Archive for category Cybercrime

Zeus Grabbing Kaspersky’s Digital Signatures

Trend Micro threat researchers have reported detecting several malicious web files that carry a suspicious digital signature which appears to have been issued by the antivirus company Kaspersky.

After analyzing the files and their signatures, there is a clear difference between the legitimate signature and the fake one: the fake copy contains wrong hash values, and the signature has expired.
That is not all that was observed: after further examination, these web files were identified as malicious ZeuS (ZBOT) variants, detected as TSPY_ZBOT.BWP, TROJ_ZBOT.BYM, and TROJ_ZBOT.KJT.

This is not the first case of criminals using certificates to sign their web malware. There was also the STUXNET malware, which was signed with a certificate from Realtek Semiconductor Corp. and was later switched to one from JMicron Technology.

Trend Micro has now notified Kaspersky Lab about this incident. You can read more about Zeus here.

make sure you subscribe to my RSS feed!

Asprox is back!

Security researchers warn of a rapid increase in websites infected by the spam botnet Asprox. The Asprox botnet is carrying out attacks using SQL injection, which has allowed it to double its presence on the web applications of hosting providers. In a single night the number of compromised resources rose from 5 thousand to 11 thousand.

The botnet typically starts by scanning the network for vulnerable hosts; when it finds a vulnerable website, it launches an attack against that host.

M86 Security is currently monitoring and tracking the new threat. In a blog post, Rodel Mendrez reported that the pattern of Asprox's behaviour has changed: previously it was only used to send spam, now it is carrying out mass SQL injection.

As of this writing, there are three fast-flux domains that the bot attempts to contact:

CL63AMGSTART.RU
HYPERVMSYS.RU
ML63AMGSTART.RU

These three servers are the bot's command and control servers. Analyzing the malware binary reveals SQL statements, as the picture shows:

Decrypting the XML file that the bot receives yields information about the targeted websites, as the screenshot shows:

Finally, a simple Google search shows that more than 5000 websites are already infected.

As you can see, criminals are always searching for new ways to spread their malware.

Fake YouTube Pages Spreading Malware

Researchers at the eSoft Threat Prevention Team have discovered thousands of fake websites that look like YouTube. Each site contains a video that leads to the installation of a downloader Trojan with a detection rate of less than 20% according to VirusTotal.

The sites mimic YouTube very closely, with a high-quality imitation that makes them look legitimate and tricks victims. Cybercriminals exploit users' trust in the YouTube video hosting service to infect as many machines as possible.

The pages advertise a “Hot Video”, such as: Want to see a revealing video about the Gulf oil spill in Mexico or the NBA Finals?

This lures victims into agreeing to install the malicious application, with a high probability that the antivirus will not even flag the file as suspicious.

According to the eSoft Threat Prevention Team, there are now over 135,000 such sites sprouting up all over the Web, and they can be found through the Google search engine. So do not trust unknown websites, keep your antivirus definitions up to date, and use web filters to detect and prevent these threats.

Symantec: 100% Increase in New Malicious Software

According to the latest Internet Security Threat Report issued by Symantec, more than 240 million new malicious programs were observed last year. The study clearly illustrates that cyber criminals are increasingly using online resources to perform their attacks.

The study indicates that most malicious activity is observed in developing countries, which shows that these countries are still not well prepared for such crimes and do not invest in protection against this major threat. This has also made these countries a source of cybercrime activity, since their laws do not prevent these crimes.

Attacks on network resources are the most common in the report, while exploitation of browser vulnerabilities is increasing. Symantec also noted an increase in hacking tools that allow attackers to steal data, such as Zeus, which sells for seven hundred dollars.

Installing security patches has become more complex because users are now asked to patch vulnerabilities not only in operating systems but also in third-party applications and plugins.

You can find the report here.

Cybercriminals Target .gov and .mil with a Phishing Attack

Criminals are conducting spam attacks on email addresses in the .gov and .mil domains. According to a blog post by Brian Krebs, the fake messages include a link that leads to the Zeus Trojan, which is used to steal online banking passwords.

The reason such attacks succeed is that the phishing message looks quite legitimate: recipients are invited to download a report, “2020 Project”, which really exists and was recently published by the National Intelligence Council of the United States.

At the same time, investigating the email headers shows that the real sender is nobody@sh16.ruskyhost.ru, a Russian email address.

Only 16 out of 39 antivirus products detected the malicious software as a dangerous Trojan, because cybercriminals keep upgrading their botnet to evade different AV products (F-Secure detected the Trojan as Suspicious:W32/Riskware!Online).

DDoS Attack Targets Swedish Police Network

According to thelocal news site, the Swedish police website was the target of a DDoS attack last week. The attack completely disrupted the official website.

At peak traffic the server can handle about 800 requests per second, but during the attack about 400 thousand requests per second were detected, which the report describes as 5 times more than the normal peak traffic.
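To turn the capacity figure above into a check, here is an added example (not from the post, The Local, or the Swedish police) that counts requests per second over constructed web-server access log lines and flags any second above the roughly 800 requests/second the post quotes as the server's normal peak, along with how many distinct source addresses drove it. The log lines, addresses and timestamps are all constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed access-log sample (not from the incident): three normal requests in
# one second, then 1200 requests from 200 source addresses packed into the next.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.{i + 1} - - [14/Jun/2010:10:00:00 +0000] "GET / HTTP/1.1" 200 512'
     for i in range(3)]
    + [f'198.51.100.{i % 200} - - [14/Jun/2010:10:00:01 +0000] "GET / HTTP/1.1" 503 0'
       for i in range(1200)]
)

# Peak rate the post quotes for the attacked server: about 800 requests/second.
BASELINE_RPS = 800

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def requests_per_second(log_text):
    """Count requests per timestamp second and the distinct source IPs per second."""
    counts, sources = Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing a time
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        counts[ts] += 1
        sources.setdefault(ts, set()).add(m.group("ip"))
    return counts, sources

def flood_seconds(log_text, baseline=BASELINE_RPS):
    """Return every second whose request rate exceeds the baseline, with its
    rate, the multiple of the baseline, and how many distinct sources drove it."""
    counts, sources = requests_per_second(log_text)
    return [
        {"second": ts.isoformat(), "rps": counts[ts],
         "x_baseline": round(counts[ts] / baseline, 1),
         "distinct_sources": len(sources[ts])}
        for ts in sorted(counts) if counts[ts] > baseline
    ]

if __name__ == "__main__":
    for alert in flood_seconds(SAMPLE_LOG):
        print(alert)
```

A high request rate from many distinct sources, as here, is the pattern that distinguishes a distributed flood from a single misbehaving client.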

The number of DDoS attacks has increased significantly, making them one of the biggest threats on the Internet. Looking at the history, early DDoS attacks were mainly aimed at disrupting IRC servers. In 1997 a vulnerability in the Microsoft Windows TCP/IP stack allowed hackers to flood remote systems with packets using several tools. Another well-known incident, in 2000, took down the web services of many popular websites such as Yahoo, CNN, eBay and others. In October 2002 the root DNS servers experienced a DDoS attack that knocked 7 of the 13 main servers out of service. And now we are seeing many distributed denial of service (DDoS) attacks against social networking websites like Twitter and Facebook.

Stopping DDoS attacks depends on the whole Internet community protecting their machines from the malware that could be used to run these attacks. The most popular botnets are:

Conficker – 10 million+ machines.
Kraken – 495 thousand machines.
Srizbi – 315 thousand machines.
Bobax – 185 thousand machines.
Rustock – 150 thousand machines.
Storm – 85 thousand machines.

Apache Website Owned!

The Apache Software Foundation website was down last Friday after hackers compromised an SSH key to one of its main servers.

Secure Shell is a very popular technology that provides secure remote administration of servers. If the hackers had managed to upload a rootkit or Trojan into the download packages on the Apache website, this could have caused great damage to a huge number of websites, especially since, according to the latest stats from Netcraft, more than half of all web servers run Apache.

On Friday the Apache Software Foundation published an official note as follows:

On August 27th, starting at about 18:00 UTC an account used for automated backups for the ApacheCon website hosted on a 3rd party hosting provider was used to upload files to minotaur.apache.org. The account was accessed using SSH key authentication from this host.

To the best of our knowledge at this time, no end users were affected by this incident, and the attackers were not able to escalate their privileges on any machines.

While we have no evidence that downloads were affected, users are always advised to check digital signatures where provided.

Here you can find the screenshot posted on the Trend Micro blog. The identity of the attackers and the reason for this attack have not been discovered yet, but sharing information about this incident is a very good move and can help build solid trust in The Apache Software Foundation.
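The note above describes a key belonging to an automated backup account being used to upload files from a third-party host. One standard mitigation is to pin such keys to a source host and a single command in OpenSSH's authorized_keys file. Here is an added example, not the Apache Software Foundation's code, that audits an authorized_keys file and reports keys lacking the `from=`, `command=`, `no-port-forwarding` and `no-pty` options; the sample file, addresses and key material are constructed placeholders.

```python
import re

# Constructed sample authorized_keys file for an automated-backup account
# (not the Apache Software Foundation's). Key material is placeholder text.
SAMPLE_AUTHORIZED_KEYS = """\
# unrestricted: anyone holding the key gets a shell from any host
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPLACEHOLDER backup@thirdparty
# restricted: pinned to one source host and one command, no tunnels, no tty
from="203.0.113.10",command="/usr/local/bin/backup-push.sh",no-port-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER backup@thirdparty
# source pinned, but an interactive shell is still available
from="203.0.113.10" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER2 deploy@ci
"""

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEY_TYPES)) + r")\s+(\S+)\s*(.*)$")
# Restrictions an automation-only key should carry (OpenSSH authorized_keys options).
REQUIRED = ("from", "command", "no-port-forwarding", "no-pty")

def split_options(opts):
    """Split the option prefix on commas that are not inside double quotes."""
    parts, cur, quoted = [], "", False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur] if cur else parts

def audit_authorized_keys(text):
    """Return one finding per key that lacks any of the REQUIRED restrictions."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            continue  # assumption: a key type never appears inside a quoted option
        names = {o.split("=", 1)[0].strip() for o in split_options(line[:m.start(1)].strip())}
        missing = [r for r in REQUIRED if r not in names]
        if missing:
            findings.append({"key_type": m.group(1), "comment": m.group(3), "missing": missing})
    return findings

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"{f['comment']}: missing {', '.join(f['missing'])}")
```

With these options in place, a stolen backup key can only run the backup command from the expected host, which limits what an attacker who obtains it can do.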

Saudi set to form new unit to fight cybercrime

Saudi Arabia is launching a new crackdown on cybercrimes, including fraud, in the kingdom, it emerged on Sunday.

A specialised department to look into online criminal activity will be formed in all the criminal investigation and criminal evidence departments in the country, it has been announced.

Lt Gen Saeed Al-Qahtani, the director general of Public Security, revealed the plan while attending an investigation department workshop on financial crimes in Riyadh, Saudi Gazette reported.

He said that because web-related crime was posing a threat to public security, authorities needed to act to fight back.

Specialists will be used to fight the criminals online, he said, and the latest equipment would be used to find evidence and prosecute offenders.

[Source: arabianbusiness]

Malware attacks 'on the rise'

Cases of malware attacks around the world are continuing to rise, new research has suggested.

The study by security firm Fortinet found that certain countries are being targeted, with attacks on China coming in at the top of the list.

A 45 per cent increase in malware attacks was recorded in the Asian country in April when compared with the same period in 2008, the research found.

‘April was a busy month for cyber criminals, who unleashed the most aggressive malware attacks thus far this year,’ Derek Manky, project manager for cyber security and threat research at Fortinet, told Vnunet.com.

‘We believe that this upward trend will endure, and that online gaming attacks will continue to dominate the estimated $2 billion [£1.3 billion] annual market.’

Mary Landesman, senior security researcher at ScanSafe, added to the news provider: ‘With malware increasing in volume and sophistication, and no foreseeable slowdown in sight, it is more important than ever that companies have a comprehensive web security solution in place.’

[Source: BCS]

Guest blog: Canadian anti-spam laws take an important step forward

The Conservative government in Canada last week introduced the Electronic Commerce Protection Act to help cull sources of spam and other malicious activity from within Canadian borders.

Although it was introduced as “the Government of Canada protecting Canadians”, those of us in the industry recognize that this is a global problem, and the amount of spam and other malicious stuff ending up on Canadians’ computers will not likely be significantly impacted as a result.

Our latest threat report had Canadian sources of spam being only 1.1% of the global total, and of course most of that will be from compromised machines forming parts of a botnet.

However, I do think this is a positive step for Canada as a “good neighbour” in the global community. We have seen a lot of previously US-based spam operations move to Canada due to a lack of this type of legislation – hopefully those same people will find it more inconvenient to move further overseas and cease operations.

Another nice thing about this legislation is its specific prohibitions on the installation of non-desired software such as spyware, keyloggers, adware, etc., during commercial operations.

So, while this is an important step forward, ultimately the spam and malware problem requires a global response.

[Source: Sophos]
