Thursday, 26 June 2014

A Dyre New Banking Trojan

Creators of a newly discovered Remote Access Trojan (RAT) strain that's targeting customers of a number of major banks could become another fixture in the crime-as-a-service ecosystem. Initially uncovered by security researchers at PhishMe, the Dyre or Dyreza Trojan at the moment appears to be the first of a new family of Trojan rather than a Zeus retread. It was picked up by researchers as they looked into an ongoing Dropbox phishing campaign.
"When analyzing tools, tactics, and procedures for different malware campaigns, we normally don’t see huge changes on the attackers’ part," wrote Ronnie Tokazowski, senior researcher for PhishMe. "However, in the Dropbox campaign we have been following, not only have the attackers shifted to a new delivery domain, but they have started to use a new malware strain, previously undocumented by the industry."
According to Peter Kruse, partner and security specialist for CSIS Security Group, like many RATs on the black market, Dyreza is designed specifically to attack online banking customers.
"The target list has a specified set of targets which whenever visited will trigger some additional functions in the Trojan and harvest credentials," he told Dark Reading.
CSIS found that targeted institutions included Bank of America, Natwest, Citibank, RBS, and Ulsterbank. And PhishMe reports that the malware effectively bypasses SSL protections within the browser while stealing credentials. Through its research, CSIS also reported today a key piece of evidence that shows the malware is looking to make a splash of its own compared to Zeus. "The group behind Dyreza has implemented their own money mule panel which indicates that they intend to provide this as a crime-as-a-service solution or is a full circle in-house crime gang."
Unlike Zeus, the malware also currently doesn't appear to have advanced capabilities such as data encryption, many-to-one relationships with command and control infrastructure, or randomization of file names, Tokazowski told Dark Reading.
"One of the biggest differences between ZeuS and Dyre is how communication with the command-and-control infrastructure takes place. With ZeuS, data is usually encoded or encrypted, then passed back as raw binary data. With Dyre, the data is POSTed in the clear, making detection for enterprises with IDS capabilities very straightforward," Tokazowski says. "Since data is being posted back unencrypted, I believe this malware is only in its infancy, and we should expect more refinements from the malware author."
According to Tokazowski, given the lack of Zeus-like features and differences in network communication, there's a good chance the malware is based on a new code base. This is the second time in two weeks that researchers have claimed to have found new banking Trojan strains. Last week RSA reported the same about malware it called Pandemiya, though Kruse of CSIS claims that analysis by the security community has shown that it may have reused code from Gozi.
Tokazowski postulated that a new rash of RATs could be coming as a result of the recent GoZeus takedown.
"With the takedown of GoZeus, the crimeware community will need a new RAT with different capabilities, and I expect to see more RATs in the future with one malware variant stepping in to fill the void left by GoZeus," he says.
While Kruse agrees, he warns that practitioners shouldn't count GoZeus out just yet.
"Remember that ZeuSP2P/Gameover has been taken over and have not as such been eliminated. The malware is like a flu," he says. "We have dismantled its capabilities to push new updates and helped remove the threat from already infected machines, but that does not mean that the gang behind GoZeuS won’t start infecting new users through spam campaigns and Pay Per Installs."

Luuuk Trojan snatches €500,000 from European bank in one week

credit cnet

A European bank lost €500,000 in the course of only seven days due to a new financial fraud campaign.

Security experts at Kaspersky Lab’s Global Research and Analysis Team discovered evidence of the cybercrime campaign and found that 190 clients in two countries belonging to a single European bank, as of yet unnamed, suffered the theft which was first detected on 20th January this year.
Most of the victims are located in Italy and Turkey, and according to log files that included events from bots reporting to a command and control (C&C) web panel, sums stolen from each bank account ranged from 1,700 to 39,000 euros. The team says it is likely thefts were managed automatically, and fraudulent transactions were carried out as victims logged into their online bank accounts.
According to the logs used by the attackers, the targeted attack lifted the funds from individual accounts in only seven days through the use of the Luuuk Trojan. A C&C server and accompanying control panel revealed the use of malicious software, although the security experts are unsure whether Luuuk is a completely new type of software, or a heavily modified version of another Trojan.
The reason for the confusion is simple: Two days after Kaspersky discovered the C&C server, "every shred of evidence" that could have been used to trace the campaign was removed by the cybercriminals. However, this is believed to have taken place due to changes in technical infrastructure used within the campaign rather than as a signal criminal activities were over.
Vicente Diaz, Principal Security Researcher at Kaspersky Lab said:
On the C&C server we detected, there was no information as to which specific malware program was used in this campaign. However, many existing Zeus variations, including Citadel, SpyEye, and IceIX, have that necessary capability. We believe the malware used in this campaign could be a Zeus flavour using sophisticated web injects on the victims.
The money was siphoned away through the use of "money mules" or dummy accounts, where different "drop" groups received varying amounts of money. One group transferred 40-50,000 euros; another with 15-20,000; and the third held no more than 2,000 euros. Diaz explained:
These differences in the amount of money entrusted to different drops may be indicative of varying levels of trust for each 'drop' type. We know that members of these schemes often cheat their partners in crime and abscond with the money they were supposed to cash.
The Luuuk's bosses may be trying to hedge against these losses by setting up different groups with different levels of trust; the more money a 'drop' is asked to handle, the more he is trusted.

Google pries open YOUR mailbox, invites in developer partners

Google's announced a grand plan for email that involves letting World+Dog write apps to access your inbox, just so long as you've given them permission to do so.
Hailed by some as “replacing IMAP” (good luck with that, Google, if it's your aim), the new Gmail API is more prosaically outlined by the Chocolate Factory's Eric DeFriez in this blog post.
“Designed to let you easily deliver Gmail-enabled features, this new API is a standard Google API, which gives RESTful access to a user’s mailbox under OAuth 2.0 authorization. It supports CRUD operations on true Gmail datatypes such as messages, threads, labels and drafts.”
Why would the world need this? DeFriez again: IMAP “wasn’t really designed to do all of the cool things that you [that is, developers at Google IO] have been working on”.
The Wall Street Journal says, for example, that “A travel app, for example, could scan your email inbox for booking confirmations and automatically compile them into an itinerary. An expense app can dig through your inbox for receipts and automatically file them to your cloud-based account.”
The developer (with permission and authentication, of course), merely needs to send HTTPS calls to the user's mailbox to receive JSON, XML of Google Protobuf responses, “without using a TCP socket, which means the API is accessible from many cloud environments that couldn't support IMAP”.
The API doesn't touch everything the Chocolate Factory can see, but a quick scan shows that it's still pretty comprehensive. Once an app is authenticated to your mailbox it can create and delete messages, or (Vulture South can't imagine this being ever misused) insert a message directly in a target mailbox without actually sending the message from a source.
There's a send method that'll take a message in your inbox and forward it on, there's a method to list all of the labels in a user's inbox, and more. Resource types covered by the API include drafts, history, labels, messages, attachments, and threads.
Google says the API provides fine-grained permissions, so “if your app only needs to send mail on behalf of a user and does not need to read mail, you can limit your permission request to send-only”.
However, as the documentation shows, Google's idea of “fine grained” means there's four permission classes. An app can either:
  • Request full access to the target account;
  • Request access for everything except the ability to delete messages or threads;
  • Read access, but no write or delete rights; or
  • Access only to create and send messages and their associated drafts.
Even if this fits the definition of “fine grained permission”, Google seems at best optimistic if it thinks this advice will be heeded: “Generally, your app should use the most restrictive scope that meets its requirements.”
In a world a nearly-zero-function app like Yo requests all the permissions the NSA doesn't ask for, that seems unlikely.
El Reg also notes that Android developers have already shown themselves less-than-brilliant at handling OAuth credentials, the basis by which the Gmail API will let developers at inboxes.

Attackers fling Stuxnet-style RATs at critical control software in EUROPE

Security researchers have uncovered a series of Trojan-based attacks which have infiltrated several targets by infecting industrial control system software from the makers of SCADA and ICS systems.
The majority of the victims are located in Europe, though at the time of writing at least one US firm's compromised gear appears to be phoning home to botnet control servers set up by the attackers.
Two of the European victims are major educational institutions in France known for technology-related research; two are German industrial application or machine producers; one is a French industrial machine producer; and one is a Russian construction firm.
The motive for the attacks - much less the identity of its perpetrators - remains unclear.
The attacks, which began earlier this year, were pulled off used the Havex general purpose Remote Access Trojan (RAT) and a server running PHP.
"The attackers have [made] Trojanised software available for download from ICS/SCADA manufacturer websites in an attempt to infect the computers where the software is installed", Finnish security software firm F-Secure reports.
"We gathered and analysed 88 variants of the Havex RAT used to gain access to, and harvest data from, networks and machines of interest. This analysis included investigation of 146 command and control (C&C) servers contacted by the variants, which in turn involved tracing around 1,500 IP addresses in an attempt to identify victims."
Elements of the malicious code are designed to "harvest data" from infected machines used in ICS/SCADA systems. F-Secure reasons that this means the unknown attackers are taking steps to give them control of the ICS/SCADA systems in various organisations, rather than just using vulnerable control system set-ups as a means to infiltrate corporate networks. If successful the attack establishes a backdoor on compromised networks that can easily be used to push secondary samples of malicious code.
The miscreants behind the attack are using third-party compromised websites, mainly blogs, as command and control servers.
The Havex RAT at the centre of the assault is distributed through either spam emails, exploit kits or (much more unusually) trojan-laden installers planted on compromised vendor sites.
"It appears the attackers abuse vulnerabilities in the software used to run the websites to break in and replace legitimate software installers available for download to customers," F-Secure's researchers Daavid Hentunen and Antti Tikkanen explain in a blog post.
F-Secure has uncovered three software vendor sites that were hacked to act as a conduit for malware distribution. All three unnamed companies in Germany, Switzerland and Belgium are involved in development of applications and appliances for use in industrial applications. Two of firms supply remote management software for industrial control systems while the third develops high-precision industrial cameras and related software. Other firms might easily have been hit by they same attack.
"The attackers behind Havex are conducting industrial espionage using a clever method. Trojanising ICS/SCADA software installers is an effective method in gaining access to target systems, potentially even including critical infrastructure," F-Secure says.
"The method of using compromised servers as C&C's is typical for this group,” F-Secure continues. “The group doesn't always manage the C&C's in a professional manner, revealing lack of experience in operations. We managed to monitor infected computers connecting to the servers and identify victims from several industry sectors.”
“The additional payload used to gather details about ICS/SCADA hardware connected to infected devices shows the attackers have direct interest in controlling such environments," it added.

SCOTUS cellphone ruling resonates in NSA fight

The Supreme Court is pictured. | AP Photo
The NSA’s metadata program sweeps up call details for possible links to terrorist plots.
The Supreme Court’s blunt and unequivocal decision Wednesday giving Americans strong protection against arrest-related searches of their cell phones could also give a boost to lawsuits challenging the National Security Agency’s vast collection of phone call data.
Chief Justice John Roberts’s 28-page paean to digital privacy was like music to the ears of critics of the NSA’s metadata program, which sweeps up details on billions of calls and searches them for possible links to terrorist plots.
“This is a remarkably strong affirmation of privacy rights in a digital age,” said Marc Rotenberg of the Electronic Privacy Information Center. “The court found that digital data is different and that has constitutional significance, particularly in the realm of [the] Fourth Amendment…I think it also signals the end of the NSA program.”
Roberts’s opinion is replete with rhetoric warning about the privacy implications of access to data in individuals’ smart phones, including call logs, Web search records and location information. Many of the arguments parallel, or are virtually identical to, the ones privacy advocates have made about the dangers inherent in the NSA’s call metadata program.
“Modern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse,” the chief justice wrote in an opinion that concluded police nearly always need a warrant to look through a phone or similar device. “An Internet search and browsing history, for example, can be found on an Internet-enabled phone and could reveal an individual’s private interests or concerns — perhaps a search for certain symptoms of disease, coupled with frequent visits to WebMD.”
For the NSA debate, the most significant idea in the court’s Wednesday opinion may be the notion that scale matters. Roberts and his colleagues soundly rejected arguments from the Obama administration that because police can search a few printed photographs found in someone’s wallet, officers were free to search thousands of images and the troves of other personal data contained on a typical smartphone.
Government lawyers engaged in the NSA fight have pointed to a 1979 Supreme Court ruling that approved the use of a trap-and-trace device put on a single phone line to investigate harassing phone calls. That decision, those attorneys say, means there is no constitutional problem with authorities assembling data on many — or even all — calls made in the United States.
Critics have said the two situations bear little resemblance to one another, in part because of the huge difference in scale.
“It’s very important that the court is recognizing that quantity matters,” said Georgia Tech professor Peter Swire, a privacy expert and member of a panel President Barack Obama set up to review the NSA’s call metadata program. “The court has said that quantity matters when it comes to the content of cell phones. And I believe the court will feel the same way when it comes to massive databases of telephone calls or computer communications.”
A former cybercrime prosecutor said the justices also seemed to recognize that scale of the collection not only gives the government more data, but also the ability to be much more intrusive than in earlier eras.
“The distinction here is more than just the capacity of the device to hold pictures,” said Alex Southwell, now with law firm Gibson, Dunn & Crutcher. “A cell phone is orders of magnitude different, not just in terms of numbers of items held but also in terms of the intrusiveness if searched. The mosaic of information available from seeing the whole of the data is transformative, just like the call records at issue in the NSA program.”
The Supreme Court’s ruling Wednesday in Riley v. California doesn’t say anything explicitly about the NSA’s metadata, nor did the justices mention national security concerns or intelligence gathering.
However, in one somewhat opaque footnote to Roberts’s majority opinion, the justices seem to be saying they are leaving the issue of bulk collection of data for another day. “These cases do not implicate the question whether [sic] the collection or inspection of aggregated digital information amounts to a search under other circumstances,” Roberts wrote.
Even if the justices were to deem the NSA program a warrantless search that goes well beyond tracing calls made on a specific phone line, that wouldn’t mean the terrorism-focused effort is unconstitutional. Instead, the court would have to consider whether the search is reasonable in light of the national security and public safety concerns involved — and justices are often extraordinary deferential to such arguments.