Archive for the ‘Botnets’ Category

New and Dangerous Zeus Variant hitting users Bank Accounts

Wednesday, August 11th, 2010

A new and dangerous variant of the Zeus trojan has been discovered that uses a complex, highly skilled methodology to empty victims' bank accounts.

Hitting primarily the UK during July, the new Zeus variant combines web exploits, a money mule network and a sophisticated back-end command-and-control system, and has stolen well over one million dollars from victims' bank accounts.

The new variant, dubbed Zeus version 3, now encrypts its communication with the command-and-control network via https. The initial exploits that infect users' systems are delivered through on-line advertising banners and legitimate websites that have been compromised.

Few anti-virus vendors are able to mitigate the attack, and most intrusion prevention systems will have a difficult time telling the Zeus command-and-control traffic apart from legitimate https traffic, because the encryption hides the payload from signature inspection. What remains visible is the connection metadata (destination address, port and timing), which is where blocking and detection have to happen.
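One way to act on that metadata, as an added example that is not code from the original post or from RiskAnalytics: a bot polls its controller on a schedule, so a host that opens connections to the same external address at near-constant intervals stands out even though nothing inside the TLS stream can be read. The flow records, their field layout and the thresholds below are this example's own assumptions (addresses are from documentation ranges).

```python
"""Beacon detection from connection metadata (added example, not from the original post).

TLS hides the payload of the Zeus C2 channel, but the records a proxy, firewall or
NetFlow sensor keeps (time, source, destination, port) are still visible. A host that
contacts the same external address at near-constant intervals is behaving like a bot
polling its controller. Record format and thresholds are assumptions for this example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: "epoch,src_ip,dst_ip,dst_port". 10.0.0.5 polls every ~300 s,
# 10.0.0.8 browses irregularly, 10.0.0.12 has too few connections to judge.
SAMPLE_FLOWS = """\
1281500000,10.0.0.5,203.0.113.7,443
1281500300,10.0.0.5,203.0.113.7,443
1281500601,10.0.0.5,203.0.113.7,443
1281500899,10.0.0.5,203.0.113.7,443
1281501200,10.0.0.5,203.0.113.7,443
1281501501,10.0.0.5,203.0.113.7,443
1281500010,10.0.0.8,198.51.100.20,443
1281500040,10.0.0.8,198.51.100.20,443
1281501900,10.0.0.8,198.51.100.20,443
1281502000,10.0.0.8,198.51.100.20,443
1281503000,10.0.0.8,198.51.100.20,443
1281504100,10.0.0.8,198.51.100.20,443
1281500100,10.0.0.12,203.0.113.7,443
1281500400,10.0.0.12,203.0.113.7,443
"""


def parse_flows(text):
    """Group connection timestamps by (src_ip, dst_ip, dst_port), sorted in time."""
    flows = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split(",")
        flows[(src, dst, int(port))].append(int(ts))
    return {key: sorted(stamps) for key, stamps in flows.items()}


def find_beacons(flows, min_connections=5, max_jitter=0.10):
    """Flag destinations contacted at near-constant intervals.

    jitter is the coefficient of variation of the gaps between connections: a bot
    polling every N seconds gives a value near zero, human browsing does not.
    Both thresholds are assumptions and need tuning per network.
    """
    hits = []
    for (src, dst, port), stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue  # everything in the same second is a burst, not a beacon
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            hits.append({"src_ip": src, "dst_ip": dst, "dst_port": port,
                         "connections": len(stamps), "period": period, "jitter": jitter})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print("beacon candidate: %(src_ip)s -> %(dst_ip)s:%(dst_port)d "
              "every %(period).0f s (jitter %(jitter).3f)" % hit)
```

Legitimate software updaters and monitoring agents beacon too, so a hit is a lead to be checked against an allowlist and the dynamic blacklist, not a verdict on its own.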

Once user systems are compromised and under the control of the cyber-criminals, a network of “money mules” is used to transfer the funds out of the victims' accounts. Money mules are recruited by cyber-criminals posing as legitimate businesses that pay a fee for transferring funds.

This combination of web-based exploits, encrypted command and control, and the theft of small amounts that stay under the radar of the banks' anti-fraud systems makes this operation extremely dangerous.

There are ways to protect systems and users against this attack.

RiskAnalytics Cyber-RiskTools can actively block Zeus command and control activity in real time and escalate information on compromised systems to administrators in real time.

http://www.riskanalytics.com/cyberrisk.htm

Microsoft confirms zero-day outbreak that can affect SCADA systems

Monday, July 19th, 2010

Microsoft has confirmed the presence of a zero-day vulnerability in Windows, following reports of sophisticated malware-based hacking attacks on industrial control systems that take advantage of the security flaw.

Security shortcomings in Windows shortcut (.lnk) files are being exploited by the Stuxnet rootkit, an information-stealing threat that targets industrial and power plant control systems. The malware – which has been detected in the wild – executes automatically when an infected USB stick is browsed in Windows Explorer.

All versions of Windows – including Win XP SP2, widely used despite the discontinuation of further security updates earlier this month – are vulnerable. Disabling Windows AutoPlay and AutoRun – the normal defense against malware on USB sticks – has no effect.

The vulnerability exists because Windows incorrectly parses shortcuts: to render the icon of a specially crafted shortcut, Explorer loads a library referenced from inside the shortcut, so merely displaying the folder that contains it is enough and no click is required. This vulnerability is most likely to be exploited through removable drives.
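A check a practitioner can run on a suspect USB stick, as an added example that is not code from the original post, from Microsoft or from RiskAnalytics: the malicious shortcuts carry a LinkTargetIDList in which an item for the Control Panel shell folder is followed by an item holding a file path, which is what Explorer loads to draw the icon. The scanner below parses only the header and the ID list (per the public MS-SHLLINK layout) and flags that combination. The two sample shortcuts are constructed here and are minimal, not byte-for-byte copies of any real file; a legitimate shortcut to a Control Panel item can also match, so a hit is a lead, not a verdict.

```python
"""Heuristic scan of .lnk files for the Control-Panel-item-plus-path pattern.

Added example, not from the original post. Parses the shortcut header and the
LinkTargetIDList only; everything else in the file is ignored. Samples are constructed.
"""
import os
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x00000001                              # LinkFlags bit 0
# Shell folder CLSIDs as stored on disk (Data1..Data3 little-endian, Data4 as-is).
CONTROL_PANEL_CLSID = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d")  # {21EC2020-3AEA-1069-A2DD-08002B30309D}
MY_COMPUTER_CLSID = bytes.fromhex("e04fd020ea3a6910a2d808002b30309d")    # {20D04FE0-3AEA-1069-A2D8-08002B30309D}
# Absolute Windows path (drive letter or UNC) inside decoded item text.
PATH_RE = re.compile(r'(?:[A-Za-z]:\\|\\\\)[^\x00"<>|*?]+')


def parse_id_list(data, offset):
    """Return the raw payload of each ItemID in the LinkTargetIDList starting at offset."""
    if offset + 2 > len(data):
        return []
    (id_list_size,) = struct.unpack_from("<H", data, offset)
    pos, end, items = offset + 2, offset + 2 + id_list_size, []
    while pos + 2 <= min(end, len(data)):
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size < 2:  # TerminalID (0) or a corrupt size: stop
            break
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def item_paths(item):
    """Absolute paths embedded in an item, whether stored as ASCII or UTF-16LE."""
    found = []
    for text in (item.decode("ascii", "ignore"), item.decode("utf-16-le", "ignore")):
        for path in PATH_RE.findall(text):
            if path not in found:
                found.append(path)
    return found


def scan_lnk(data):
    """Classify one shortcut; 'suspicious' = Control Panel item followed by an item carrying a path."""
    report = {"valid": False, "control_panel_item": False, "paths": [], "suspicious": False}
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        return report
    report["valid"] = True
    (flags,) = struct.unpack_from("<I", data, 0x14)
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return report
    seen_control_panel = False
    for item in parse_id_list(data, LNK_HEADER_SIZE):
        if CONTROL_PANEL_CLSID in item:
            seen_control_panel = True
            report["control_panel_item"] = True
        elif seen_control_panel:
            report["paths"].extend(p for p in item_paths(item) if p not in report["paths"])
    report["suspicious"] = seen_control_panel and bool(report["paths"])
    return report


def scan_tree(root):
    """Yield (path, report) for every suspicious .lnk under root, e.g. a mounted USB stick."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".lnk"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    report = scan_lnk(fh.read())
                if report["suspicious"]:
                    yield full, report


def build_lnk(items):
    """Assemble a minimal shortcut: header plus LinkTargetIDList (constructed test data only)."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # attributes, times, sizes left zero
    id_list = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list


# Constructed samples; the UNC path is illustrative and points at no real host.
SUSPECT_SAMPLE = build_lnk([
    b"\x1f\x50" + CONTROL_PANEL_CLSID,
    b"\x00\x00" + "\\\\192.0.2.10\\share\\loader.tmp".encode("utf-16-le") + b"\x00\x00",
])
BENIGN_SAMPLE = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID,
    b"\x32" + b"\x00" * 11 + b"NOTEPAD.EXE\x00",
])

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_lnk(sample))
```

Run scan_tree() against the mount point of a removable drive before anyone opens it in Explorer; a scan from a machine on which the icon handler has been disabled, as Microsoft's advisory recommends, is the safer place to do it.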

Additional information can be found on the Internet Storm Center site.

Is it possible to measure IT security success?

Friday, May 28th, 2010

It is a commonly held principle in many areas of business that if you can’t measure something “quantitatively”, it will be difficult to raise the quality objectively. The applicability of this statement to the world of IT security is clear. Without having some form of metrics in place, it is tough, if not impossible, to judge whether security is getting better over time. Indeed, it is probably fair to say that many organisations have only one way to assess security – namely, “did anything go wrong” – but this is hardly a metric for the forward-looking.

Meanwhile, of course, the drivers for proactively monitoring ‘security’ and the associated effectiveness of security solutions are becoming increasingly high-profile. Regulatory pressures on organisations to secure their operations are more explicit than in the past, while customers and shareholders are less prepared to tolerate IT security breaches. The continuing spread of legislation dictating that organisations actively notify affected parties when data is potentially lost or at risk is certain to add to the pressure to demonstrate that security measures are properly established.

This is exactly what RiskAnalytics Cyber Risk Tools does. It monitors and defends in real time, but also offers a wealth of quantifiable information on exactly which way IT security is headed in an organization. Is it getting better or worse? More importantly from a productivity standpoint, the system tells you which areas represent the largest risk to the organization, so IT can focus its efforts on cleaning up those issues first.

Many clients swore their network was clean when they started with us; in reality, most were massively infected with malware, and employees often engaged in electronic policy violations that can lead to information leakage.

CRT will alert in real time to security and policy issues that face an organization. Over time, the combination of real time alerting of events, shunning malware and addressing user policy issues will lead to a measurable reduction in security issues.

PC malware targeting iTunes, iPad users

Monday, April 26th, 2010

Here’s a cute trick. Some PC owners are getting emails alerting them to a new version of iTunes that has been updated “…for best iPad performance, newer features and security.”

The email provides a link, asking recipients to download a “new” version of iTunes. You see where this is going, of course. Those who follow through actually download a counterfeit version of iTunes which contains malicious code that opens up a backdoor allowing unauthorized access to a PC.

The code, called Backdoor.Bifrose.AADY, attempts to read the keys and serial numbers of the various software installed on the affected computer. It also logs the victim’s ICQ, Messenger and POP3 mail account password plus protected storage login.

Mac owners can rest easy: this malware only affects Windows PCs.

Microsoft bypasses kernel update on rootkit-infected machines

Friday, April 16th, 2010

Microsoft’s latest batch of patches contains a kernel update designed not to install on machines infected with a rootkit. This underlines the point that a machine that never gets infected in the first place is the best policy.

The move is designed to prevent the confusion that occurred when one of the patches released in February resulted in a Blue Screen of Death and continuous reboot cycles on some Windows XP machines.

Microsoft copped a fair bit of criticism for the incident before the cause was pinned down to the interaction between the hard-to-detect TDSS rootkit and a Windows kernel security update. Rootkits are a type of malware that attempt to avoid detection by anti-virus scanners by burying themselves in the likes of Windows kernel code.

Redmond’s April patch batch also contains a Windows kernel patch. In an effort to prevent the same snafu as February, Microsoft is using technology designed to prevent the update from installing onto malware-compromised machines.

RiskAnalytics monitoring and network defense products are designed to prevent workstations from getting infected in the first place, through a combination of real-time monitoring and bi-directional shunning of aggressor IP addresses.

Drive-by Java execution attack

Wednesday, April 14th, 2010

A popular song lyrics website has been found serving attack code that tries to exploit a critical vulnerability in Oracle’s Java virtual machine, which is installed on hundreds of millions of computers worldwide.

The site, songlyrics.com, is serving JavaScript that invokes the weakness disclosed last week by security researcher Tavis Ormandy. After determining that the bug made it trivial for attackers to remotely execute malicious code on end-user machines, he said he alerted Java handlers inside Oracle’s Sun division, but they decided no patch was necessary outside of the next update release scheduled for July.

Songlyrics.com reaches out to another domain, assetmancomjobs.com, for a malicious JAR, or Java Archive. This site was most likely compromised by SQL injection.

The bug is in the Java Deployment Toolkit browser plug-in, which passes attacker-controlled command-line arguments to the Java Web Start launcher; it has been confirmed exploitable on all recent versions of Windows.

The ease with which attackers can exploit the bug, using a website that silently passes malicious commands to Java components, combined with the lack of a patch, should concern most users. The vulnerability has existed since October 2008, when Sun introduced the Deployment Toolkit in Java 6 Update 10.

Having a comprehensive system in place to monitor and block attacks like these is key. RiskAnalytics Cyber Risk Tools can accomplish that very thing.

Energizer Site Malware highlights the risks in trusting others to vet their site

Tuesday, March 23rd, 2010

Energizer site still plagued by data-stealing trojan

The maker of Energizer brand batteries is continuing to serve its customers a file laced with a data-stealing trojan more than 24 hours after the company was notified of the threat and almost two weeks after it promised to fix the problem.

That means that 13 days after a contrite-sounding Energizer Holdings pledged to purge the trojan from its offerings, the company was continuing to distribute the file. And even after the oversight was communicated personally to a company representative and in a published report, the company still hadn’t removed the file.

This highlights the fallacy of relying on whitelisting products such as Websense or Blue Coat as an end-all-be-all protection scheme for workstations. You are basically trusting the operators of approved sites to know what they are doing and to keep their sites free of injected code (via SQL injection or otherwise) that redirects to, or directly downloads, malware onto a user’s workstation.

RiskAnalytics CRT is a multi-layer system that fights bots with robotic software. It combines dynamic blacklisting of over 2.5 million hostile IP addresses with passive network monitoring and a real-time escalation engine. In combination, malware redirects are identified, shunned and alerted on before they have a chance to compromise important electronic information.

Banner Ad Re-Direct Attacks

Wednesday, March 3rd, 2010

Independent security researchers have found that an on-going ad-site botnet redirect attack has taken a turn for the worse over the past two months.

This has been going on for at least two months. It’s only recently that the effectiveness has jumped because they’re getting the injected ads displayed on popular websites.

Here’s a quick rundown on how it works.

You visit msnbc, foxsports, mtv.net or Yahoo mail, and an ad banner silently redirects your browser to a site named along the lines of google.analytics.com.randomcharacters.info. That google….info site attacks you with exploits for Windows, Java, Flash, PDF readers and so on (basically the kitchen sink).

If you are vulnerable, you succumb to the attack and get one or more of the following installed: Torpig, Tidserv, Gozi, FakeAV, Hiloti or Bredolab.

This really highlights the need for some form of dynamic blacklisting of known hostile addresses. Malware Domains hosts Blackhole DNS, which blacklists by domain name rather than by IP address. Equally important: keep systems patched, and do not do business banking from a Windows machine; boot a live Linux disk for it instead.
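How domain-name blacklisting and the lookalike pattern above fit together, as an added example that is not code from the original post, from Malware Domains or from RiskAnalytics: the redirect hostnames put a familiar brand in the leftmost labels (google.analytics.com.<random>.info) while the registrable domain, the only part the attacker has to own, is something else. A DNS sinkhole such as Blackhole DNS matches on the registrable domain; the same label parsing also flags lookalikes that are not on any list yet. The query lines, blocklist, brand table, sinkhole address and two-part suffix set below are constructed for this example (a real deployment would use the Public Suffix List).

```python
"""Domain blocklisting and lookalike detection over DNS query logs (added example).

Not from the original post. Blocklist, brand table, suffix set and log lines are
constructed here; a production resolver would take its lists from a feed such as
Malware Domains and its suffix rules from the Public Suffix List.
"""
import re

# Constructed query log, one "epoch client qname" per line, as a resolver might write it.
SAMPLE_QUERIES = """\
1267600000 10.0.0.5 www.msnbc.com
1267600001 10.0.0.5 google.analytics.com.x7k2q9.info
1267600002 10.0.0.5 cdn.evil-example.info
1267600003 10.0.0.9 mail.yahoo.com
1267600004 10.0.0.9 ssl.google-analytics.com
1267600005 10.0.0.9 secure-paypal.co.uk.login-check.net
"""

BLOCKLIST = {"evil-example.info", "kitchen-sink.example.net"}  # assumption: sinkholed names
TWO_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}                 # assumption: tiny PSL stand-in
BRANDS = {                                                       # brand label -> legitimate registrable domains
    "google": {"google.com", "google-analytics.com"},
    "yahoo": {"yahoo.com"},
    "paypal": {"paypal.com"},
    "msnbc": {"msnbc.com"},
}


def labels_of(host):
    return host.lower().rstrip(".").split(".")


def registrable_domain(host):
    """Owner-controlled part of a name: last two labels, or three under a known two-part suffix."""
    labels = labels_of(host)
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_blocked(host):
    """True if the name or any parent of it is listed (cdn.evil-example.info -> evil-example.info)."""
    labels = labels_of(host)
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def sinkhole_answer(qname, sinkhole_ip="10.255.255.1"):
    """What a blackhole resolver returns: its own address for listed names, None to resolve normally."""
    return sinkhole_ip if is_blocked(qname) else None


def classify(host):
    """Return 'blocked', 'lookalike' or 'ok' for one queried name."""
    if is_blocked(host):
        return "blocked"
    reg = registrable_domain(host)
    for label in labels_of(host):
        for part in re.split(r"[-_]", label):  # 'secure-paypal' -> 'secure', 'paypal'
            if part in BRANDS and reg not in BRANDS[part]:
                return "lookalike"  # brand named, but a stranger owns the domain
    return "ok"


def triage(log_text):
    """Parse the query log and attach a verdict and the registrable domain to every query."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        results.append({"ts": int(ts), "client": client, "qname": qname,
                        "registrable": registrable_domain(qname), "verdict": classify(qname)})
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_QUERIES):
        print("%(client)s %(qname)s -> %(verdict)s (%(registrable)s)" % row)
```

The 'blocked' verdict is where a sinkhole answers with its own address; 'lookalike' is the feed for the next blocklist update and for alerting on the client that asked.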

Ongoing Botnet Penetration: 2500 companies and counting

Friday, February 19th, 2010

Large scale botnet penetrations continue to make the news. This really highlights the fact that what the mainstream security industry is offering is not working. Botnet infestations can easily be defeated by passive monitoring and a dynamic blacklist, components included in Cyber RiskTools.

Criminal hackers have penetrated the networks of almost 2,500 companies and government agencies in a coordinated campaign that began 18 months ago and continues to steal email passwords, login credentials, and other sensitive data to this day, a computer security company said.

The infections by a variant of the Zeus botnet began in late 2008 and have turned more than 74,000 PCs into remote spying platforms that have siphoned highly proprietary information out of at least 10 federal agencies and thousands of companies, according to research from NetWitness, a Herndon, Virginia-based network forensics firm. Many of the victims are Fortune 500 firms in the financial, energy, and high technology industries.

Company researchers have already reported the attacks to federal authorities and are in the process of notifying individual victims.

Adobe Exploits

Friday, February 19th, 2010

In response to two critical vulnerabilities in Acrobat and Adobe Reader 9.3, this week Adobe released the 9.3.1 update for both applications; users of the older 8.x versions can update to 8.2.1 to resolve the security issues. One of the two vulnerabilities addressed would allow a malicious PDF to make unauthorized cross-domain requests; the other could crash the PDF application and possibly allow an attacker to gain access to other parts of the system.

The first flaw is related to a Flash Player issue that was revealed last week; if you have not updated Flash to the latest version (10.0.45.2 as of this moment) and you aren’t blocking Flash, you should go get the latest build right away. Although you can configure auto-update notifications in Flash Player, it’s not clear if Mac OS X clients are consistently getting these reminders to update.

Adobe has seen a surge in application exploits against their software applications.