“Warning!!! Your computer contains various signs of viruses and malware programs. Your system requires immediate anti virus check. Click to perform a quick and free scan of your PC”

You have? Well you’re not alone.
 
I want to share with you some research carried out by one of my colleagues in TrendLabs, Bob McArdle. I can’t mention any names for fear of prejudicing ongoing investigations, but to be honest the names are irrelevant as they change so often anyway. Over the course of a year one criminal gang, let’s just call them Company X, made over $180 million US dollars by selling malware to their victims in at least 30 different countries around the globe.
 
You would be forgiven for asking why people would pay for malicious software and the answer is of course, they had no idea it was malicious in the first place.
 
The gang creates very convincing looking fake security programs designed to fool the victim into believing that their computer is badly infected. These scareware programs are then distributed by creating web pages designed to rank very highly in search engine results for popular current search terms or newsworthy events. As soon as the malicious search result is clicked a pop-up message like the above appears and the infection chain begins.
 
Here is a video of one such scam in action related to this incident I blogged about a while ago.
 

 
So how did they make so much money? Well firstly while the scan on offer might be free, the bogus results always show the machine to be very badly infected when in fact no scan at all has taken place. The worried user is then prompted to pay for the full version of the “security” software so that the non-existent malware can be cleaned up. So now, you have given your credit card details to criminals, downloaded malware onto your PC and paid somewhere between $50 – $100 US dollars for the privilege. This game is a volume one – if the gang can redirect 100,000 searches and only 1% of them pay for the product – they net $50,000 US for a day’s work.
 
The second part of the business model involves these machines that the criminals have now infected. As the infected user surfs the web, the malicious software quietly replaces all of the ads the user sees with ads belonging to one of the gang’s affiliates, most often pushing fake pharmaceuticals and the like. The gang get a kickback of two or three cents every single time an advertisement is replaced. Logs from one of the gang’s servers showed about a million ads replaced per day, netting them another $25,000 US per day, and this was only one of the gang’s botnets. So that’s $25K per botnet, per day.
 
The third part of Company X’s business model revolved around customer support strangely enough. Company X’s biggest problem of course, was credit card refunds. Customers who realised that they had been scammed would contact their card provider demanding a refund. After a while the credit card provider would refuse to do business with Company X and Company X would need to create another fake subsidiary company, complete with Fake IDs for all of their directors. To combat this, these criminals decided to invest heavily in call centres – setting up call centres in the US, Asia and Eastern Europe.
 
You see the Rogue AV would regularly ask the users to update their version, paying a small fee to do so – and would annoy the user with pop-ups until they did so. A lot of customers complied, however others rang the support line demanding the product be fixed. Each Rogue AV had a couple of settings that could be altered so that the users would never be prompted for updates again – the staff at the call centres simply stepped the users through to this point, all for the modest fee of $20 for the phone call.
 
Think before you click, not all security software is created equal.

A colleague of mine, Noriaki Hayashi, brought my attention to an interesting Trojan that has begun circulating in Japan. The malware is aimed at extorting money from its embarrassed victims and here’s how it works.
 
The victims are initially hooked when they download what they believe to be illegal copies of games from file sharing networks, in most cases the malware is masquerading  as illegal copies of ”over 18″ hentai-themed games such as the below
 

Example of legitimate Japanese game from Abel Software

Once the installer is launched it brings up a form requiring the user to enter personal information including their full name, date of birth, game password, email address, postal address, gender, annual income, company name and telephone number along with a few other things for good measure.
 
While all this is going on, the malware is also automatically collecting details about the victim’s computer including user account, domain and computer name, OS version information, clipboard content, file use history and Internet Explorer favourites. It also grabs a few screen shots just in case they don’t already have enough dirt.
 

Trojanised installer collecting information

 
Could it be that once a victim has shown themselves to be extortion-friendly they will get hit with yet another “copyright infringement” notice from Romancing Inc? Japanese copyright law was strengthened this year largely in an attempt to address the problem of illegal downloading
 
This is certainly another illustration of why, in the long run, you may well be better off paying up front for your downloads and steering clear of file-sharing networks.

“Hacked all Windows version 9x to 7 32 bit and 64 bit
Hacked all browsers running a vulnerable plug-in”

Using the built in TDS (Traffic Direction System) criminals can specify which malware they want to push out by country, by browser and by OS. It is clearly designed to support the inter-related vendor infrastructure of the criminal economy. YES Exploit System is a fully fledged platform for delivering malware on behalf of other criminal enterprises, perhaps to seed a new ZeuS campaign or maybe to push out some scareware. As previous blog posts have shown YES is often bundled into full service underground ZeuS offerings. As you can see from the screen shot below, projects can be divided on a per-customer basis.
 

click to enlarge

click to enlarge

“This service is about to help you in anonymous check of different anti-virus system. This check will be made by numbers of anti-virus system and no reports will be send to developers of this anti-virus system. You can be fully sure that your files will not be send to anti-virus databases. All reporting system in our version of anti-virus engines was disabled MicrosoftSpyNet, ESET ThreatSense.Net Early Warning System etc.

Updates of all anti-viruses made each hour, most of main anti-virus system made updates in real-time.

We give you maximum speed of scanning, 10 files will be scanned by all anti-virus system starting from 30 second.

We support periodic checks. You need to select amount of time that check will be happened, and select method system will contact you after found something suspicious.”

  
Unfortunately it’s true that as soon as you build a better mousetrap, some rat comes along and eats all the cheese.

“Seemingly there is no reason for these extraordinary intergalactical upsets. Only Dr Hans Zarkov formerly at NASA has provided any explanation”*

Stories in the press recently have been aghast at the scale of a “new” botnet called Kneber. According to a report from NetWitness one particular botnet that uses the ZeuS crimeware has successfully infiltrated thousands of corporations and tens of thousands of computers. This is of course terrible news for the companies affected and certainly many corporate security lessons can be learned from experiences such as this.

What is important to point out though is that there is nothing at all that is “new” or “unprecedented” about a botnet using ZeuS or a botnet of this size, ZeuS (or ZBot) has been around since at least 2007. In the online underground ZeuS is the equivalent of commodity crimeware. It is openly traded in online forums both as a software product and as preinfected botnets. Increasingly providers are finding that they must bundle services with their criminal offering, or Crimeware as a Service.

Screen shot from underground forum

Older versions of the software are downloadable free of charge, though these are often backdoored by other criminals. There is no honour among thieves. In fact botnets are in such plentiful supply that the price of preinfected machines is surprisingly low.
 

175 thousand bots for sale... globally.

Of course if you don’t have the means or the desire to run your own botnet, you can always simply buy the output…

I'm a lumberjack and I'm OK. Logs for sale.

A quick look at ZeuS Tracker shows they are tracking almost 1300 command & control servers for various ZeuS botnets of which about half are online right now. They show the average binary detection rate (how your antivirus products detects using pattern files or signatures) is as low as 49.62% which goes some way towards explaining the successful infection rate.
 
It is widely known that malware writers and other criminals have already worked out how to overcome traditional anti-malware protection that relies on pattern or signature updates. They simply roll their code as often as possible, estimates say that we are currently seeing a unique malicious binary every 1.5 seconds.
 
So here’s corporate security lesson number one from this recent publicity…
 
Make sure your anti-malware solution is not relying simply on the infection layer “what the file looks like“; make sure that it is also investigating the exposure layer, “where the file comes from and who the file reports back to“. If ZeuS Tracker knows where the bad guy servers are, so should every one of your endpoints. At that point, what the actual binary looks like becomes a secondary issue.

 
By the way here is a free tool to check if you are a part of a bot network.
 
* With apologies to Roger Miller and Queen

Mail from Willie Hickey

“Hey, some jerk has posted your pictures (u understand what kind of pictures are there) and sent a link of them to all ur friends. I have already replied back. Said, that he is an idiot. See the link:”.

 
This little piece of social engineering is obviously designed to arouse fear and doubt in the recipient; “Oh no, not those photos, the zookeeper promised he would destroy the negatives.”
 

 

The sites were registered with .co.uk domain names so as to appear more credible and attractive to UK based buyers, even though in many cases both the sites and the domain registrations themselves were outside the UK. Obviously people tempted into buying from these shops risked not only receiving sub-standard goods with no chance of recompense, but also having their financial details or identities stolen, abused and/or traded on the underground economy. So before I go on, let me make it clear that despite my reservations about its effectiveness, I applaud and support this initiative by UK law enforcement (I’m sure they’ll be relieved to hear that).

 

But (and you knew there was going to be a “but”) this represents at best a stopgap measure and at worst a simple waste of time. The root cause remains unaddressed and I fully expect these same sites to reappear under different names in the very near future. The sites themselves have not been “taken down” at all as far as I can tell. What has happened is that Nominet, the body responsible for the .uk top-level domain has simply broken the link between the domain name and the server the site is based on. What does that mean? It means when you type www.globalugg.co.uk into your browser it doesn’t go anywhere anymore.

 

If it was your criminal operation, what would you do? You’d register another domain name of course!

 

Here are the current details for a dodgy looking site, notice the Registration status is SUSPENDED, perhaps this was one of those 1200 sites.

WHOIS query for globalugg.co.uk

 

 

There are a few other interesting bits to this registration though, look at the Registrant’s address, how can they be a “UK individual”? Notice too that the domain was not even registered in the UK, the Registrar is eNom Inc. a (totally legitimate) US-based registrar. The Name servers responsible for this domain belong to US Web Hosting, another totally above board US provider. So we have a scammer with a Chinese address, registering a .co.uk domain with an American registrar and hosting their server with another US outfit.

 

To bring my whole scam back to life all I have to do is register a new domain and point it to the same server as before, maybe just for variety’s sake this time with a Ukrainian registrar, just like this:

Domain availability through Ukranian Registrar Imena

 

 

And that is the real issue, far too many DNS domains, including .co.uk and those of many other countries, are operated as “open” domains and in the words of Nominet:

“We do not impose restrictions on your status as applicant for the registration of a Domain Name in the following SLDs (“Open SLDs”):

   1. 4.4.1 .co.uk; or

   2. 4.4.2 .org.uk.

In the SLD Charter of the SLD Rules for the Open SLDs we do set out certain intentions regarding the class of applicant or use of registrations of the Domain Name which we assume you will comply with when applying for a registration of a Domain Name within an Open SLD. However, we do not forbid applications, and will take no action in respect of registrations that do not comply with the SLD Charters“

 

Until regulation is tightened and international cooperation is improved then well-intentioned initiatives like Operation Papworth will be um, micturating in the tempest.

 

Credit card details for sale on underground forum

 

 

In a statement released today, the Zentraler Kreditausschuss (Central Credit Committee) explained that German banks were acting in response to a warning issued by Visa and Mastercard over a potential data theft at a Spanish company. The Spanish company in question has not yet been identified as it is the subject of police investigations but it is widely believed to be a payment processing company responsible for dealing with payments made in Spain using credit cards issued in foreign countries.

 

In what is being described as a “primarily preventative measure” many German banks have begun cancelling more than 100,000 credit cards, notifying the card holders and issuing replacements. The mass replacement of cards is not restricted to Germany; banks in Austria Sweden and Finland have also begun to reissue credit cards according to reports.

 

Ralf Palm, a spokesman for Postbank in Germany, noted that their customers and the bank itself had already noted “irregularities” seeming to demonstrate that the stolen or leaked information is already circulating in underground carding circles.

 

What remains unclear is the extent of the data theft. How many people have been affected and exactly what information other than card details has been stolen? In a further indication of the Europe-wide scale of the problem, the BBC reports that “UK customers will be contacted directly if they are thought to be at risk.”

 

Despite the sketchy details so far available the data theft bears uncomfortable similarities to the Heartland Payment Systems breach in the US which was eventually responsible for exposing the details of more than 130 million credit and debit card accounts.

 

If you have used any plastic in Spain in recent months prepare yourself to learn a new PIN number or two. It may be worth revisiting your credit card and bank statements and keeping a close eye on any future statements. Of course you should contact your bank or financial institution immediately if you notice any suspicious activity on your accounts.

 

The focus of the event this year is on the problems posed to individuals through  the mule recruitment campaigns that are unknowingly responsible for funneling £39,000,000 over the past 6 months into the accounts of criminals. A recent post on Countermeasures illustrated the effectiveness of this technique.

 

One of the presentations came from Andy Auld, the Intelligence Manager at the Serious Organised Crime Agency (SOCA) e-crime unit. Andy described law enforcement operations as being “locked in an arms race” with organised online crime and pointed to three specific factors that were driving and facilitating online crime. According to SOCA, these factors are; the increasing technical sophistication of attacks, huge improvements in sustaining the infrastructure, (such as the call centres operated by Fake AV scareware companies to reassure their victims that their malicious junk is genuine or the “bullet proof hosting” services offered to cybercrime) and cleverer social engineering techniques used to punt the attacks.

 

I have previously posted about the kinds of telephone and voice-based services being offered in the underground economy and it’s true that this is a growth market. I have even seen seasoned fraudsters complaining that internet banking fraud is becoming “too much trouble” and that the future potential was in telephone-based fraud. So SOCA are right to be concerned about this increasing sophistication.

 

Bullet proof hosting (where the company who provide hardware and internet connectivity to criminal operations) has been big business for a while now. While some bigger names such as McColo and Intercage get taken offline, there is always a host of smaller players waiting to fill the void as in this underground advertisement.

Advertisement from underground forum

Spam email from Zeus bot

 

 

 

The link in the mail leads to a standard fake MySpace login page, so of course your account details are stolen. Once you have “logged in” though, the supposed “MySpace Update Tool” is waiting to trick the unwary into installing their very own variant of the ZeuS agent. We detect this as TSPY_ZBOT.SMP, the Smart Protection Network also blocks the email spam and web addresses associated with this campaign.

Download page for the ZeuS agent

“Does not create suspicion on the presence if you it do not want. Here is available in view of that like to do many authors spyware: an unloading firewalls, antiviruses, an interdiction for their updating, blocking Ctrl+Alt+Del etc.Separate file of a configuration that allows to protect itself from loss botnet in cases of inaccessibility of the preferred server. Plus additional (reserve) files of a configuration to which the bot will address when the basic file of a configuration will not be accessible. This system guarantees a survival of yours botnet in 90 % cases.

Interception of POST-data + interception of the pressed keys (including inserted data from a clipboard).

Transparent URL-redirect (on fake-sites etc.) with the task of the elementary conditions of a redirect (for example: only at GET or POST inquiry, at presence or absence of certain data in POST-inquiry).

Transparent HTTP (S) contents substitution (the Web-inject which allows to substitute not only HTML pages, but also any other type of data). Substitution is set by means of instructions of masks of substitution.

Adjusted TAN-grabber for any countries.

The IDEAL DECISION FOR VIRTUAL KEYBOARDS: After calling on necessary URL, there is a reception of a screenshot in the field of the screen where the left button of the mouse has been pressed.

Reception of certificates from storehouse “MY” (certificates with a mark “not exported” are not exported correctly) and its clearing. After it any imported certificate will be saved on a server.

Interception of a login/password of reports POP3 and FTP in independence of port and its record to logs only at successful authorisation.

Change local DNS, removal/addition of file recording %system32 %\drivers\etc\hosts, i.e. comparison of the specified domain with specified IP for WinSocket.

Reception of a screenshot from the computer of a victim in real time, the computer should is out of NAT.

Reception of commands from a server part and report sending back about successful performance. (Now start of a local/removed file, immediate updating of a file of a configuration, OS destruction).

Socks4-server.

HTTP (S) a PROXY-server.“

My favourite part of this particular readme though has to be this:

“Record just visited pages at the first start on the computer. It is useful at installation through sploits if you buy loadings from suspicious service, it is possible to learn that is loaded more in parallel.“

 

Basically as a budding cybercriminal it’s tough to find partners you can trust. So if the person you paid to load your bot up on their boobytrapped web page decides they will send their own little package to your victims as well, you’ll know about it.

 

This particular vendor is offering a fully installed, configured and supported ZeuS installation; control panel, agent builder and injection scripts  for just $320 (USD).