD5: 4dfa5221aae9945989fd815342d19c12
MD5: 49969b7e553ee03707f1e3ef333c2406
MD5: 86680fde2ef1ab2681262d39369999e8
MD5: 8b45bf7f9f4104c1e15cca8eb7f80581
MD5: c7d1a47b80f7910a03db8fa9791d2aec
MD5: b899ba5037db4babda49603603912bb9
MD5: d3cd3c07a4f82ed30bbc0af597f5391a
MD5: a6cb214dc74fb7aadb22e732720daff0
MD5: 7b821616bf2a78472286d61c19e03bd1
MD5: 9f257f99a479d2f7b19c21255719a995
MD5: bc89a2185ab2f317a5a58e7a7c35daa8
MD5: 916c95e50ec4d6010a2818de50a94ff5
MD5: 32cfae63aa9be58e32829fe6c4f89a85
MD5: e40b6d4953b7923d52b0315429d16c10
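To make the indicators above actionable, here is a sweep script added to this post (it is not Webroot's tooling). It checks the artifacts an analyst typically has at hand, a proxy log, a file-hash inventory, a mutex/handle listing and netstat output, against the hashes, C&C hosts, mutex names and listen ports listed above. Every sample input in it is constructed; the log format, the two GUID-fragment mutex heuristics and the assumption that those fragments do not occur in benign software are mine, not the post's.

```python
"""IOC sweep for the 'Billing Address Code' Waski campaign described above.
Added example for this page, not Webroot's tooling. Checks proxy log lines,
a file-hash inventory, a mutex listing and netstat output against the
indicators the post lists. Sample inputs are constructed; indicators are not.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Indicators taken from the post (C2_IPS: the first eight of the list).
ATTACHMENT_MD5 = "36a685cf1436530686d1967b4a9d6680"
DROPPED_MD5S = {"cf8ab39c0a2561eb9df2c22496d20b3b",
                "75fe668007e66601724af592f8ca8985",
                "6abdc5f7f9599e3971af4202cf4ed4da"}
C2_DOMAINS = {"offensivejokescolin.com"}
C2_IPS = {"38.102.226.253", "85.100.41.9", "113.161.95.98", "172.245.217.122",
          "93.177.152.17", "114.24.192.181", "63.227.34.28", "76.70.9.123"}
LISTEN_PORTS = {7442, 1666}
MUTEX_NAMES = {r"Local\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}",
               r"Local\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}",
               r"Local\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}",
               r"Local\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}",
               r"Local\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}",
               r"Local\{911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A}"}
# Heuristics for the Global\ names: most share one GUID tail, the rest one
# GUID head. Assumption: neither fragment shows up in benign software.
MUTEX_TAIL = "-DBC9-BE58FA349D4A}"
MUTEX_HEAD = "{9D48A1E2-9183-66A5-"

# Constructed proxy log format: "<time> <client> <host-or-dash> <dst-ip>:<port>"
PROXY_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+"
                        r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$")
# Windows 'netstat -an' style line for a LISTENING socket.
LISTEN_LINE = re.compile(r"\s\S+:(\d+)\s+\S+\s+LISTENING")


def sweep_proxy_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(client, indicator) for every line that reached a C&C host or IP."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the sweep
        host, dst = m["host"].lower(), m["dst"]
        if host in C2_DOMAINS:
            hits.append((m["src"], host))
        elif dst in C2_IPS:  # direct-to-IP connections carry no host name
            hits.append((m["src"], dst))
    return hits


def sweep_hashes(inventory: Dict[str, str]) -> Dict[str, str]:
    """path -> 'attachment' or 'dropped' for every known-bad MD5."""
    hits = {}
    for path, md5 in inventory.items():
        md5 = md5.lower()  # hashing tools differ in hex case
        if md5 == ATTACHMENT_MD5:
            hits[path] = "attachment"
        elif md5 in DROPPED_MD5S:
            hits[path] = "dropped"
    return hits


def sweep_mutexes(names: Iterable[str]) -> List[str]:
    """Mutex names matching the post's list or its GUID fragments."""
    return [n for n in names
            if n in MUTEX_NAMES or n.endswith(MUTEX_TAIL) or MUTEX_HEAD in n]


def sweep_listeners(netstat_lines: Iterable[str]) -> List[int]:
    """The sample's listen ports on which some socket is LISTENING."""
    ports = {int(m.group(1)) for m in map(LISTEN_LINE.search, netstat_lines) if m}
    return sorted(ports & LISTEN_PORTS)


# Constructed sample inputs; 10.0.0.15 plays the infected client.
SAMPLE_PROXY_LOG = [
    "2013-12-05T10:01:02Z 10.0.0.15 www.example.com 93.184.216.34:80",
    "2013-12-05T10:01:09Z 10.0.0.15 offensivejokescolin.com 38.102.226.253:80",
    "2013-12-05T10:01:12Z 10.0.0.22 - 172.245.217.122:8080",
    "a line the parser cannot read",
]
SAMPLE_INVENTORY = {
    r"C:\Users\jsmith\Downloads\BAC_Form_October.exe": "36A685CF1436530686D1967B4A9D6680",
    r"C:\Users\jsmith\AppData\Local\Temp\upd.exe": "cf8ab39c0a2561eb9df2c22496d20b3b",
    r"C:\Windows\System32\notepad.exe": "4b2d0d42e5c3a6b28e9a0d1f9c7e6b55",
}
SAMPLE_MUTEXES = [r"Local\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}",
                  r"Global\{9D48A1E2-9183-66A5-11EB-B06D3016937F}",
                  r"Global\{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}",
                  r"Local\ZonesCounterMutex"]
SAMPLE_NETSTAT = ["  TCP    0.0.0.0:135     0.0.0.0:0   LISTENING",
                  "  TCP    0.0.0.0:7442    0.0.0.0:0   LISTENING",
                  "  TCP    0.0.0.0:1666    0.0.0.0:0   LISTENING",
                  "  TCP    10.0.0.15:49210 38.102.226.253:80  ESTABLISHED"]

if __name__ == "__main__":
    print(sweep_proxy_log(SAMPLE_PROXY_LOG), sweep_hashes(SAMPLE_INVENTORY))
    print(sweep_mutexes(SAMPLE_MUTEXES), sweep_listeners(SAMPLE_NETSTAT))
```

Only the first eight C&C IPs and the Local\ mutex names are embedded to keep the block short; paste the rest of the lists above into the sets for a full sweep. The GUID-fragment heuristics widen the net to the Global\ names, but treat a fragment-only hit as something to confirm against the process that owns the handle, not as proof on its own.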

Webroot SecureAnywhere users are proactively protected from these threats.

The post Fake ‘October’s Billing Address Code’ (BAC) form themed spam campaign leads to malware appeared first on Webroot Threat Blog.


Cybercrime-friendly VPN service provider pitches itself as being ‘recommended by Edward Snowden’


We’ve recently spotted a multi-hop, Russian, cybercrime-friendly VPN service provider, advertised (not syndicated) at a well-known cybercrime-friendly community, that relies on a fake celebrity endorsement to attract new customers: in this case it pitches itself as being recommended by ex-NSA contractor Edward Snowden. How have anonymization tactics evolved over the last couple of years? Have the bad guys been ‘innovating’ in order to cover the malicious/fraudulent online activity they orchestrate? Let’s discuss some of the current trends in this evergreen market segment within the cybercrime ecosystem.

Sample ad featured at the cybercrime-friendly community:


It didn’t take long for cybercriminals to realize the massive potential of abusing already-built botnets as anonymization infrastructure. Launching attacks through ‘stepping stones’, mixing purely malicious hosts with legitimate logs-free anonymization infrastructure, or setting up multi-hop cybercrime-friendly VPN services all added layers of anonymity to their Internet activities, relying on basic ‘risk-forwarding’ tactics: it is the compromised host, not the operator, that ends up in the victim’s logs. Next to these concepts, the de facto adoption of Socks4/Socks5 modules, found in a huge percentage of modern malware/crimeware releases, let opportunistic cybercriminals quickly monetize the market segment by offering the same capabilities to others as ‘cybercrime-as-a-service’.

Throughout 2013, we continued to observe a steady supply of “hacked-PCs-as-a-service”, with some of the market-leading, well-known vendors still in operation. Moreover, thanks to the general availability of Socks4/Socks5-converted anonymization hosts, we also continue to observe a steady supply of CAPTCHA-solving, proxy-supporting DIY automatic account registration/brute-forcing tools, Denial of Service (DoS) attack tools relying on hacked/compromised PCs, as well as what is now a de facto standard in the cybercrime ecosystem: APIs that supply fellow cybercriminals with fresh IPs that still have a clean IP reputation.

We expect to keep seeing a mix of purely malicious infrastructure and legitimate logs-free infrastructure used to anonymize a cybercriminal’s online activities, successfully bypassing the data retention regulations in place.


Commercial Windows-based compromised Web shells management application spotted in the wild


For years, whenever I needed a fresh sample of pharmaceutical scams, I sampled the Web sites of major educational institutions, where a thriving ecosystem built on compromised Web shells continues to exploit the high page rank of the affected sites for blackhat SEO (search engine optimization). How do cybercriminals manage these campaigns? What tools and tactics do they use? In a cybercrime ecosystem that has, for a variety of reasons, logically migrated to Web-based platforms over the last couple of years, there are still those who keep it old school by releasing host-based DIY cybercrime-friendly applications. In this post, I’ll discuss a commercially available Windows-based application for managing compromised/hacked Web shells.

Sample screenshots of the application in action:


Among the tool’s features are the ability to check whether the supplied compromised/hacked shells are still valid, modification options such as changing passwords and updating the redirectors, and the ability to change .htaccess. Compared to a similar application we profiled in July 2013, we believe that in its current form the tool profiled in this post lacks the capacity for widespread, hard-to-detect mass abuse of compromised/hacked shells.

In 2013, insecurely configured Web applications susceptible to remote exploitation (think Remote File Inclusion), the active mining of a botnet’s infected population for credentials, and good old-fashioned brute-forcing attempts continue to supply the market for compromised/hacked Web shells with fresh account data, most commonly abused in typical blackhat SEO style and monetized through an affiliate network. We expect this trend to continue, alongside what we believe is a resurrection of a proven process for monetizing compromised access to a legitimate Web site: cybercrime-friendly traffic exchanges.


Today’s “massive” password breach: a Webroot perspective


First, this is not a post about a big corporate breach or a massive new discovery. Rather, researchers at Trustwave gained access to the controller interface (the C&C element) of a botnet built on the Pony credential-stealing malware and revealed the data it held. Not surprisingly, as the vast majority of botnets target user credentials, this controller held a good deal of password data. While 2 million passwords might seem like a lot, it is a drop in the bucket compared to many recent breaches. Think of Adobe, which lost a minimum of 28 million, and rumored to be closer to 130 million, login credentials to its services. Combine this with the fact that many people use the same password for all of their online accounts.

Webroot SecureAnywhere users are protected against botnet and keylogging malware in a number of ways. First, we have great visibility into the threats our users are encountering and in the vast majority of cases are able to instantly identify malicious software, including those which record keystrokes – even commercially available keyloggers. Second, we have layered technology which looks to neutralize applications which aim to record keystrokes or screenshots. Webroot’s Identity Shield looks at over 2 dozen specific tactics used by these applications and prevents data collection from unknown applications.

While the Trustwave blog is interesting from a password strength perspective, as many of the recorded passwords were very weak, it isn’t groundbreaking news, or even the largest discovery of its kind. What it is, is confirmation that this type of information is highly valuable and that cybercriminals are using every tool available to compromise online user accounts. It is also a good reminder that a strong password policy, even for your personal accounts, is a good way to improve your security. After all, a compromised password can be fixed by resetting it; a reused one has to be reset everywhere it was used.

Read the CNN article on Trustwave’s discovery here: http://money.cnn.com/2013/12/04/technology/security/passwords-stolen/


Compromised legitimate Web sites expose users to malicious Java/Symbian/Android “Browser Updates”


We’ve just intercepted a currently active malicious campaign that relies on redirectors placed on compromised/hacked legitimate Web sites to hijack their traffic and expose it to malicious/fraudulent content targeting multiple mobile operating systems. In this case it is a bogus “Browser Update” that is in reality premium-rate SMS malware.

Sample screenshot of the landing page upon automatic redirection:


Landing page upon redirection: hxxp://mobleq.com/e/4366

Domain name reconnaissance:
mobleq.com – 91.202.63.75

The following malicious domains are also known to have resolved to the same IP:
700cams.com
adflyse.biz
android-loads.biz
androids-free.net
androiduptd.ru
androidwapupdate.info
antivirus-updatesup.ru
best-ponoz.ru
bests-cafe.ru
bilmobz.ru
bovkama.ru
chenyezhe.ru
clipsxxx-erotub.ru
critical-mobiles.ru
downapp.mobi
downloadit.biz
downloads-apk-games.ru
ero-home-tube.net
ero-odkl.ru
exmoby18.ru
ffmobistream.ru
ffreemob.ru
filemobileses.ru
flv-criticalnews.ru
galaxy-comp.ru
game-for-androis.ru
gdz-allnews.ru
gosal.ru
imobit.ru
javamix-games.ru
jmobf.ru
jmobi.net
jsfilemobile.ru
jugar-online.ru
kinope4ka.com
lobimob.ru
luganets.ru
mabilkos.ru
market-soft-android.ru
marketandroidplay.ru
mitstoksot.tk
mobi-klik-ok.ru
mobicheck2.ru
mobidick7a1.ru
mobilabs.biz
mobileup-news.ru
mobiseks.ru
mobitraf.net
moblabes.ru
mobleq.com
moblik.net
moblius.ru
moblob.ru
mobqid.ru
mobsob.ru
mobuna.net
moby-aa.ru
mobyboom.ru
mollius.ru
mombut.ru
mp3-pesni.ru
mp3-pesnja.ru
mtr7.ru
muzico-server4.ru
neolemsan.ru
odmobil.ru
odnoklassniki-android1.ru
odnoklassniki-android7.ru
odnoklassniki-androidmobi.ru
odnoklassniki-mobile1.ru
olcocom.ru
old-games.ws
omoby.net
otdacham.ru
pornforjoin.ru
pornushniks.ru
relaxtube.ru
rrmobi.net
s1.krash.net
sexpirat.ru
sfsss.ru
sotsialniiklimat.ru
tampoka.ru
tstomoby.ru
tubevubes.ru
vkoterske.ru
vpleer-server3.ru
vzlomaandroid.ru
waprus.tk
wildmob.net
wwwmobitds.ru
xlovs.ru
xmassne.ru
xmoblz.ru

Detection rates for the variants targeting the different mobile platforms:
MD5: a4b7be4c2ad757a5a41e6172b450b617 – detected by 13 out of 46 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.Stealer.a
MD5: 1a2b4d6280bae654ee6b9c8cfe1204ab – detected by 4 out of 48 antivirus scanners as Java.SMSSend.780; TROJ_GEN.F47V1117
MD5: 2ff587ffb2913aee16ec5cae7792e2a7 – detected by 0 out of 48 antivirus scanners

Webroot SecureAnywhere users are proactively protected from these threats.


Staying safe while doing holiday shopping online


In this edition of the Webroot ThreatVlog, Grayson Milbourne talks about the threats that exist online in the holiday shopping craze. As more and more money is spent online, criminals are becoming more skilled at stealing all sorts of personal information, from credit card numbers to identifying credentials. As with all shopping, common sense is necessary, and with the tips and tricks provided, you will be even more protected while finding that perfect gift online.


Cryptolocker Ransomware and what you need to know


The basics
The ransomware known as Cryptolocker has been prominent in the media lately, and is one we’re asked about often. Ransomware in general is nothing new; we have seen ransomware that hijacked your desktop wallpaper and demanded payment for several years now. But while the older ransomware was rather easily removed, Cryptolocker has taken ransomware to a new level. Cryptolocker encrypts files (primarily documents, but also images and other file types) on your computer and on any network drives that computer has access to, using strong encryption, and then demands payment within a 72-hour period to get the files decrypted. It uses public-key encryption: the key needed to decrypt the files is a private key that exists only on the attackers’ side, so there is no way to decrypt the files without paying the ransom for it. Removing the malware does not recover the files.

What you can do to help prevent infection in the first place and minimize the damage
Run up-to-date security software such as Webroot SecureAnywhere. As with any malware, blocking it in the first place is the best defense.

Since Cryptolocker is typically installed through malicious email attachments, familiarize yourself (and your employees) with how to identify potentially malicious and suspicious emails. This will not just help protect against Cryptolocker; email attachments are a delivery method commonly used by all flavors of malware.

Isolate an infected computer from any network drives at the first sign of infection. Unplug the network cable or disable the wireless connection. This is especially important in Enterprise (Business) environments in order to help prevent files on network drives from being encrypted.


Cryptolocker is easily identified by its “Payment Countdown” window


Some Cryptolocker variants also change your desktop background with additional information in case your antivirus has removed the Cryptolocker files and you still wish to pay the ransom to recover your files.

Backup, backup, backup. You should be backing up your essential files anyway, and you could look at Cryptolocker as a brutal reminder why backups are so essential. Off-site or cloud backup is highly recommended, as off-site backup has long been an essential part of any Disaster Recovery Plan. If you are a home user backing up to a removable drive, be sure to disconnect it when not in use since Cryptolocker can encrypt your backup files on the external drive.
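The “isolate at the first sign” advice needs a first sign. The following check, added here and not Webroot’s code, looks for the trace Cryptolocker leaves on a file share: documents that have lost the header their format requires, text files whose bytes have become random, and a decoy document nobody should ever modify. It builds a small share in a temporary directory, so everything in it is constructed; the thresholds (7.5 bits per byte, half of the recently modified documents) and the canary file name are assumptions.

```python
"""Mass-encryption check for a file share. Added example for this page, not
Webroot's code. Looks for what Cryptolocker leaves on disk: documents that
no longer carry their format's header, text files whose bytes look random,
and a canary document that should never change. The share is constructed.
"""
import hashlib
import math
import os
import tempfile
import time
from pathlib import Path

# Leading bytes each structured format must start with; a file that keeps
# its extension but loses this header has been overwritten.
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pdf": b"%PDF",
         ".jpg": b"\xff\xd8\xff", ".doc": b"\xd0\xcf\x11\xe0"}
TEXT_EXTENSIONS = {".txt", ".csv", ".xml", ".html"}
HIGH_ENTROPY = 7.5   # bits/byte; ciphertext sits near 8.0, English text near 4.5
ALERT_RATIO = 0.5    # assumption: half of the recent documents damaged = alert
CANARY_NAME = "_do_not_touch.docx"  # assumption: a name users will leave alone


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path) -> bool:
    """True if the content no longer matches what the extension says it is."""
    data = path.read_bytes()[:65536]  # the first 64 KiB is enough to judge
    if len(data) < 16:
        return False  # too small to judge either way
    ext = path.suffix.lower()
    if ext in MAGIC:
        return not data.startswith(MAGIC[ext])
    if ext in TEXT_EXTENSIONS:
        return shannon_entropy(data) >= HIGH_ENTROPY
    return False  # compressed or unknown formats give no reliable signal


def deploy_canary(root: Path) -> str:
    """Write a decoy document nobody should touch; return its SHA-256."""
    body = b"PK\x03\x04" + b"canary document, do not edit " * 8
    (root / CANARY_NAME).write_bytes(body)
    return hashlib.sha256(body).hexdigest()


def scan_share(root: Path, canary_digest: str, window: float = 600.0) -> dict:
    """Judge files modified in the last `window` seconds, plus the canary."""
    now = time.time()
    recent = damaged = 0
    for p in root.rglob("*"):
        if not p.is_file() or now - p.stat().st_mtime > window:
            continue
        if p.suffix.lower() in MAGIC or p.suffix.lower() in TEXT_EXTENSIONS:
            recent += 1
            damaged += looks_encrypted(p)
    canary = root / CANARY_NAME
    canary_ok = (canary.is_file()
                 and hashlib.sha256(canary.read_bytes()).hexdigest() == canary_digest)
    ratio = damaged / recent if recent else 0.0
    return {"recent": recent, "damaged": damaged, "ratio": ratio,
            "canary_ok": canary_ok,
            "alert": (not canary_ok) or ratio >= ALERT_RATIO}


# Constructed sample share: four ordinary documents.
def build_sample_share(root: Path) -> None:
    root.mkdir(parents=True, exist_ok=True)
    (root / "budget.docx").write_bytes(b"PK\x03\x04" + b"word/document.xml" * 40)
    (root / "contract.pdf").write_bytes(b"%PDF-1.4\n" + b"1 0 obj <<>> endobj\n" * 40)
    (root / "notes.txt").write_bytes(b"Quarterly notes for the board. " * 100)
    (root / "logo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + bytes(range(256)) * 8)


def simulate_encryptor(root: Path) -> None:
    """Stand-in for the malware's effect only: each file is overwritten in
    place with random bytes of the same length (no key, nothing recoverable)."""
    for p in root.rglob("*"):
        if p.is_file():
            p.write_bytes(os.urandom(p.stat().st_size))


def demo():
    """Return the alert flag before and after the simulated encryption."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "finance"
        build_sample_share(share)
        digest = deploy_canary(share)
        before = scan_share(share, digest)
        simulate_encryptor(share)
        after = scan_share(share, digest)
    return before["alert"], after["alert"]


if __name__ == "__main__":
    print("alert before/after:", demo())
```

Two design points. The header check, not entropy, carries the structured formats: a .docx is a ZIP and a .jpg is already compressed, so both sit near 8 bits per byte even when healthy, and only the lost magic bytes tell them apart from ciphertext. And the canary is the cheaper signal: it needs no threshold, and a hash mismatch on a file nobody is supposed to open is reason enough to pull the cable.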

Other Webroot resources on Cryptolocker

http://images.saas.webroot.com/Web/Webroot/%7bd4d3ba36-c6b8-43f7-944e-19c486dbcd31%7d_Cryptolocker.pdf

https://community.webroot.com/t5/Webroot-Education/CryptoLocker-Malware-What-you-still-need-to-know/ta-p/69057#.Up5vpsRDt1Z


Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits – part two


Ever since we exposed and profiled the evasive, multi-hop, mass iframe campaign that affected thousands of Web sites in November, we have continued to monitor it, expecting that the cybercriminal(s) behind it would keep operating it and simply switch to new infrastructure once the one exposed in that post got blacklisted, undermining the campaign’s impact internationally. Not surprisingly, we were right. The campaign is not only still proliferating, but the adversaries behind it have also (logically) switched hosting infrastructure. Let’s dissect the currently active malicious iframe campaign, which continues to serve a cocktail of (patched) client-side exploits to users visiting legitimate Web sites.

Sample screenshot of one of the malicious scripts:


Redirection chain: harshimadhaparia.com/libraries/domit/domit/all2.php -> roiauctionsstore.com/templates/beez/1.php -> hxxp://www3.hotzofix.kjyg.com or hxxp://www3.judtn3qyy1yv-4.4pu.com -> hxxp://www1.gtyg4h3.4pu.com/i.html -> hxxp://www1.gtyg4h3.4pu.com/nnnnvdd.html -> hxxp://www1.gtyg4h3.4pu.com/pdfx.html -> hxxp://www1.gtyg4h3.4pu.com/taftaf.html -> hxxp://www1.gtyg4h3.4pu.com/fnts.html -> find-and-go.com/?uid=10088&isRedirected=1

Domain names reconnaissance:
hxxp://www3.judtn3qyy1yv-4.4pu.com – 188.116.34.246
hxxp://www1.gtyg4h3.4pu.com – 188.116.34.246
find-and-go.com – 78.47.4.178

The following malicious domains are also known to have resolved to the same IP (188.116.34.246):
hxxp://www1.a36p7sillle3u8.4pu.com
hxxp://www1.a8ob5zb0gl0ci3.4pu.com
hxxp://www1.azpbn5279isyhovf5.4pu.com
hxxp://www1.b-2wx8s0z64i30k2j.4pu.com
hxxp://www1.d0okhcwq9mt1lupg3.4pu.com
hxxp://www1.e6nsivn331lw8.4pu.com
hxxp://www1.evz4qr6.4pu.com
hxxp://www1.ftmfuugbx3hj13.4pu.com
hxxp://www1.g3buqxs3.4pu.com
hxxp://www1.gtyg4h3.4pu.com
hxxp://www1.h2qxs1vj3x73w0.4pu.com
hxxp://www1.hknbyl6lbm18-2.4pu.com
hxxp://www1.i-2kf6l3i.4pu.com
hxxp://www1.i-pf8jnyhg6tn43.4pu.com
hxxp://www1.iwywekgu03rpgvzw4.4pu.com
hxxp://www1.j1akhhmw3rzjdcvf.4pu.com
hxxp://www1.j5slm5tom0yr9.4pu.com
hxxp://www1.jccydfg38zi34.4pu.com
hxxp://www1.jxka0hpqxthfm2.4pu.com
hxxp://www1.k78xp1x3.4pu.com
hxxp://www1.l7f5rmwvixm01r.4pu.com
hxxp://www1.ltb8i8sy66i5.4pu.com
hxxp://www1.myf48ql3.4pu.com
hxxp://www1.n82dj5qko2qe2q.4pu.com
hxxp://www1.olf4wmrg6toj6.4pu.com
hxxp://www1.p-76pxg3d.4pu.com
hxxp://www1.pjpgqbu1.4pu.com
hxxp://www1.px0wgrpg3ox769.4pu.com
hxxp://www1.px5qhf32.4pu.com
hxxp://www1.q-3bxzjy6qh9s6gve7.4pu.com
hxxp://www1.q9ux2132yf4u29wt.4pu.com
hxxp://www1.qnilrhnnny6go9.4pu.com
hxxp://www1.s-0natmmjzkqhy7.4pu.com
hxxp://www1.sl5gn3q6g75f8.4pu.com
hxxp://www1.sus3cpv6c0if6.4pu.com
hxxp://www1.sxeyw56ov0qyxtir-5.4pu.com
hxxp://www1.szk0zxdsfy72f3.4pu.com
hxxp://www1.tbt2r99ldyrr6.4pu.com
hxxp://www1.ur8sc24ojzyjr5.4pu.com
hxxp://www1.y48939gqmhrhjw.4pu.com
hxxp://www1.y6vymtqeg345cg.4pu.com
hxxp://www1.y7odtnqghhxziqjv.4pu.com
hxxp://www1.yec2nmr3.4pu.com
hxxp://www1.zk56z207.4pu.com
hxxp://www1.ztrazr0uggov1.4pu.com
hxxp://www2.e0nn25vfmhyreuvtc.apfi.biz
hxxp://www2.nxzdez09py3jv6.apfi.biz
hxxp://www2.p8ipv5zy5iiyt4.apfi.biz
hxxp://www2.q4sji17b.apfi.biz
hxxp://www3.a8c798u76egdul.4pu.com
hxxp://www3.d4kzsrl9f9t4-3.4pu.com
hxxp://www3.flv5yvarxot5.4pu.com
hxxp://www3.g-3biuiylzma2hft.4pu.com
hxxp://www3.hotzofix.kjyg.com
hxxp://www3.j9hdbwok.4pu.com
hxxp://www3.k3dfewr00vok.4pu.com
hxxp://www3.p0k8oz7.4pu.com
hxxp://www3.q3bxxws9ispsz.4pu.com
hxxp://www3.t3rk5zajpzpm4i.4pu.com
hxxp://www3.u-6zklvj2w66448oy9.4pu.com
hxxp://www3.vxqq241.4pu.com
hxxp://www3.xkdav1z3.4pu.com

Detection rates for the malicious scripts and the dropped malicious files:
MD5: fe0e411c124ae75dad81f084244098c3 – detected by 1 out of 48 antivirus scanners as Mal/FakeAvJs-A
MD5: 89821fa040ddaa7e3c0c6e250cd67818 – detected by 9 out of 48 antivirus scanners as HEUR:Exploit.PDF.Generic; Exploit:Win32/Pdfjsc.AKB
MD5: b458e58e99d9464d931086e9d9c77501 – detected by 9 out of 47 antivirus scanners as Script/PDF.Exploit; HEUR_PDFJS.STREM
MD5: 2ec944c70459c55280ece012224cfe66 – detected by 9 out of 46 antivirus scanners as Trojan.Script.Heuristic-pdf.gutwr
MD5: e892136518ab2a4ca0e76bf8973d3fc5 – detected by 9 out of 46 antivirus scanners as Exploit:Win32/Pdfjsc.AKB
MD5: b4113f99a2c68f7e051b351a846e1886 – detected by 3 out of 46 antivirus scanners as TTF:CVE-2011-3402 [Expl]; Exploit.Win32.CVE-2011-3402.a

Webroot SecureAnywhere users are proactively protected from these threats.
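The three campaigns described on this page, the Web shell manager that edits .htaccess and redirectors, the mobile-only “Browser Update” redirectors on compromised sites, and the injected iframes and PHP redirectors in the chain above, all leave the same kind of trace in a site’s document root. The scanner below, added here as an example (it is not Webroot’s code), walks a webroot and flags hidden iframes pointing off-site, PHP files that redirect off-site or hide code behind eval(gzinflate(base64_decode(...))), and .htaccess RewriteRules that send only search-engine referrals or mobile user agents elsewhere. The sample tree is constructed: the redirect targets are the ones in the posts, doorway.invalid stands in for an SEO doorway, and example.org is the assumed hostname of the scanned site.

```python
"""Webroot scanner for the injections this page describes. Added example,
not Webroot's code: hidden off-site iframes, PHP redirectors and obfuscated
PHP, and .htaccess rewrites that cloak a redirect behind a search-engine
referrer or a mobile user agent. The sample site below is constructed.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import List, Tuple
from urllib.parse import urlparse

SITE_HOST = "example.org"  # assumption: the scanned site's own hostname
WEB_EXTENSIONS = {".php", ".html", ".htm", ".js"}

HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*?(?:(?:width|height)\s*[:=]\s*[\"']?\s*[01](?:px)?\b"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>", re.I | re.S)
IFRAME_SRC = re.compile(r"src\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.I)
PHP_REDIRECT = re.compile(r"header\s*\(\s*[\"']Location:\s*(https?://[^\"']+)", re.I)
PHP_OBFUSCATION = re.compile(
    r"(?:eval|assert)\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I)
REWRITE_COND = re.compile(r"^\s*RewriteCond\s+%\{(HTTP_REFERER|HTTP_USER_AGENT)\}", re.I)
REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.I)
ERROR_DOC = re.compile(r"^\s*ErrorDocument\s+\d{3}\s+(https?://\S+)", re.I)

Finding = Tuple[str, str, str]  # (relative path, kind, detail)


def off_site(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return bool(host) and host != SITE_HOST and not host.endswith("." + SITE_HOST)


def scan_htaccess(text: str) -> List[Tuple[str, str]]:
    """Flag RewriteRules that send referrer- or UA-selected visitors off-site."""
    findings, conds = [], []
    for line in text.splitlines():
        m = REWRITE_COND.match(line)
        if m:
            conds.append(m.group(1).upper())
            continue
        m = REWRITE_RULE.match(line)
        if m:
            if conds and off_site(m.group(1)):
                findings.append(("cloaked_redirect", f"{conds[0]} -> {m.group(1)}"))
            conds = []  # RewriteCond lines only govern the next RewriteRule
            continue
        m = ERROR_DOC.match(line)
        if m and off_site(m.group(1)):
            findings.append(("external_errordocument", m.group(1)))
    return findings


def scan_file(path: Path, root: Path) -> List[Finding]:
    rel = path.relative_to(root).as_posix()
    text = path.read_text(errors="replace")
    if path.name == ".htaccess":
        return [(rel, kind, detail) for kind, detail in scan_htaccess(text)]
    if path.suffix.lower() not in WEB_EXTENSIONS:
        return []
    out: List[Finding] = []
    for m in HIDDEN_IFRAME.finditer(text):
        src = IFRAME_SRC.search(m.group(0))
        if src and off_site(src.group(1)):
            out.append((rel, "hidden_iframe", src.group(1)))
    if path.suffix.lower() == ".php":
        out += [(rel, "php_redirector", m.group(1))
                for m in PHP_REDIRECT.finditer(text) if off_site(m.group(1))]
        out += [(rel, "obfuscated_php", m.group(0)) for m in PHP_OBFUSCATION.finditer(text)]
    return out


def scan_tree(root: Path) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings += scan_file(Path(dirpath) / name, root)
    return sorted(findings)


# Constructed site: two legitimate files and three injected ones.
SAMPLE_TREE = {
    "index.html": ('<iframe src="https://www.youtube.com/embed/x" width="560" height="315"></iframe>\n'
                   '<iframe src="http://www1.gtyg4h3.4pu.com/i.html" width="1" height="1" '
                   'style="visibility:hidden"></iframe>\n'),
    "contact.php": '<?php header("Location: http://example.org/thanks.php"); ?>\n',
    "templates/beez/1.php": '<?php header("Location: http://www3.hotzofix.kjyg.com/"); exit; ?>\n',
    "libraries/domit/domit/all2.php": "<?php eval(gzinflate(base64_decode('H4sIAAAA'))); ?>\n",
    ".htaccess": ("RewriteEngine On\n"
                  "RewriteCond %{HTTP_USER_AGENT} (android|iphone|symbian) [NC]\n"
                  "RewriteRule ^ http://mobleq.com/e/4366 [R=302,L]\n"
                  "RewriteCond %{HTTP_REFERER} google\\.|bing\\. [NC]\n"
                  "RewriteRule ^(.*)$ http://doorway.invalid/$1 [R,L]\n"
                  "RewriteCond %{REQUEST_FILENAME} !-f\n"
                  "RewriteRule ^(.*)$ index.php [L]\n"),
}


def demo() -> List[Finding]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_TREE.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

Expect noise on a real site: a payment integration may legitimately redirect off-site from PHP, and a 1x1 analytics iframe will trip the hidden-iframe rule, so the output is a list of files to read, not a verdict. The patterns also cover only the tricks named on this page; a diff of the webroot against a known-good copy or the package manifest catches the rest, and the referrer-only cloaking is exactly why fetching the site yourself with a normal browser shows nothing.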



How cybercriminals efficiently violate YouTube, Facebook, Twitter, Instagram, SoundCloud and Google+’s ToS


With social media now an inseparable part of every modern organization’s marketing expenditure, cybercriminals have quickly adapted to the ongoing buzz and, over the last couple of years, have persistently supplied the market with social media metrics ‘performance boosts’ in the form of bogus likes, dislikes, comments, favorites, subscribers, and video/music plays. This process, made possible largely by the massively undermined CAPTCHA bot-vs-human verification practice (which yields automatically registered accounts) and by the persistent mining of malware-infected hosts for social media account credentials, continues to scale, allowing both individuals and organizations to superficially boost their social media reputation. In this post, I’ll discuss a recently sampled service of this kind, offering an unlimited number of likes, dislikes, comments, favorites, subscribers and video/music plays, that is monetizing either automatically registered accounts, compromised legitimate accounts, or, as we believe, a mix of both in an attempt to meet the demand for its services.

Sample screenshots of the service’s offerings:


Not only do such services violate the Terms of Service of the targeted Web properties, they also deny those properties revenue and potentially undermine the core assumption of the service, namely that each account belongs to an authenticated, legitimate human. With more services offering access to compromised social networking accounts popping up on our radar, in combination with commercially available API-supporting, CAPTCHA-bypassing automatic account registration tools, we expect cybercriminals to continue monetizing this persistent and efficient abuse of social networks’ ToS.

We advise users to be suspicious when receiving social media content from an entity whose updates they didn’t opt in to receive, a sign of possibly compromised accounts abused by the type of service discussed in this post, and to enable two-factor authentication, next to any additional security measures offered by the social network in question.


Tumblr under fire from DIY CAPTCHA-solving, proxies-supporting automatic account registration tools


Next to the traffic acquisition tactics ubiquitous in the cybercrime ecosystem, such as blackhat SEO (search engine optimization), malvertising, embedded/injected redirectors/doorways on legitimate Web sites, purpose-built malicious infrastructure, and social-engineering-driven spam campaigns, cybercriminals are also masters at using social media to attract traffic to their fraudulent/malicious campaigns. From the efficient abuse of Craigslist to the systematic generation of rogue/bogus/fake Instagram, YouTube, and email accounts, automatic account generation continues to drive a cybercriminal’s fraudulent business model, and naturally lays the foundations for malicious campaigns that could materialize at any point in time.

In this post, I’ll discuss a commercially available automatic account registration tool that is successfully targeting Tumblr, highlight its core features, and discuss the tactics through which its users could abuse access to these automatically registered accounts.

 

Sample screenshots of the commercial license-based tool in action:


Next to being multi-threaded, the tool possesses basically every feature an automatic account registration tool has these days. Support for proxies (Socks4/Socks5-enabled malware-infected hosts) and built-in API support for one of the major CAPTCHA-solving-as-a-service cybercrime-friendly propositions are poised to ensure the success of any campaign abusing Tumblr for automatic account registration. How would cybercriminals abuse this access? They will either sell the inventory of automatically registered accounts to those who’d abuse it in a purely malicious way, or launch a campaign of their own and monetize the traffic through an affiliate network. The most recent example of this type of abuse was described in a blog post at the Internet Storm Center (ISC), where cybercriminals relied on Tumblr redirects to expose users to malware and Facebook phishing pages. That campaign is just the tip of the iceberg in an extensive ecosystem built by cybercriminals for social engineering purposes.

We’ll continue discussing emerging developments taking place within this market segment for automatic account registration tools and will report as soon as new developments take place.


Mobile Security 2014: Predictions


The most recent and interesting threats we see are more or less “evolved” forms of previous threats, including ones that originated on the PC side. People have been “spoofing” parts of apps, such as code, appearance, or digital certificates, since Android malware first started appearing. The MasterKey exploit was a whole new way to modify an app without having to spoof anything, since it allowed an application to be changed without invalidating its existing digital signature. It’s also very interesting to see how threats like Zitmo or RAT-type apps get better and better at mirroring the PC versions of those threats.

For instance, Zitmo (Zeus in the mobile) seems to always come from the same template, afterwards customized to mimic various authentication or banking apps, similar to the PC version. In general, what are most interesting are those threats which appear to be getting better and better at these techniques considered mainstays of PC malware. We don’t expect to stop seeing these types of developments in many of the different threats seen around the Android landscape.

Our top 5 predictions:

  • More PC-side infections ported to Android, especially Ransomware
  • Increasingly-sophisticated obfuscation techniques
  • Increasingly-sophisticated packing techniques
  • Greater focus on social engineering within Android malware
  • At least one new exploit similar to the level/severity of MasterKey

Stay protected!
There are many ways to change your habits and use security software to help prevent catching a bug on your Android device. When downloading apps, know where you are getting them from. Though not foolproof, the Google Play Store is still, by far, the safest place to get apps for your Android devices.


Use Android security software to protect your devices, such as Webroot SecureAnywhere. There are many other apps which will provide additional help identifying various risky behaviors, settings, or software on your phone as well. Furthermore, the Android operating system gets more secure and informative every day, allowing users to better understand the permissions and risks behind their apps.

Lastly, keep up on the latest Android news! It’s super easy with all the great news outlets, blogs, and Twitter feeds out there. If it’s hot, new, or just plain interesting, you can count on many tech news outlets, including the Webroot Threat Blog, to post or comment about it.

The post Mobile Security 2014: Predictions appeared first on Webroot Threat Blog.

Newly launched ‘HTTP-based botnet setup as a service’ empowers novice cybercriminals with bulletproof hosting capabilities – part three

In a series of blog posts throughout 2013, we emphasized the lowering of the entry barriers into the world of cybercrime, largely made possible by the rise of managed services, the re-emergence of the DIY (do-it-yourself) trend, and the development of niche market segments, like the practice of setting up and offering bulletproof hosting for a novice cybercriminal’s botnet generating platform. The proliferation of these easy to use tools, once only found in the arsenal of sophisticated cybercriminals, is the direct result of cybercrime ecosystem leaks, cracked/pirated versions, or a community-centered approach applied by their authors, who sometimes rely on basic ‘freemium’ marketing models, namely, offering a free and a paid/licensed version of their cybercrime-friendly tools.

Not surprisingly, we continue to observe the development of the niche market segment targeting novice cybercriminals, empowering them with botnet setup services, as well as bulletproof hosting for their command and control infrastructure. In this post, I’ll discuss yet another such cybercrime ecosystem market proposition, one that differentiates its unique value proposition (UVP) by vertically integrating (offering binding of Bitcoin miners and malware crypting services) as well as offering the option to set up a dozen well-known IRC/HTTP based botnet generating tools.

Sample screenshots of the cybercrime-friendly underground market ad:


The PerfectMoney, Bitcoin, Skrill, WMZ and PayPal accepting service offers bulletproof hosting servers in Russia and Ukraine, as well as the option to include “pre-rooted” malware infected hosts with each and every setup, as a means to give novice cybercriminals a performance boost, helping them set up the foundations for successful campaigns. There are multiple ways through which such services are made commercially available to novice cybercriminals. The vendor can either set up a purely malicious infrastructure, basically ignore all abuse notifications, and then promptly migrate the customer base to a new location upon getting blacklisted, or it can rely on the popular franchise/affiliate-based type of partnership with established hardcore cybercriminal bulletproof hosting providers, outsourcing the bulletproof hosting itself to experienced cybercriminals while securing new customers for them.

We expect to continue observing a steady increase in international underground market propositions for one-stop cybercrime E-shops, with the vendors behind these services continuing to directly lower the entry barriers into the world of cybercrime.

The post Newly launched ‘HTTP-based botnet setup as a service’ empowers novice cybercriminals with bulletproof hosting capabilities – part three appeared first on Webroot Threat Blog.

Cybercriminals offer fellow cybercriminals training in Operational Security (OPSEC)

In need of a fresh example that malicious and fraudulent adversaries continue professionalizing and standardizing in-demand cybercrime-friendly products and services, all for the sake of monetizing their experience and expertise in the profitable world of cybercrime? Publicly launched around the middle of 2013, a product/training course targeting novice cybercriminals offers them a manual, recommendations for open source/free software, as well as access to a private forum set up for customers only, enlightening them on everything a cybercriminal needs to know in order to stay secure and anonymous online. The standardized OPSEC offering targets novice cybercriminals, and also has an interesting discount-based system, offering $10 discounts for each piece of feedback from those who’ve already taken the course.

Sample screenshots advertising the product/standardized training course:


What does the OPSEC manual cover?

  • Basic host security
  • Setting up Virtual Machines
  • Setting up encrypted backups
  • Setting up and securely using email clients
  • Setting up a firewall
  • Basics of OpenVPN and i2p
  • Basics of Bitcoin use
  • How to configure popular browsers for maximum security and anonymity
  • How to use Socks4/Socks5 servers (malware infected hosts)
  • How to anonymously use the most popular Web payment processors such as WebMoney, Yandex etc.
  • How to securely communicate online using free/public/community tools

Next to the actual manual/standardized training course, the vendor has also set up a cybercrime-friendly community to be used exclusively by his customers, to further discuss related anonymization/OPSEC tactics.

Sample screenshots of the ad promoting the cybercrime-friendly community set up exclusively for customers:


The price for the training package? $40 for the manual and access to the forum, or $30 for the manual and access to the forum in case the customer provides relevant feedback about the product/training course. Over the years, we’ve seen numerous attempts to standardize knowledge, either through localization (translating the original documents), or through similar training courses aiming to educate cybercrime-friendly ‘knowledge workers’. Although we expect to continue observing such knowledge-based monetization attempts on behalf of cybercriminals, we’re certain that the tactics, techniques and procedures (TTPs) that are truly shaping the success of their fraudulent and malicious campaigns will not get a mention in such a standardized form.

The post Cybercriminals offer fellow cybercriminals training in Operational Security (OPSEC) appeared first on Webroot Threat Blog.

ThreatVlog Episode 12: Top Cyber Threats of 2013

Fake ‘WhatsApp Missed Voicemail’ themed emails lead to pharmaceutical scams

WhatsApp users, watch what you click on! A currently circulating fraudulent spam campaign is brand-jacking WhatsApp in an attempt to trick its users into clicking on links found in the email. Once socially engineered users fall victim to the scam, they’re automatically exposed to a fraudulent pharmaceutical site, offering them pseudo-bargain deals. Let’s assess the fraudulent campaign, and expose the fraudulent infrastructure supporting it.

Sample screenshot of the spamvertised email:


Sample screenshot of the landing pharmaceutical scam page:


Redirection chain: hxxp://203.78.110.20/horizontally.html -> hxxp://viagraphysician.com (109.201.133.58)

We’re also aware of the following fraudulent domains that are known to have phoned back to the same IP (109.201.133.58):

Name servers:
ns1.viagraphysician.com – 178.88.64.149
ns2.viagraphysician.com – 200.185.230.32

The following fraudulent name servers are also known to have participated in the campaign’s infrastructure at 178.88.64.149:

The following fraudulent name servers are also known to have participated in the campaign’s infrastructure at 200.185.230.32:

We expect that more legitimate brands will continue getting targeted in such a way, with the fraudsters behind the campaign continuing to earn revenue through pharmaceutical affiliate programs.

Webroot SecureAnywhere users are protected from these scams.

The post Fake ‘WhatsApp Missed Voicemail’ themed emails lead to pharmaceutical scams appeared first on Webroot Threat Blog.


Top 5 Enterprise Threat Predictions for 2014

Top 5 Enterprise Threat Predictions for 2014

  • Ransomware for the enterprise
  • Compromised clouds
  • Advanced mobile phishing tactics
  • APT’s focus on mobile
  • Mobile device linked to major compromise

When thinking about cyber-security and looking back over the years, there is a clear and unfortunate trend which doesn’t show any signs of slowing: year over year, more and more cyber-attacks occur while, at the same time, the sophistication of attacks continues to evolve. Additionally, a matured cyber-crime as a service (CCaaS) ecosystem has enabled practically anyone to get involved. Combine this with the growing cost of defenses and the reality that many solutions are only somewhat effective, and you can see that the feasibility of cyber-security is, well, getting farther and farther away.

Now, I could go into the various factors which are causing this losing battle, such as society’s overwhelming desire to pick convenience over security, or the mentality that ‘it will never happen to me’, but I’ll save that for another blog. Instead, I’m going to consider the cyber-security events from the past few years and predict the top 5 threats enterprises are likely to face in 2014.

First, I should note that these predictions are not ordered or ranked in any way; they are simply 5 enterprise-focused security events you will likely read about next year, along with my supporting reasons for each prediction. So let’s get started!

Prediction # 1 – Ransomware for the enterprise
Early in 2013, a new type of ransomware, self-named Cryptolocker, was discovered which included a few very significant and very frightening changes. Unlike older ransomware, which would store the decryption key within the executing binary, Cryptolocker stores the encryption key on its C&C server network, and with each new infection a new key is used. This makes it next to impossible to decrypt files modified by the infection. The other big change is that Cryptolocker doesn’t give you a lot of time to pay the ransom, often around $300, with only 72 hours to comply before the decryption key is destroyed. These tactics have made Cryptolocker the most advanced and most aggressive ransomware discovered to date; however, Cryptolocker’s focus remains primarily on individual users, as is evident from its distribution tactic of spam email.

Based on Cryptolocker’s tactical advancements and success, it is only a matter of time before an enterprise becomes the target of a similar form of attack. Many people are gladly handing over $300 to regain access to their personal files, imagine what an enterprise would pay to restore its data. My guess is at least, in my best Dr. Evil voice, 1 million dollars!

Prediction # 2 – Compromised clouds
While cloud infrastructure has been around for a while, 2013 saw very widespread adoption as companies looked to save money and to run more efficiently. While the cloud has a number of benefits, additional security isn’t always one of them, and not all clouds are equal. In cases where companies are opting for public cloud infrastructure, they trust the security measures put in place by the cloud hosting service. This basically extends the attackable surface, increases vectors for attack and reduces the overall control a business has to prevent an attack. Of course, there is the option of a private cloud, but for most this option is too expensive and/or overkill for their needs.

As utilizing cloud services becomes the new norm, it will also become a more ideal target for cyber-crime and attack. Consider, if you successfully compromise a cloud hosting provider, you likely gain access to all data within which would include that of dozens if not hundreds or even thousands of companies.

Prediction # 3 – Advanced mobile phishing tactics
Phishing isn’t new by any means; however, the utilization of this attack vector continues to grow at record pace while the tactics used continue to evolve. In 2013 we saw new innovative attacks involving the human experience, either over the phone or in person; waterhole attacks, which identify and compromise websites likely to be visited by the primary target; and mobile attacks ranging from phishing SMS messages to rogue and misleading advertisements. Then, of course, there is the mass of phishing spam email, contrasted by the ultra-precise spear-phishing attack. The trouble is, phishing attacks are so effective because they pay especially close attention to the human experience and our desire to trust someone we know. When aimed at an enterprise, all an attacker has to accomplish is tricking one individual, and research has shown it only takes about 15 targets for this to be guaranteed.

But what about mobile? As today’s workforce continues to shift to mobile devices and platforms, so will the tactics used by attackers. Mobile is a ripe target for attack as the user experience is focused on convenience over security. Combine this with the one touch access and lack of authentication and it is easy to see why I predict new advanced phishing tactics aimed at compromising mobile devices.

Prediction # 4 – APT’s focus on mobile
2013 saw a massive migration to smartphones and mobile OSes as well as widespread adoption of BYOD, and the cyber-crime community definitely took notice. This past year, Webroot’s mobile research team discovered over 1 million malicious Android apps, which is over 1000% growth from the previous year. But compromising a mobile device doesn’t have to start with an app. We’ve seen recent website hacks that only modify pages served to mobile devices, a tactic to avoid detection, but also evidence that mobile is becoming a primary focus. Additionally, numerous new mobile related services have been popping up in underground markets. Services range from SMS flooding, malicious app creation and mobile botnet building tools to, most disturbingly, trusted developer credentials which can be used to post apps to major app markets like Google Play.

Because mobile devices contain so much information and very little security or authentication, they will increasingly be the focus for attacks. When considering the planning that goes into today’s APT backed attack, it only makes sense that highly organized cyber-crime gangs and/or state launched attacks will target mobile devices as part of their future attacks.

Prediction # 5 – Mobile device linked to major compromise
My final prediction again relates to mobile, and the reasons are largely expressed in the previous two predictions. There is a clear trend for the adoption of personal mobile devices in the workplace, but it isn’t being matched with employee education, policy or security. The reality is that BYOD can be done correctly when four key areas are secured: app protection, web protection, data protection and device protection. By securing these areas, personal devices can be used for personal purposes and still be safe to connect to the corporate network.
The trouble, however, is that most enterprises are allowing BYOD without proper planning, education or policy in place. This lack of regulation, combined with the lacking security features of mobile devices, will eventually lead to a major compromise.

So, what can your company do to stop these threats? Well, employee education to drive awareness of the types of attacks and their consequences is a good first step. Security solutions have also advanced with better threat awareness, and in Webroot’s case, are harnessing the power of crowds in the cloud to rapidly identify the newest threats. For more information, feel free to shoot me an email at gmilbourne@webroot.com or visit our website at http://www.webroot.com/.

The post Top 5 Enterprise Threat Predictions for 2014 appeared first on Webroot Threat Blog.

A peek inside the booming underground market for stealth Bitcoin/Litecoin mining tools

The over-hyped market valuation of the buzzing P2P E-currency, Bitcoin, quickly gained the attention of cybercriminals internationally, who promptly adapted to its skyrocketing valuation by releasing commercially available stealth Bitcoin miners and Bitcoin wallet stealing malware, as well as actually starting to offer the source code for their releases in an attempt to monetize their know-how and expertise in this area. Throughout 2013, we profiled several subscription based stealth Bitcoin mining tools, and predicted that it’s only a matter of time before this still developing market segment starts proliferating, with more cybercriminals offering their stealth Bitcoin releases to prospective customers. Not only are we continuing to see an increase in the number of tools offered, but some cybercriminals are also actually starting to offer the source code for their releases, which, as we’ve seen in the past, has resulted in an increase in ‘value-added’ releases on behalf of fellow cybercriminals implementing features based on their perceived value, or through interaction with prospective customers.

What are cybercriminals up to in terms of stealth Bitcoin miners these days? Let’s profile several of the (international) underground market share leading commercially available stealth Bitcoin miners, emphasize their features, and show just how easy it is to fraudulently mine Bitcoin/Litecoin these days, with the affected user never really knowing what’s taking place on their PC.

Go through previous research — including MD5s — profiling commercially available stealth Bitcoin mining tools, released throughout 2013:

Sample screenshots of commercially available stealth Bitcoin/Litecoin mining tools 01 through 08:

A peek inside the administration panel of a sampled stealth Bitcoin/Litecoin mining tool:

Sample screenshots of commercially available source code for stealth Bitcoin/Litecoin mining tools:

Sample screenshots of a Bitcoin/Litecoin stealing tool:

Throughout all of 2013, we continued to observe an increase in subscription based stealth Bitcoin/Litecoin mining applications, with the vendors behind them emphasizing value-added services such as, for instance, maintaining the QA (Quality Assurance) process as well as ensuring that the latest builds of the mining applications remain undetected by antivirus scanners. Evasive tactics that aim to make it harder to analyze these samples, including the detection of Virtual Machines and other researcher/analyst virtual environments, also proliferated. Moreover, a decent percentage of these commercially available stealth mining applications include the ability to remove competing mining applications, indicating that the vendors are not just aware of each other’s existence (international underground market transparency), but also that they’re trying to gain market share by removing competing mining tools from the affected hosts. Not surprisingly, we’re also aware of commercially available source code for stealth mining tools that’s currently being offered, naturally acting as a force-multiplier for more upcoming releases, now that the source code has been publicly offered.

We’ll continue monitoring this developing market segment, and post updates as soon as new developments take place.

The post A peek inside the booming underground market for stealth Bitcoin/Litecoin mining tools appeared first on Webroot Threat Blog.

Cybercrime Trends 2013 – Year in Review

It’s that time of the year! The moment when we reflect back on the cybercrime tactics, techniques and procedures (TTPs) that shaped 2013, in order to constructively speculate on what’s to come in 2014 in terms of fraudulent and malicious campaigns orchestrated by opportunistic cybercriminal adversaries across the globe. Throughout 2013, we continued to observe and profile TTPs which were crucial for the success, profitability and growth of the cybercrime ecosystem internationally, such as, for instance, widespread proliferation of the campaigns, professionalism and the implementation of basic business/economic/marketing concepts, improved QA (Quality Assurance), vertical integration in an attempt to occupy market share across multiple verticals, as well as the re-emergence of known and well proven cybercrime-friendly concepts like standardization and DIY (do-it-yourself) type propositions.

Eager to learn more? Keep reading!

This comprehensive summary will answer the following questions:

  • Which were the most prolific malware/client-side exploit serving/social engineering driven campaigns that popped up on our radar, what exploitation tactics did they rely on, and what made them so successful in the first place?
  • Which were the most commonly abused trusted/legitimate/reputable company names throughout 2013?
  • Which was the most efficient concept through which cybercriminals monetized their campaigns?
  • Why did the bad guys resurrect old school cybercrime-friendly concepts in 2013, and were they successful in their re-implementation?
  • Was it easier to become a cybercriminal in 2013 than it was in 2012?
  • What were the most noticeable examples of malicious/fraudulent ‘innovation’ introduced by the bad guys in 2013?

Let’s list the cybercrime trends that shaped 2013, and discuss each of them in depth, to further elaborate on our observations.

Top Cybercrime Trends That Shaped 2013

  1. The rise and fall of Paunch and the market leading Blackhole Web malware exploitation kit – The Blackhole Web malware exploitation kit represented the primary growth factor for a huge percentage of the successful client-side exploit serving campaigns throughout 2013, until Paunch, the kit’s author, and his gang were arrested, leading to an evident decline in malicious Web activity that was once attributable to the sophistication of the kit and the systematic updates pushed to its customers. Not only did the Blackhole Web malware exploitation kit occupy the largest share of malicious Web activity, but the ‘vertical market integration’ done by Paunch in the form of his managed ‘value-added’ script/iframe crypting service further expanded the kit author’s share of malicious Web activity throughout the year. Naturally, we kept a decent percentage of the malicious campaigns circulating in the wild at the time under close monitoring, and successfully profiled and protected against the following campaigns affecting major trusted/legitimate/reputable brands: two instances of Verizon Wireless themed campaigns, the BBB (Better Business Bureau), a rogue bank reports themed campaign, rogue eBay purchase confirmations, AICPA, U.S. Airways, two instances of ADP themed campaigns, EFTPS, Intuit, LinkedIn, PayPal, FedEx, Amazon, Facebook, the IRS, two instances of rogue Wire Transfer themed campaigns, Data Processing Service, CNN, and the BBC were all impersonated in client-side exploit serving and malware-dropping campaigns relying on the Blackhole Web malware exploitation kit. Despite the existence of competing Web malware exploitation offerings that continued to receive updates and offer support in 2013, the Blackhole kit’s leading market share attracted the necessary law enforcement attention, ending an era of a monetized, efficiency-oriented client-side exploitation process that affected millions of users over the year.
Due to the easy to anticipate demand for a sufficiently sophisticated competing offering, we believe it’s only a matter of time before current offerings in this market segment either reach the sophistication of the Blackhole kit, or a new market entrant once again takes the leading market share position in 2014.
  2. The continued development of the TDoS (Telephony Denial of Service) market segment – 2013 marked an important year in the development of a market segment that is extremely popular within Russia/Eastern Europe, the TDoS (Telephony Denial of Service) market segment. Thanks to a lethal combination of managed services and commercially available DIY (do-it-yourself) TDoS tools, unethical competitors and average cybercriminals continued launching TDoS attacks against the competition or against prospective victims, in an attempt to deny the latter the ability to realize that they’re about to get virtually robbed; when performed with ‘perfect timing’, the practice successfully undermines the phone/SMS based suspicious transaction verification process where applicable. The market further developed thanks to the ‘vertical integration’ applied by DDoS (Distributed Denial of Service) vendors, who also started offering TDoS attack capabilities to prospective customers. With the ease of obtaining compromised SIP accounts at legitimate providers, those providers’ lack of self-policing processes, as well as the prevalence of DIY TDoS tools abusing legitimate services such as Skype, ICQ or a mobile carrier’s mail2sms feature, cybercriminals will remain in a perfect position to continue launching these types of attacks in 2014.
  3. The proliferation of PUAs (Potentially Unwanted Applications), successfully infiltrating major ad networks – Potentially Unwanted Applications (PUAs) continued to represent an evergreen market segment, primarily driven by visual social engineering campaigns that attempt to trick users into installing privacy-violating applications on their hosts. Throughout 2013, we kept on a short leash a decent percentage of the most prolific PUA campaigns, whose traffic acquisition tactics relied on unethical use of major ad networks for the purpose of displaying catchy ads. Some notable examples of PUA families that we kept track of, and protected our users against, include, but are not limited to: iLivid’s ‘Searchqu Toolbar/Search Suite’ PUA, the SafeMonitorApp PUA, the KingTranslate PUA, the ‘Oops Video Player’ PUA, two instances of InstallCore PUA pushed campaigns, two instances of Somoto.BetterInstaller PUA, the InstallBrain PUA, the Bundlore PUA, the Mipony/FunMoods Toolbar PUA, the EzDownloaderpro PUA, the SpyAlertApp PUA, and the BubbleDock/Downware/DownloadWare PUA.
  4. Managed cybercrime services continued professionalizing and implementing basic business concepts in order to attract new customers – Throughout 2013, we continued to observe an increase in managed cybercrime-as-a-service type propositions, with the vendors behind the services ‘innovating’ by filling market niches, and consequently developing new market segments that we’ll continue to closely monitor in 2014, due to the natural competition that will arise from the existence of these newly launched services. Next to managed services that are ubiquitous within the cybercrime ecosystem, like script/iframe crypting, DIY (do-it-yourself) Web based malware crypting as a service, or the recently emerged ‘bulletproof botnet hosting+setting up’ type of services targeting primarily novice cybercriminals, the bad guys also ‘innovated’ by launching never before (publicly) released managed self-service type products/services such as, for instance, managed ransomware services, DIY automatic Web site hacking services, hacked/compromised shells as a service, cybercrime-friendly redirector generation as a service, as well as Operational Security (OPSEC) oriented propositions for non-attributable SIM cards, whose destruction once utilized for fraudulent/malicious activity could be requested as a service.
  5. Evident increase in cybercrime-friendly affiliate networks for cross-mobile-operating-system (OS) malware – In 2013, we observed a logical development within the cybercrime ecosystem, namely the general availability of affiliate networks for mobile malware, as a way for cybercriminals to create a win-win-lose scenario for themselves, the network’s participants, and the prospective victims. Taking into consideration efficiency, sophistication, and revenue-sharing schemes, we expect to continue observing an increase in this type of affiliate network, monetizing malware infected mobile devices, like the one we profiled earlier this year.
  6. The re-emergence of cybercrime-friendly traffic exchanges, now exclusively supplying ‘mobile traffic’ for malware conversion – Underground market traffic exchanges have always been an inseparable part of the modern cybercriminal’s traffic acquisition. However, over the last couple of years these very same cybercriminals started specializing in related traffic acquisition tactics such as malvertising, RFI (Remote File Inclusion)/SQL injections, blackhat SEO (search engine optimization), direct compromise of high-traffic Web sites, and social engineering driven spam campaigns, which resulted in a modest decline of the sophisticated traffic exchanges we “got used to” observing over the years. It didn’t take long for the concept to re-emerge, with an interesting twist. In 2013, we observed not just an increase in the public availability of such traffic exchanges/marketplaces, but also the direct offering of ‘mobile traffic’ to be later converted into infected mobile devices, by exposing them to malicious/fraudulent content tailored to mobile users only.
  7. Mobile spammers continued developing new cybercrime-friendly tools, signaling that the market segment is alive and well – With SMS spam increasing, a logical question emerges in the mind of the targeted recipient: how do the spammers know my mobile number? Throughout 2013, we continued to actively monitor this market segment, providing factual evidence on the prevalence of DIY mobile number harvesting tools, DIY tools for cost-effective validation that these numbers actually work, as well as managed services capable of supplying spammers with geolocated mobile numbers, potentially improving the success of their campaigns thanks to the basic targeted marketing that can be applied to them. Thanks to the general/commercial availability of these tools, mobile spammers will continue to be in a perfect position to launch successful social engineering driven SMS/MMS based campaigns.
  8. Cybercriminals ‘innovated’ within the flourishing market segment for fake IDs, passports, utility bills, certificates and diplomas – The demand and supply for fake IDs, passports, utility bills, certificates and diplomas continued to grow throughout the year, with the cybercriminals behind this evergreen cybercrime ecosystem market segment actually ‘innovating’ with an efficiency-oriented mentality in mind. Case in point: a service for fake scanned documents that possesses a database of passport-sized photos of real people and fully randomizes the scanned output from a technical perspective, in an attempt to prevent the detection of an entire set of automatically, on-the-fly generated fake documents while it is in use. The concept marked a new milestone in the market segment, thanks to the utilization of the ecosystem-wide, efficiency-oriented tactic, with QA (Quality Assurance) elements in place. From a unique value proposition (UVP) in 2013, the concept will inevitably get widespread adoption across competing services, further undermining remote authentication processes that rely on scanned documents as the primary means of verifying the identity of a user/customer.
  9. Facebook themed malicious campaigns, including the ubiquitous "Who's Viewed Your Profile" privacy-invading campaign, exposed millions of users to rogue applications, privacy-violating browser extensions and Android/Windows adware/malware – Popularity has always been proportional to a decent degree of brand-associated malicious and fraudulent activity online. In 2013 cybercriminals systematically and efficiently targeted Facebook users with multiple campaigns, exposing them to a cocktail of malicious/privacy-violating cross-platform 'releases'. Multiple campaigns were launched, and naturally profiled and disrupted: for instance the fraudulent 'Facebook Profile Spy' themed campaign, the fraudulent 'Rihanna & Chris Brown S3X Video' campaign, the spamvertised 'Friend Confirmation Request' campaign, followed by yet another spamvertised 'You have friend suggestions, friend requests, and photo tags' themed campaign, and the massive 'Who's Viewed Your Facebook Profile' campaigns, which exposed over 1 million Facebook users to fraudulent and malicious content.
  10. Hacked accounts and compromised-hosts-as-a-service type of underground market propositions continued proliferating – The steady supply of hacked-PCs-as-a-service and compromised-accounts-as-a-service that we observed in 2013 continues to result in the inevitable commoditization of these underground market items. We attribute this trend to the general availability of DIY/public/leaked and, of course, affordable commercially available malware/botnet generating tools, empowering novice cybercriminals who later seek profitable ways to monetize the fraudulently obtained accounting data or the actual access to hacked/compromised hosts. Naturally, this ongoing commoditization is poised to lower the prices of these items, with only a small number of vendors commanding high prices, largely relying on the customer's limited understanding/situational awareness of the underground market's transparency model.
  11. Gamers got targeted through several cybercrime-friendly tools and services selling direct access to their data-mined/brute-forced accounting data – Throughout 2013 gamers were the targets of cybercriminals empowering fellow cybercriminals not just with DIY brute-forcing/spamming tools, but also with actual access to compromised accounting data for the most popular gaming platforms. The niche market segment gained the attention of cybercriminals who, relying on basic marketing concepts such as segmentation, started monetizing it using proven TTPs such as platform/Web site specific data harvesting, brute-forcing, or plain simple data mining of a botnet's 'infected population' for accounting data.
  12. 'Routine' spam campaigns with malicious attachments, systematically rotating the impersonated brands, were an everyday reality – In 2013 we intercepted tens of millions of purely malicious emails whose reliance on good old fashioned social engineering tactics, in combination with the systematic rotation of the impersonated trusted and legitimate brands, gave cybercriminals the 'infection rates' necessary to keep their botnets fully operational. Which brands got impersonated in these campaigns? FedEx, two instances of BofA themed campaigns, ADP, American Airlines, DHL, FedWire, two instances of Citibank themed campaigns, Vodafone, NYC's DMV, three instances of Vodafone U.K themed campaigns, Westminster Hotel, iGO4, two instances of iPhone themed campaigns, O2, two instances of T-Mobile themed campaigns, Xerox, two instances of WhatsApp themed campaigns, HSBC, T-Mobile U.K, as well as multiple generic spamvertised malware campaigns: the Changelog themed campaign, the Helicopter Order themed campaign, the Magic Malwaware spam run, Export License Payment, Unsuccessful Fax Transmission, Export License Invoice, the FW:File themed campaign, Important Company Reports, the Annual Form STD-261 themed campaign, and an instance of the October's Billing Address Code (BAC) themed campaign.
  13. Money mule recruiters continued 'innovating' – With risk-forwarding still representing an inseparable part of the cybercrime ecosystem in 2013, throughout the year we observed one interesting, once again efficiency-driven, 'innovation' related to the processing of Western Union themed transfers, followed by another interesting, this time very persistent and prolific, high-profit-margin oriented money mule recruitment campaign targeting company owners. These cases lead us to believe that the ubiquitous risk-forwarding practice relying on gullible mules will continue to mature in terms of new value-added services offered by major money mule recruitment syndicates, while they still rely on legitimate, cross-country hosting infrastructure for the actual recruitment pages/management interfaces.
  14. Spam-friendly bulletproof SMTP servers made a comeback – Yet another trend we observed in 2013 was the re-emergence of the bulletproof cybercrime-friendly SMTP server as a service, a surprising resurrection of an old but proven tactic used by cybercriminals who want to establish 'touch points' with prospective victims through email. Not only were vendors filling the re-emerging market niche, some were also vertically integrating/adding related value-added services, in an attempt either to position themselves as one-stop E-shops or to occupy a bigger share of the entire market segment.
  15. DIY automatic account registration tools continued attracting the attention of vendors filling the niche market segment – The automatic generation of rogue/bogus/fake accounts continued to represent a growing market segment, with multiple tools released during the year affecting popular Web properties such as YouTube, Tumblr, Instagram, and Russian and major international free email service providers. The continued development of this market segment naturally resulted in the anticipated increase in cybercrime-friendly 'social media boost' type propositions, largely relying on a combination of both legitimate/compromised accounts and automatically registered ones.
  16. Event-based social engineering campaigns materialized in the face of the Boston Marathon explosion, the fertilizer plant explosion in Texas, as well as UNHCR-themed fraudulent campaigns – Cybercriminals have never been strangers to the concept of event-based social engineering attacks, used in an attempt to increase the click-through rates of their fraudulent and malicious campaigns. On several occasions throughout 2013 we profiled such campaigns, which were basically a timely response to a major newsworthy event or geopolitical situation. Cases in point are the Boston Marathon explosion and the Texas fertilizer plant explosion themed campaigns, as well as the Syrian/UNHCR themed fraudulent campaign.
  17. Blackhat SEO (search engine optimization) continued getting the necessary 'innovation boost' to remain a profitable cybercriminal endeavour – In 2013 blackhat SEO continued to represent a maturing market segment within the ecosystem, with more products and services released by cybercrime-friendly vendors. Still relying on an evergreen market segment, namely hacked/compromised shells as a service, blackhat SEO remained a major traffic acquisition tactic in the arsenal of the average cybercriminal looking for efficient ways to abuse the world's major search engines. From the commercial availability of managed blackhat SEO services, the release of feature-rich Web-based DIY doorway management platforms, Windows based hacked/compromised shells management tools and hacked/compromised shells interaction tools, to QA (Quality Assurance) oriented releases aiming to get rid of competing Web shells that may be located on the same host the cybercriminal is using, the market segment will continue flourishing in 2014 as well.
  18. A market segment for stealth, subscription-based, commercially available Bitcoin/Litecoin mining tools emerged – 2013 marked an important year in terms of the market valuation of the popular P2P based e-currency Bitcoin, and the cybercrime ecosystem's natural response to it. Keeping a close eye on the developing market segment, we profiled some of the market-leading stealth Bitcoin miners, offering an inside peek, through the eyes of the prospective cybercriminal, at this way of monetizing hosts he has access to by converting them into Bitcoin mining zombies. The market is poised to continue expanding, with more vendors and subscription-based services continuing to pop up on our radar, and we expect the practice to get even wider adoption across the cybercrime ecosystem in 2014.
  19. Targeted attacks continued taking place, with prospective NATO job applicants as the primary target in a sampled campaign – Targeted attacks continued taking place in 2013, with multiple high-profile organizations being the victims of specifically crafted emails targeting their current/potential employees. Case in point is a NATO (North Atlantic Treaty Organization) themed campaign soliciting sensitive information, which we connected to historical Black Hole Exploit Kit malicious Web activity, indicating that the cybercriminals behind it were either multi-tasking or sharing the same infrastructure during both campaigns.
  20. The DDoS for hire market segment continued maturing, with vendors starting to 'vertically integrate' by also offering TDoS services – Among the multiple "DDoS for hire" services we tracked during the year, one made a largely anticipated vertical integration move, namely adding TDoS (telephony denial of service) services to its portfolio, in an attempt to position itself as a one-stop E-shop for denial of service attacks. Driven by a decent supply of DIY malware/botnet generating tools possessing standard/modular DDoS functionality, we anticipate that DDoS for hire and TDoS will continue proliferating in 2014.
  21. Cybercriminals innovated in the form of sophisticated server-based mass iframe embedding platforms – In 2013 cybercriminals demonstrated their ambition to 'go after the server' instead of 'going after the Web site', by releasing two platform-based cybercrime-friendly releases: an iframe embedding stealth Apache 2 module, and a mass iframe embedding platform that escalates privileges from compromised FTP/SSH accounts. Despite the platforms' evident sophistication and potential to cause efficient, widespread damage, the general availability of Google Dorks based mass Web site hacking/compromise tools will continue contributing to the active exploitation of the 'long tail' of the Web, resulting in an extremely favorable, choice/preference driven market segment that allows cybercriminals to quickly scale their attempts to compromise as many Web sites as possible.
  22. Pharmaceutical scammers continued impersonating major trusted, legitimate and reputable brands – From Facebook to Gmail and WhatsApp, in 2013 pharmaceutical scammers continued enticing users into clicking on the fraudulent links found in spam emails, exposing them to (supposedly) exclusive bargain deals, whereas in reality the customer is bargaining with his health, since it's counterfeit pharmaceutical items that the cybercriminals are trying to sell. Despite the numerous take-downs of pharmaceutical scam Web sites throughout the year by law enforcement across the world, cybercriminals continue to enjoy bulletproof hosting infrastructure for their fraudulent propositions, largely made possible by bulletproof hosting providers, some of which have been operating within the cybercrime ecosystem for over a decade.
  23. Rogue online casinos represented a decent proportion of spam campaigns aiming to trick users into installing Potentially Unwanted Applications (PUAs) on their hosts – Throughout the year we continued to intercept hundreds of thousands of emails enticing users into joining rogue online casinos by offering them discounts or entry bonuses. Naturally, the fraudsters behind these campaigns were tricking them into installing W32/Casonline, a well known family of PUAs (Potentially Unwanted Applications) that we've also extensively profiled in the past.
  24. The Android OS was under fire from DIY mobile malware binding/generating tools that leaked into the wild, next to the commercially available Android malware bots released in 2013 – Cybercriminals were busy releasing DIY mobile malware binding/generating tools, sensitive information stealers and Android-compatible botnet operating tools, further fueling malicious mobile malware activity. With these tools being the tip of the iceberg in an ecosystem dominated by cybercrime-friendly underground market traffic exchanges offering exclusive access to mobile-only traffic, in combination with proprietary mobile malware releases and social engineering campaigns on Google Play relying on data-mined accounting data, cybercriminals are perfectly positioned to continue capitalizing on Android's growing market share.
  25. Greed-driven cybercriminals continued selling access to Russian/Eastern European malware-infected hosts – What was once considered a virtually impossible scenario, namely Russian/Eastern European cybercriminals selling access to Russian/Eastern European malware-infected hosts, is today's reality, with several services that we're currently aware of doing exactly that. We expect more cybercriminals to attempt to achieve liquidity of their fraudulently obtained assets, namely to monetize access to these hosts as quickly as possible, leading to more such services in 2014.
  26. The bulletproof cybercrime-friendly hosting market segment continued growing to meet the never-ending demand – Thanks to a mix of purely malicious bulletproof hosting infrastructure in combination with legitimate infrastructure, the market segment for bulletproof hosting services continues maturing even in a post-Russian Business Network world, with the segment poised to grow as vendors continue to add related 'value-added' features to their portfolios.
  27. 419 advance fee scammers remained pretty active – Two of the most interesting cases of 419 advance fee fraud that we intercepted throughout 2013 were the abuse of CNN's 'Email This' feature, a practice 419-ers have used in the past (case in point, the abuse of Dilbert.com and NYTimes.com), as well as a 'clever' tactic to pop up in an Android user's Calendar app.
  28. Mass iframe injections continued taking place, with government Web sites internationally falling victim to the efficiency-oriented attacks – The good old fashioned mentality of "Who'll bother attacking my low profile Web site?" became totally irrelevant in 2013, with cybercriminals relying on DIY mass Web site exploitation tools or on sophisticated platforms. Throughout 2013 we intercepted a variety of Web sites serving client-side exploits, a trend we expect to continue observing in 2014, in particular on high-page-ranked/high-profile Web sites.

The post Cybercrime Trends 2013 – Year in Review appeared first on Webroot Threat Blog.

Top consumer security predictions for 2014


Top Predictions for 2014

  • FBI/ICE MoneyPak
  • Cryptolocker
  • Rogues

As this year comes to a close, we've seen some measurable progress in the infiltration techniques used by malware. Here is some insight into the top threats of 2013 and what they could mean for 2014.

FBI/ICE MoneyPak

(Screenshot: the FBI/ICE MoneyPak lock screen displayed on an infected PC.)

We saw some frightening improvements in ransomware this year. FBI/ICE MoneyPak, or Win32.Reveton, was a huge hit to the PC community. Although first seen in 2012, it wasn't until 2013 that it was tweaked into one of the most annoying and difficult-to-remove ransomware families. Once dropped on your computer and executed, whether via an email attachment, a fake "video codec" or the like, it disables all Safe Mode options and Task Manager and shows nothing but this screen. You have no way to launch applications like System Restore or regedit, because the Explorer shell has been hijacked. Most variants also start themselves in newly created user accounts, so the only removal options are to have your antivirus block it at drop time, or to boot from a Linux disc and remove it from there. Since this is still super effective against most antivirus (especially zero-day variants), I expect to see more of it. I foresee the names changing, along with the typical scare-tactic text about "violations": as more people become educated about these threats, it's really easy to slap on a new image and new text and fool you again.

Cryptolocker

(Screenshot: the Cryptolocker ransom window. Not a good sight to see.)

This new Cryptolocker that has everyone scared is no joke. Once on your machine, this ransomware uses about 10% of CPU power to quietly encrypt all your documents with the following extensions: (*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpe, *.jpg, *.avi, *.mp3, *.wma, *.wmv, *.wav, *.divx, *.mp4, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c).

Once it has encrypted all the files found on your local drives as well as on mapped network drives, it shows you the above screen. Unlike earlier ransomware that stored the decryption key in the initial dropper, the key is generated and stored on a remote server and is different for every infection. This leaves you with little to no recourse unless you have a backup or a saved System Restore point. Shadow Explorer is a lovely tool that lets you restore all the files you had at any given restore point, using the Windows built-in Volume Shadow Copy Service (Vista/7/8 only). Be warned, however: by default only the drive the operating system is on has System Protection (and therefore shadow copies) enabled, so if you lost files on other slave drives in your box or on network drives, you have no option but to pay. Also, a growing percentage of the Cryptolocker samples we've seen now execute this command right off the bat:

“C:\Windows\SYsWOW64\cmd.exe” /C “C:\Windows\Sysnative\vssadmin.exe” Delete Shadows /All /Quiet

This completely removes any hope of using tools like Shadow Explorer. (The Sysnative path in that command is the alias a 32-bit process uses to reach the native 64-bit System32 directory, so the sample issuing it is a 32-bit binary running on 64-bit Windows.) Expect to see plenty more Cryptolocker in the future, and expect it to pack more tricks to stop you from restoring files and to keep antivirus from detecting it.
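As an added example (not code from the Webroot post), here are two checks a defender can run against the behaviour described above: a file-extension test built from the post's target list, useful when working out which files on a hit share are exposed, and a detector for shadow copy deletion run over process-creation records. The records, the parent name `dropper.exe` and the timestamps are constructed for this example; the `wmic shadowcopy delete` form is included as the well known equivalent of the vssadmin command the post quotes.

```python
"""Added example, not code from the Webroot post: two checks a defender can run
against the Cryptolocker behaviour described above. The sample process log
below is constructed for this example."""
import re
from typing import Iterable, List, Tuple

# File extensions Cryptolocker encrypts, as listed in the post (compared case-insensitively).
CRYPTOLOCKER_EXTENSIONS = frozenset("""
odt ods odp odm odc odb doc docx docm wps xls xlsx xlsm xlsb xlk ppt pptx pptm mdb accdb
pst dwg dxf dxg wpd rtf wb2 mdf dbf psd pdd pdf eps ai indd cdr jpe jpg avi mp3 wma wmv
wav divx mp4 dng 3fr arw srf sr2 bay crw cr2 dcr kdc erf mef mrw nef nrw orf raf raw rwl
rw2 r3d ptx pef srw x3f der cer crt pem pfx p12 p7b p7c
""".split())


def is_cryptolocker_target(path: str) -> bool:
    """True if the file's extension is on the targeted list. Accepts local and
    UNC paths, which matters because the malware also walks mapped drives."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return False
    return name.rsplit(".", 1)[-1].lower() in CRYPTOLOCKER_EXTENSIONS


# Shadow copy deletion via vssadmin (the command the post shows) or its WMI
# equivalent. Tolerates any path prefix, quoting, casing and cmd.exe /C wrapping.
_SHADOW_WIPE = re.compile(
    r"(?:^|[\\/\s'\"])(?:vssadmin(?:\.exe)?\"?\s+delete\s+shadows\b"
    r"|wmic(?:\.exe)?\"?\s+shadowcopy\s+delete\b)",
    re.IGNORECASE,
)


def is_shadow_copy_wipe(cmdline: str) -> bool:
    """True if a process command line deletes Volume Shadow Copies."""
    return bool(_SHADOW_WIPE.search(cmdline))


# Constructed process-creation records: "timestamp<TAB>parent image<TAB>command line".
SAMPLE_PROCESS_LOG = [
    "2013-12-20T10:01:02\texplorer.exe\t\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\"",
    "2013-12-20T10:03:15\tdropper.exe\t\"C:\\Windows\\SYsWOW64\\cmd.exe\" /C "
    "\"C:\\Windows\\Sysnative\\vssadmin.exe\" Delete Shadows /All /Quiet",
    "2013-12-20T10:03:16\tcmd.exe\tvssadmin list shadows",
    "2013-12-20T11:30:00\tpowershell.exe\twmic shadowcopy delete",
]


def scan_process_log(records: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, parent, cmdline) for every record that wipes shadow copies."""
    hits = []
    for record in records:
        ts, parent, cmdline = record.split("\t", 2)
        if is_shadow_copy_wipe(cmdline):
            hits.append((ts, parent, cmdline))
    return hits


if __name__ == "__main__":
    for ts, parent, cmdline in scan_process_log(SAMPLE_PROCESS_LOG):
        print(f"{ts} shadow copy wipe by {parent}: {cmdline}")
    print(is_cryptolocker_target(r"\\fileserver\finance\budget.xlsx"))
```

The command-line check is deliberately loose about quoting and paths because the post's own sample reaches vssadmin through a Sysnative redirect wrapped in cmd.exe /C; a rule anchored on `C:\Windows\System32\vssadmin.exe` would miss it. A `Delete Shadows` from anything other than an administrator's interactive shell or a backup agent is worth an alert on its own, regardless of whether /All is present.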

Rogues

(Screenshots: the rogue "indexing" the hard drive and listing real files, and the webcam capture it took of the office.)

We saw some impressive improvements in rogues over 2013. Not only are the malware authors putting more effort into the interface to make it more realistic, they're even taking pictures of you! Specifically, we came across samples that, if you didn't pay within 10 minutes or so, would actually capture pictures using the built-in webcam. The rogue claimed that "detected viruses took these pictures and would send them to unauthorized users." However, we saw no network traffic other than the initial drop of components. What I expect to see in the future is a merger of this and Cryptolocker techniques. Given the extreme violation of privacy that taking unauthorized webcam pictures poses, I can definitely see variants threatening to distribute this data as leverage to win the ransom.

If you have any questions or comments please let us know!

The post Top consumer security predictions for 2014 appeared first on Webroot Threat Blog.

Zeus Infection Spoofing Bitdefender AV


Over the Christmas period, we here at Webroot have noticed a large number of Zeus infections spoofing the Bitdefender name.

While infections spoofing AV companies aren't unusual, it's been a while since we have seen such a spike against one particular vendor in such a short period. Most of the names are slight variations, but the numbers are impressive: overall, we have seen 40,000 unique MD5s in the last week alone!

The infection being dropped is from the Zeus family of infections, which are banking Trojans designed to steal login information when the user logs into their online banking website.

Infection Information:

  • File size is normally around 200-300 KB
  • It's located in a randomly named sub-folder of the user's AppData folder, with a random file name:
  • C:\users\testPC\Appdata\<random letters>\<random letters>.exe
  • Usually dropped via an exploit kit (Blackhole being the most popular)
  • However, it has also been seen attached to spam emails
  • Can disable Windows Firewall and Security Center
  • Has the ability to connect to a remote server to download updates
  • Can download other infections

Behaviour:

This infection can get onto a user's PC via a number of different methods, but the most common is through an exploit kit. The commonly used Blackhole exploit kit uses Java exploits to drop and execute a file.

Unless the user is very alert, they typically won't even notice they are infected. Once executed, the infection tries a number of methods to make sure it is automatically run at start-up.

The first is a registry Run value pointing directly to the infection [1].
The second is a fake Security Center update scheduled task [2].
The third is an auto-start service that again points to the infection [3].

  1. hklm\software\microsoft\windows\currentversion\run   "C:\Users\User\Application Data\Obunat\ongekie.exe"
  2. %windir%\Tasks\SECURITY CENTER UPDATE – 4048458695.JOB
  3. hklm\system\currentcontrolset\services\securitycenterserver673348880   U5 "C:\WINDOWS\system32\igizhaot.exe" -service "C:\Users\User\Application Data\Obunat\ongekie.exe"

After this, the infection may connect to a remote server to receive updates, and it can also download other infections (Cryptolocker, ICE and other rogue AVs).

Due to the large number of variants I won't go through all the behaviours, but generally the infection follows one of the patterns above. This infection can disable the Windows Security Center or modify the firewall settings to allow remote access to the PC.
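The three persistence mechanisms above, turned into a check: an added example (not the post's own code) that reads an inventory of Run values, %windir%\Tasks file names and service ImagePaths and reports anything matching the patterns the post describes. The inventory is constructed for this example; the flagged entries reuse the paths and names quoted in the post, while the Run value name `Obunat`, the benign entries and the dictionary shapes are assumptions.

```python
"""Added example, not code from the Webroot post: checks an inventory of
auto-start locations against the three Zeus persistence patterns described
above. The inventory is constructed for this example."""
import re
from typing import Dict, List, NamedTuple, Sequence


class Finding(NamedTuple):
    location: str   # where the entry lives (Run value, task name, service name)
    reason: str     # why it was flagged


# An executable one directory below the profile's AppData, i.e.
# ...\AppData\<random>\<random>.exe, ...\AppData\Roaming\<random>\<random>.exe
# or the XP-era ...\Application Data\<random>\<random>.exe. Some legitimate
# software lives there too, so treat a hit as a lead, not a verdict.
_APPDATA_EXE = re.compile(
    r"\\(?:appdata(?:\\roaming)?|application data)\\[^\\]+\\[^\\]+\.exe\b",
    re.IGNORECASE,
)
# "SECURITY CENTER UPDATE - <digits>.JOB" (hyphen or en dash) in %windir%\Tasks.
_FAKE_TASK = re.compile(r"^security center update\s*[-\u2013]\s*\d+\.job$", re.IGNORECASE)
# A service named securitycenterserver followed by a random number.
_FAKE_SERVICE = re.compile(r"^securitycenterserver\d+$", re.IGNORECASE)


def references_appdata_exe(command: str) -> bool:
    """True if a Run value or service ImagePath launches an .exe from the
    user's AppData tree (covers the '-service "<path>"' argument form too)."""
    return bool(_APPDATA_EXE.search(command))


def check_run_values(run_values: Dict[str, str]) -> List[Finding]:
    """run_values maps HKLM\\...\\Run value names to their command data."""
    return [Finding(f"Run\\{name}", f"launches executable from AppData: {data}")
            for name, data in run_values.items() if references_appdata_exe(data)]


def check_tasks(job_names: Sequence[str]) -> List[Finding]:
    """job_names are file names found in %windir%\\Tasks."""
    return [Finding(f"Tasks\\{job}", "fake Security Center update task")
            for job in job_names if _FAKE_TASK.match(job)]


def check_services(services: Dict[str, str]) -> List[Finding]:
    """services maps service names to their ImagePath."""
    findings = []
    for name, image_path in services.items():
        reasons = []
        if _FAKE_SERVICE.match(name):
            reasons.append("fake Security Center service name")
        if references_appdata_exe(image_path):
            reasons.append(f"ImagePath launches executable from AppData: {image_path}")
        if reasons:
            findings.append(Finding(f"Services\\{name}", "; ".join(reasons)))
    return findings


def triage(run_values: Dict[str, str], job_names: Sequence[str],
           services: Dict[str, str]) -> List[Finding]:
    """All three checks in the order the post lists the mechanisms."""
    return check_run_values(run_values) + check_tasks(job_names) + check_services(services)


# Constructed inventory: one benign entry and one Zeus entry per location.
SAMPLE_RUN_VALUES = {
    "SunJavaUpdateSched": r'"C:\Program Files\Common Files\Java\Java Update\jusched.exe"',
    "Obunat": r'"C:\Users\User\Application Data\Obunat\ongekie.exe"',   # value name assumed
}
SAMPLE_TASKS = ["GoogleUpdateTaskMachineUA.job", "SECURITY CENTER UPDATE - 4048458695.JOB"]
SAMPLE_SERVICES = {
    "wscsvc": r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted",
    "securitycenterserver673348880":
        r'"C:\WINDOWS\system32\igizhaot.exe" -service "C:\Users\User\Application Data\Obunat\ongekie.exe"',
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN_VALUES, SAMPLE_TASKS, SAMPLE_SERVICES):
        print(f"{finding.location}: {finding.reason}")
```

The service check looks at both the name and the ImagePath on purpose: the post's sample hides the AppData payload behind a System32 loader passed a `-service` argument, so a rule that only inspects the first token of the ImagePath would see a plausible `C:\WINDOWS\system32\...exe` and move on.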

Examples:

MD5                               PATH                FILE NAME     FILE SIZE (bytes)
83890496EB018EA524E72CE18CD37209  %appdata%\ukhecy    REHEI.EXE     221,334
70AACDCEC7C9D35393CD9D382C8A0454  %appdata%\pawary    YVPULUV.EXE   217,222
ED098AB9A5E13D1B12BE816659C4172C  %appdata%\qaxuile   PAIDP.EXE     217,222
79776C5BE35DFC4089312D42EC70F903  %appdata%\hoydatem  SAAFIFV.EXE   217,222
25D00FC9F06E1720A7B4E4C9293D32AE  %appdata%\siuvmyw   PYRUOV.EXE    218,783
79776C5BE35DFC4089312D42EC70F903  %appdata%\zoobir    EQDUG.EXE     215,105

MD5                               PATH    FILE NAME                 FILE SIZE (bytes)  PC COUNT
A748FEB8EE581E2225CE7F983E364EC0  %temp%  JAVA_UPDATE_71972350.EXE  222,827            181
EC9FC4EE2AA75D0CD6E0490853F27B21  %temp%  JAVA_UPDATE_7bb116be.EXE  215,105            105
DB97134AFFDA00379CAF3FCD00BBFFFF  %temp%  JAVA_UPDATE_93D4FD64.EXE  216,678            231
4FCD4FD7D3D3A5D24EF663CE3419D7CC  %temp%  JAVA_UPDATE_0EEF9307.EXE  217,222            174
D4BC7886F04574E5628FD6BBFBB01C19  %temp%  JAVA_UPDATE_8C3C4799.EXE  218,873            134

In total, we have seen over 40k files and this is increasing every hour. Most of the files carry a vendor/company name that is close to the real one (shown below), and as the second table above shows, a number of the files are pretending to be Java updates.

BitKefender S.R.L. – 869 unique MD5s
BitNefender S.R.L. | BitNefender Antivirus Scanner – 19,305 unique MD5s
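One way to catch the spoofed vendor names above automatically: an added example (not the post's code) that computes the edit distance between a file's vendor/company string and a short list of legitimate vendors and reports near-misses, which is exactly what the BitKefender/BitNefender variants are. The legitimate form `BitDefender S.R.L.` and the other entries in KNOWN_VENDORS are assumptions for this example.

```python
"""Added example, not code from the Webroot post: flags vendor/company name
strings that are one or two edits away from a legitimate vendor. The entries
in KNOWN_VENDORS are assumptions for this example; use your own allow-list."""
from typing import List, Optional, Sequence, Tuple

KNOWN_VENDORS: Sequence[str] = (
    "BitDefender S.R.L.",       # assumed legitimate form of the spoofed name
    "Microsoft Corporation",
    "Oracle Corporation",
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) using two rows of memory."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def _normalize(name: str) -> str:
    """Case- and whitespace-insensitive comparison form."""
    return " ".join(name.lower().split())


def lookalike_vendor(name: str, known: Sequence[str] = KNOWN_VENDORS,
                     max_distance: int = 2) -> Optional[str]:
    """Return the legitimate vendor that `name` imitates, or None.

    An exact (normalized) match is legitimate and returns None; a string farther
    than max_distance from every known vendor is simply unknown and also returns
    None. Only near-misses are reported."""
    target = _normalize(name)
    best, best_distance = None, max_distance + 1
    for vendor in known:
        distance = levenshtein(target, _normalize(vendor))
        if distance == 0:
            return None
        if distance < best_distance:
            best, best_distance = vendor, distance
    return best


def flag_vendor_fields(field: str) -> List[Tuple[str, str]]:
    """Split a 'Company|Product' style field (the form used in the post's
    statistics) and return (spoofed string, imitated vendor) pairs."""
    hits = []
    for part in field.split("|"):
        part = part.strip()
        imitated = lookalike_vendor(part)
        if imitated:
            hits.append((part, imitated))
    return hits


if __name__ == "__main__":
    for sample in ("BitKefender S.R.L.", "BitNefender S.R.L.|BitNefender Antivirus Scanner",
                   "BitDefender S.R.L.", "Contoso Ltd."):
        print(sample, "->", flag_vendor_fields(sample))
```

A near-miss name is a lead, not a verdict. For an unsigned file it is about as strong a tell as you will get, but for a signed file the decision should rest on whether the Authenticode chain terminates at a trusted root and the subject really is the vendor, not on the string in the version resource, which any dropper can set to whatever it likes.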

Prevention and removal:

Given the infection route of this particular threat, it is advisable to keep Java fully patched (or to uninstall it if you don't need it) and to use a modern, secure browser with the latest Windows updates installed. The latest build of Firefox disables Java plugins by default, which should help stop this particular attack vector.

As mentioned earlier, this infection has also been seen spreading by email. It is advisable to use an email provider with good spam filtering; Google's and Microsoft's mail services are efficient at blocking these emails.

Always be alert to email attachments, even from friends/relatives, and especially to executable files inside a zip archive. Over the Christmas period we have also noticed a targeted attack in which malware authors used well known store names like Costco, Walmart, etc. in spoofed emails.

Since SecureAnywhere doesn't rely on traditional definitions, we can react instantly to this new Zeus trend. Webroot SecureAnywhere safely blocks this infection and, if installed on an already infected PC, removes it.

The post Zeus Infection Spoofing Bitdefender AV appeared first on Webroot Threat Blog.
