Domain: krebsonsecurity.com
Stories and comments across the archive that link to krebsonsecurity.com.
Comments · 228
-
Alternative link
Krebs' writeup is pretty good as well, not that anyone reads tfa.
-
The security researcher's story
here.
I bet PoF used double Rot-13 encryption.
-
Don't laugh too soon, because this works vs. this
See my subject-line above, & these host/domain names, blocked off (via the 0.0.0.0 blocking "IP Address"):
---
0.0.0.0 xtremedefenceforce.com
0.0.0.0 elvis.com.au
---
SOURCE: http://krebsonsecurity.com/2011/01/white-house-ecard-dupes-dot-gov-geeks/
Also, since this thing is allegedly suspected to be a ZEUS variant:
---
PERTINENT QUOTE/EXCERPT:
"A 75GB cache of stolen data shows that the botnet, which is a variant of Zeus, has been used to steal a wide range of information, including tens of thousands of login credentials -- mainly for financial accounts."
SOURCE: http://www.computerworld.com/s/article/9158778/Kneber_botnet_hit_374_U.S._firms_gov_t_agencies
---
?
This MAY come in very "handy" as well:
---
ZEUS TRACKER:
https://zeustracker.abuse.ch/monitor.php?filter=online
---
Symantec uses it
---
PERTINENT QUOTE/EXCERPT:
"Sites such as Abuse.ch Zeus tracker have for some time now been doing an excellent job in tracking Zeus command & control (C&C) servers and hosts of Zeus files.
SOURCE: http://www.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits
---
So do I... because it allows you to "keep up/keep current" vs. the botnet C&C servers this thing utilizes.
"Blacklists" (which HOSTS files can function as, but also as "whitelists" too), especially in THIS situation? Work!
APK
P.S.=> So - Simply add those host/domain names, blocked off as shown, to your OWN hosts file (typically located in %WinDir%\system32\drivers\etc, on modern Windows OS, &
/root/etc on Linux variants), & what you can't touch, cannot touch (or harm) you - simplest idea for protection in the world! apk -
Not if the user uses custom HOSTS files... apk
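The commenter's "add the names to your hosts file" advice, worked through as an added example (this is not the commenter's code or anything from the Krebs article). Two facts a practitioner should have before relying on it: the hosts file lives at C:\Windows\System32\drivers\etc\hosts on Windows and at /etc/hosts on Linux, BSD and macOS (not /root/etc), and the resolver takes the first line that matches a name, so appending "0.0.0.0 evil.example" below an existing "10.0.0.5 evil.example" does nothing. The code below parses the file the way the resolver does, only appends names that are not already sinkholed, and reports names that an earlier real mapping would shadow. The sample hosts text is constructed for the demo. The caveats the comment skips: editing the file needs admin/root, which is exactly the privilege a Zeus-class trojan already has when it patches the same file; the block only affects names, so a bot that connects to a C&C IP literal is unaffected; and a hosts blocklist is only as current as the last time you merged the tracker feed.

```python
"""Added example: maintain a hosts-file blocklist idempotently.
Assumed paths: C:\\Windows\\System32\\drivers\\etc\\hosts (Windows), /etc/hosts (Unix)."""
from pathlib import Path

BLOCK_ADDR = "0.0.0.0"
# Addresses that make a name unreachable. 0.0.0.0 is preferred over 127.0.0.1
# because it never hands the connection to a service listening on loopback.
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def _norm(name: str) -> str:
    # hosts lookups are case-insensitive; a trailing dot is the DNS root marker
    return name.strip().rstrip(".").lower()


def parse_hosts(text: str) -> dict[str, str]:
    """Map each name to the address it resolves to. First match wins, which is
    how the system resolver reads the file; comments and blank lines are skipped."""
    mapping: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for n in names:
            mapping.setdefault(_norm(n), addr)
    return mapping


def blocked_names(text: str) -> set[str]:
    """Names that the file currently sinkholes."""
    return {n for n, a in parse_hosts(text).items() if a in SINK_ADDRS}


def add_blocks(text: str, names) -> tuple[str, list[str], list[str]]:
    """Return (new_text, added, conflicts).
    - already sinkholed names are skipped (idempotent);
    - names already mapped to a real address are returned in `conflicts`
      instead of being appended, since the earlier line would still win."""
    current = parse_hosts(text)
    added, conflicts, new_lines = [], [], []
    for n in map(_norm, names):
        if n in current and current[n] in SINK_ADDRS:
            continue
        if n in current:
            conflicts.append(n)
            continue
        new_lines.append(f"{BLOCK_ADDR} {n}")
        current[n] = BLOCK_ADDR  # so a repeated name in `names` is not added twice
        added.append(n)
    if not new_lines:
        return text, added, conflicts
    sep = "" if (not text or text.endswith("\n")) else "\n"
    return text + sep + "\n".join(new_lines) + "\n", added, conflicts


def block_in_file(path, names) -> tuple[list[str], list[str]]:
    """Apply add_blocks() to a real hosts file (needs admin/root to write)."""
    p = Path(path)
    text = p.read_text(encoding="utf-8", errors="replace")
    new_text, added, conflicts = add_blocks(text, names)
    if added:
        p.write_text(new_text, encoding="utf-8")
    return added, conflicts


if __name__ == "__main__":
    # Constructed sample hosts file content, not taken from any real system.
    sample = (
        "127.0.0.1 localhost\n"
        "10.0.0.5  intranet.example   # a real internal mapping\n"
        "0.0.0.0   elvis.com.au       # already blocked\n"
    )
    # the two names the comment lists, plus one that an earlier line shadows
    new_text, added, conflicts = add_blocks(
        sample, ["xtremedefenceforce.com", "elvis.com.au", "intranet.example"])
    print(new_text)
    print("added:", added, "shadowed (fix the earlier line first):", conflicts)
```

To merge a tracker feed, feed its host column into `block_in_file(...)`; rerunning it is safe because nothing already sinkholed is appended again, and anything returned in `conflicts` needs the earlier line removed by hand before the block takes effect.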
Re:Ugh
>so it's the users installing it and not just holes in the system being exploited.
Are you sure about that? The analysis of various crimepack stats posted by Brian Krebs shows that the vector for these infections is usually (in order) Java, Adobe Reader, Flash, and browser exploits. So let's assume you patched these machines using Windows Update. That means you patched any known browser exploits, but the malware writer can still try various Java, Reader, and Flash exploits.
I think the real issue currently is how poorly these app updaters are written. Reader may never ask to do an update unless you manually start it once to install the current version of Adobe Updater. Java, depending on the version, either sits quietly in the tray asking for an update or never bothers. Flash asks at startup sometimes, but it may only update IE, but not Firefox.
For end users who have no clue, which is most of them, these apps should just be set to auto-update without asking. Admins and power users can edit this as needs be. In the meantime, it's pretty trivial to infect a machine. Almost no one makes an effort to patch these apps.
I don't believe the problem is PEBCAK as we like to think. Browser plugins are a serious issue. They're just not being updated.
-
Re:LibreOffice - please remove Java
I fight fud with facts:
http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/
Java is a risk and isn't worth installing let alone running as a plugin on a browser.
-
Finally a Job!
A job awaits me after I graduate from Cash Paradise University! With classes like "Botnet or How to Get My Own Bank Accounts" I'll never need to learn math!
-
Re:Mixed feelings
That's a good point, but the screenshot does look pretty reasonable. It could have been done a lot worse, but it looks like they're at least acknowledging the trust issue.
That being said, it's not difficult to figure out which ISP a certain IP belongs to and for someone to forge these things.
-
Re:Oh boy...
DEP is configured correctly in Win 7 by default. And isn't there a function called ASLR that should prevent the attacker from knowing where to strike?
Concerning these features, I find these findings... strange:
http://krebsonsecurity.com/2010/08/anti-virus-products-mostly-ignore-windows-security-features/
Even if ASLR and DEP aren't working perfectly: Why someone building an AV product does NOT use these features in order to make it harder for the attacker to circumvent the AV solution is beyond me.
-
Re:Damn it
Brian Krebs has a better writeup:
http://krebsonsecurity.com/2010/08/networksolutions-sites-hacked-by-wicked-widget/
Essentially, the malware delivered a popup that looks like a screen from a popular Chinese chat program. I believe it pretends to be an update. So, this is just a trojan. No vulnerability was used, well, other than the one sitting in the chair.
-
Re:Money-Mules
Brian Krebs is the go-to guy for backstory on the mules. Mules have to look "honest" to a banking system, so they are really the tech-savvy unemployed being exploited by mafia.
In a more depressing story the cost of Online fraud is charting to be almost 1B USD in a few years
Nobody is reporting that this is not being shown on the balance sheets
... where are the Untouchables when we need them. -
Re:What a skimmer actually looks like
-
And no salt!
Thepiratebay didn't salt their hashes. This site deserves to die.
-
Re:Just one question.
Yes, you do get your money back eventually. According to one of my sources, the banks are obligated to replace the funds in two weeks.
In practice, it may take longer.
I was hit by a card skimmer last year. It took over three weeks for Bank of America to replace the $500 stolen from my account. (I never got the $3 foreign ATM fee back, FWIW.)
As LostCluster points out, having an empty checking account when you're not expecting it can put you in a tight spot with your landlord/mortgage holder, etc.
-
Re:Ya think?
I didn't RTFA, is there a list of unsecure apps?
Apple QuickTime, Foxit Reader, Google Picasa, Java, OpenOffice.org, RealPlayer, VideoLAN VLC Player, and Winamp - no DEP/ASLR
Flash Player - ASLR only
Adobe Acrobat Reader - DEP only, but DEP can be circumvented
Firefox - DEP only
http://krebsonsecurity.com/wp-content/uploads/2010/07/depaslr-236x300.jpg -
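How a list like the one above is produced, as an added example that is not from the comment or from the Krebs piece: a PE file opts in to DEP and ASLR through two bits in the optional header's DllCharacteristics field (IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100 and IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040), so the check is a header read, not a runtime test. The code below parses just enough of the MZ/PE headers to read that field and also applies the caveat the simple check misses: DYNAMIC_BASE is meaningless if the linker stripped the relocation data (IMAGE_FILE_RELOCS_STRIPPED in the COFF Characteristics), because the loader then cannot move the image. `make_stub_pe()` builds a constructed minimal header so the example runs without a real binary; point `pe_mitigations()` at the bytes of any actual .exe or .dll to use it for real.

```python
"""Added example: report DEP/ASLR opt-in from a PE file's headers (stdlib only)."""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* from winnt.h
DYNAMIC_BASE = 0x0040     # ASLR opt-in
HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR (needs DYNAMIC_BASE too)
NX_COMPAT = 0x0100        # DEP opt-in
NO_SEH = 0x0400
GUARD_CF = 0x4000
# IMAGE_FILE_* in the COFF Characteristics field
RELOCS_STRIPPED = 0x0001


def pe_mitigations(data: bytes) -> dict:
    """Parse the MZ -> PE -> optional header chain and decode the flags."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: SizeOfOptionalHeader at +16, Characteristics at +18
    size_opt, coff_chars = struct.unpack_from("<HH", data, coff + 16)
    if size_opt < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)       # 0x10B PE32, 0x20B PE32+
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)  # same offset for both
    aslr_flag = bool(dll_chars & DYNAMIC_BASE)
    relocs_stripped = bool(coff_chars & RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dep": bool(dll_chars & NX_COMPAT),
        "aslr_flag_set": aslr_flag,
        "relocs_stripped": relocs_stripped,
        # the flag only helps if the loader can actually relocate the image
        "aslr": aslr_flag and not relocs_stripped,
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "no_seh": bool(dll_chars & NO_SEH),
        "cfg": bool(dll_chars & GUARD_CF),
    }


def describe(data: bytes) -> str:
    """Same wording as the list above: DEP+ASLR / DEP only / ASLR only / no DEP/ASLR."""
    m = pe_mitigations(data)
    if m["dep"] and m["aslr"]:
        return "DEP+ASLR"
    if m["dep"]:
        return "DEP only"
    if m["aslr"]:
        return "ASLR only"
    return "no DEP/ASLR"


def make_stub_pe(dll_chars: int, coff_chars: int = 0, pe32plus: bool = False) -> bytes:
    """Constructed minimal header for testing; not a loadable image."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, size_opt, coff_chars)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            blob = f.read()
        print(f"{path}: {describe(blob)} {pe_mitigations(blob)}")
```

Run it as `python pe_mitigations.py some.exe some.dll`; an image that reports `aslr_flag_set` but not `aslr` is the case where DYNAMIC_BASE is set and the relocations are gone, which tools that only look at the DllCharacteristics bit would miscount as ASLR-enabled.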
Re:Bitdefender is a darn good product
Brian Krebs posted on this very topic about three months ago, recommending BitDefender among several other standalone anti-malware packages. Most of the links he provides are for Live CDs, but many of them can be run from a bootable USB as well.
-
Some Helpful Advice
When it comes to security, even hackers admit we're doing a better job making our products more secure than anyone else.
Hint: Your worst nightmares do not have open jovial dialogues with you. And if they did communicate with you or offer you a score card or report, they would want you to feel as though you are completely safe -- totally unaware and unprepared for what you may face.
You've come a long way, Microsoft, but you have much much further to go. If you measure security by percentage increase in security then the evolution from Windows 95 to Windows 7 is nigh impassable. But that in no way means you're number one in the security scores. Run your marketing campaign with setting the "facts" straight but people like me know. With what little (journalistic) evidence you presented, there's no way I can build a conclusion that backs up your statement. And there's no way around that. It would better prepare you to look into the several thousand anecdotes found daily revealing the issues with Windows and Internet Explorer. -
Re:A little peeved!
Dear Slashdot:
I submitted the above story this morning and was pleased when it was accepted for publication on your website.
However, I was a little peeved to find that the link I included in the story - was substituted in the final story with this one
Obviously this substitution removes any benefit whatsoever of my having taken the time to write the blog post and submit it to slashdot in the first place.
Any chance of swapping the link back?
Slashdot seems to "favor" krebsonsecurity.com for some reason, and might have some behind-the-scenes agreement with them to shove traffic to them artificially. Please don't operate under any assumption that the
/. "editor" staff is going to be fair and objective. They have their agendas, and have certainly rewritten submissions to suit their purposes in the past. -
A little peeved!
Dear Slashdot: I submitted the above story this morning and was pleased when it was accepted for publication on your website. However, I was a little peeved to find that the link I included in the story - was substituted in the final story with this one Obviously this substitution removes any benefit whatsoever of my having taken the time to write the blog post and submit it to slashdot in the first place. Any chance of swapping the link back?
-
Re:What can be done? Nothing.
Same thing happens in the US.
http://www.schneier.com/blog/archives/2010/02/another_debit_c.html
Never, never, EVER punch your PIN into a pad that is not attached to an ATM machine that is owned by your financial institution. And even then, pay close attention.
http://www.krebsonsecurity.com/2010/03/would-you-have-spotted-this-atm-fraud/
Cash is looking better all the time.
-
Re:Wasted time
OK so this is how it works. There are websites out there like these which allow you to quickly check your newly infected EXE against all the main AV products out there. Signature based AV is basically obsolete because there are lots of programs out there that will happily scramble your EXE for you, in the scene these are known simply as "crypters" and you will find many people in the PPI world advertising their crypter as being FUD (fully undetectable). Good article on this here. Of course with enough downloads eventually somebody savvy will catch on, unless your work is really good, and then your binary and uploading IP address are usually banned. At which point they do exactly what you'd expect - spin a new binary, get a new IP address and do it all over again.
If you're relying on only 15-20 other downloaders to certify something as "clean" and you regularly download warez you probably already have a rootkit on your system and have no idea it's even there.
-
Security Issues
I don't know about Europe, but in the US banks eat the cost for someone vacuuming out a personal account. Businesses are on their own, however. See Krebs on Security for fun details.
-
Re:No explanation
-
Another story, with many comments:
Here's another story, with many comments: New Patches Cause BSoD for Some Windows XP Users.
-
Re:Unsurprising
webmoney, oh, right, mentioned @ http://www.krebsonsecurity.com/2009/12/virus-scanners-for-virus-authors/
right.