“Hacked all Windows version 9x to 7 32 bit and 64 bit
Hacked all browsers running a vulnerable plug-in”

Using the built in TDS (Traffic Direction System) criminals can specify which malware they want to push out by country, by browser and by OS. It is clearly designed to support the inter-related vendor infrastructure of the criminal economy. YES Exploit System is a fully fledged platform for delivering malware on behalf of other criminal enterprises, perhaps to seed a new ZeuS campaign or maybe to push out some scareware. As previous blog posts have shown YES is often bundled into full service underground ZeuS offerings. As you can see from the screen shot below, projects can be divided on a per-customer basis.
 

click to enlarge

click to enlarge

“This service is about to help you in anonymous check of different anti-virus system. This check will be made by numbers of anti-virus system and no reports will be send to developers of this anti-virus system. You can be fully sure that your files will not be send to anti-virus databases. All reporting system in our version of anti-virus engines was disabled MicrosoftSpyNet, ESET ThreatSense.Net Early Warning System etc.

Updates of all anti-viruses made each hour, most of main anti-virus system made updates in real-time.

We give you maximum speed of scanning, 10 files will be scanned by all anti-virus system starting from 30 second.

We support periodic checks. You need to select amount of time that check will be happened, and select method system will contact you after found something suspicious.”

  
Unfortunately it’s true that as soon as you build a better mousetrap, some rat comes along and eats all the cheese.

Facebook Page Suggestion

  
 
Gold Membership Trolling has been doing the rounds for a few years now, it started in 2007 as a prank aimed at users of the 4chan image board. Bogus images were posted that supposedly only “Gold Members”  could view. This was a troll to fool people into believing that paying for an upgraded account was necessary.
 

4chan Gold Account from whatport80.com

Bogus Facebook Gold Account page

   
I have been biting my tongue (or my fingers) trying not to mention the terrible spelling error in the page title, but there it is, that’s a clue. Also if you were to examine the list of “comments” on the right you would notice that they are not comments at all, rather an image file which itself also links to the scam web page.
   
So what’s the point for the scammer? Well if you follow all the instructions, first you invite all your friends to come and check out this (cough) great deal. Then, if you are credulous enough to click the button, you are informed that in order to access the Account Upgrade page you must complete “1 quick, free survey”, different versions of the scam page offer different surveys, but this is where the money is made.
   
The survey I tested linked (via a couple of affiliate marketing services) to a “Werewolf vs Vampire” quiz which promised to tell me which I am (surely I should know that already?) at the end of the ten questions I am invited to enter my mobile phone number to receive my results. If I do that I am agreeing to pay a £9.00 joining fee followed by £9.00 every week until I cancel my membership via SMS.
   
Of course the terms and condtions are displayed on the page, but to say that I arrived at the quiz under false pretenses would be understatement to say the least. The scammer will almost certainly be receiving a commission for every activation they drive to the quiz site. There are currently over 50 different versions of this particular page on Facebook, with a total of over 1,000,000 fans! I have informed Facebook and I’m sure they are removing the content as we speak.
   
Top tips to avoid this kind of scam; before you forward anything to any of your friends or contacts, research it. You may be in time to save yourself but your Aunt Petunia may not be so clued-up.
   
Never give up your mobile phone number to receive the results of an online quiz or survey, if they can’t show you in a web page, it’s not worth seeing.
   
Don’t believe any tales about Facebook functionality being added/taken away/made chargeable unless you hear it from Facebook themselves. Criminals are obviously aware of the huge popularity of Facebook and are using it to their advantage.

“Seemingly there is no reason for these extraordinary intergalactical upsets. Only Dr Hans Zarkov formerly at NASA has provided any explanation”*

Stories in the press recently have been aghast at the scale of a “new” botnet called Kneber. According to a report from NetWitness one particular botnet that uses the ZeuS crimeware has successfully infiltrated thousands of corporations and tens of thousands of computers. This is of course terrible news for the companies affected and certainly many corporate security lessons can be learned from experiences such as this.

What is important to point out though is that there is nothing at all that is “new” or “unprecedented” about a botnet using ZeuS or a botnet of this size, ZeuS (or ZBot) has been around since at least 2007. In the online underground ZeuS is the equivalent of commodity crimeware. It is openly traded in online forums both as a software product and as preinfected botnets. Increasingly providers are finding that they must bundle services with their criminal offering, or Crimeware as a Service.

Screen shot from underground forum

Older versions of the software are downloadable free of charge, though these are often backdoored by other criminals. There is no honour among thieves. In fact botnets are in such plentiful supply that the price of preinfected machines is surprisingly low.
 

175 thousand bots for sale... globally.

Of course if you don’t have the means or the desire to run your own botnet, you can always simply buy the output…

I'm a lumberjack and I'm OK. Logs for sale.

A quick look at ZeuS Tracker shows they are tracking almost 1300 command & control servers for various ZeuS botnets of which about half are online right now. They show the average binary detection rate (how your antivirus products detects using pattern files or signatures) is as low as 49.62% which goes some way towards explaining the successful infection rate.
 
It is widely known that malware writers and other criminals have already worked out how to overcome traditional anti-malware protection that relies on pattern or signature updates. They simply roll their code as often as possible, estimates say that we are currently seeing a unique malicious binary every 1.5 seconds.
 
So here’s corporate security lesson number one from this recent publicity…
 
Make sure your anti-malware solution is not relying simply on the infection layer “what the file looks like“; make sure that it is also investigating the exposure layer, “where the file comes from and who the file reports back to“. If ZeuS Tracker knows where the bad guy servers are, so should every one of your endpoints. At that point, what the actual binary looks like becomes a secondary issue.

 
By the way here is a free tool to check if you are a part of a bot network.
 
* With apologies to Roger Miller and Queen

MP David Wright tweets

“#ivenevervotedtory because you can put lipstick on a scum-sucking pig, but it’s still a scum-sucking pig.”

The tweet was joining in with the Twitter meme responding to the latest Tory poster campaign which features the tag line “I have never voted Tory before but…”. However the turn of phrase has hit a raw nerve among many Twitter users, prompting the MP to delete the offensive tweet and apologise.
  

TrippyPip talks to David Wright MP

MP David Wright tweets

Twitter Grader home page

  
UPDATE: You will see in the comments on this post an update from HubSpot with a link to their blog explaining the incident, I know a lot of folks don’t read the comments, so here it is in full.

“We are very sorry for the mistake. It is completely our fault. As your article mentions, we have contained the situation and stopped the malicious tweets.

We do want to make clear that by design, the HubSpot software applications are on different servers and systems from our free Grader.com tools. This attack did NOT affect the HubSpot software used by our 2,100 customers. Again, there is no impact on our paid product or paying customers.

We have posted an article on our company blog with more information:

http://www.hubspot.com/blog/bid/5594/One-Lesson-From-The-Twitter-Grader-Screw-up-OAuth-Rocks

- Mike Volpe
HubSpot (makers of Twitter Grader)”

…and that, ladies and gents, is an object lesson in how to deal with an event like this. Much respect to HubSpot.

 
__________________________________________________________________________________________

In what looks like another compromise related to Twitter services, a large number of Twitter users who have granted access to their accounts to the web service Twitter.Grader.com have all begun tweeting a bizarre and unauthorised message.
 

One of the reasons for this apparent contradiction must surely lie with the language itself, and not the technology. We already know that the term “cloud” when applied to technology has a different meaning to everyone who uses it and everyone who hears it. Hell, the term “cloud” when applied to clouds has a multitude of possibilities! The truth is though the same is true of the term “security”.
  

If you talk to a sysadmin, a network admin, a coder, a hacker, a security guard, a facilities manager or a three star general about security then once again they will each have their own understanding of the definition, the aims and the means of achieving that elusive “security”. If you ask a C-level executive what security means, especially in the context of cloud, then they will have a different understanding again.
 
To an executive, security is all about control and accountability. Data and the management of data are the asset and the task that are currently mostly considered for delegation to cloud providers. Today’s legislation places a burden and corresponding sanctions on corporate executives to ensure that the data which they hold is stored and processed in a secure manner. Future legislation promises to extend this burden of accountability and the penalties for non-compliance can be severe, stretching, if you’ll pardon the pun, to even to jail-time.
  

When your most precious assets are tucked up tight in your own data centre, handled by your own employees on physical systems that you can secure discretely then creating an audit trail and accountability is far simpler. The control remains with the data owner. In the cloud environment as it currently stands, much of this control is outsourced, but none of the accountability.
  

Virtualisation, multi-tenancy and storage area-networks are the technological engines powering cloud services. The rapid provisioning of virtual machines across highly-scalable, highly available infrastructure gives cloud providers the economic advantage that is their business promise. Cloud customers need to be secure in the knowledge that they retain control over the secure perimeter of their virtual machine and that it is not dependent on any configuration at the provider end. Cloud customers need to know that their data is sufficiently encrypted in the SAN that it cannot be accessed or used by anyone other than those who hold the keys and that the keys are not held by the cloud provider.
  

In order to increase the acceptability of cloud to the enterprise executive, we need to design tools that ensure control over the security of key underlying technologies. It is only when a CIO has control that they can reasonably be expected to accept accountability.

Mail from Willie Hickey

“Hey, some jerk has posted your pictures (u understand what kind of pictures are there) and sent a link of them to all ur friends. I have already replied back. Said, that he is an idiot. See the link:”.

 
This little piece of social engineering is obviously designed to arouse fear and doubt in the recipient; “Oh no, not those photos, the zookeeper promised he would destroy the negatives.”