Bank Accounts Vulnerable For Victims of ZeuS Trojan Variant 'Gameover'

tsu doh nimh writes "Organized crooks have begun launching debilitating cyber attacks against banks and their customers as part of a smoke screen to prevent victims from noticing simultaneous high-dollar cyber heists, the FBI is warning. The thefts, aided by a custom variant of the ZeuS Trojan called 'Gameover,' are followed by distributed denial of service (DDoS) attacks against banks and the victim customers. The feds say the perpetrators also are wiring some of the money from victim organizations directly to high-end jewelry stores, and then sending money mules to pick up the pricey items."

Re:Still clicking the links in emails?

You go to a legitimate page which has been compromised, or is hosting adds and the add site has been compromised. The page attempts to exploit your browser, usually with a disclosed vulnerability. If you haven't applied that latest patch you get knocked over without clicking any links.

After any big even there are usually malicious sites near the top of the Google rankings which will attempt to exploit any one who lands on them. After the tsunami in Japan there were fake news results in the top 10 with in 2-3 hours doing this.

Re:Still clicking the links in emails?

[DrgnDancer]

SEO=Search Engine Optimized. So it's like this. Your Flash Player is a month out of date and has a secuity hole. You search for a popular term. Maybe something game related, or porn, or whatever. Bad guy has a carefully crafted page that has been SEOed to appeared fairly high in the rankings for your popular search. The exploit is in the Flash on the page. You don't have to do anything except click the link (which seems perfectly legitimate).

Of course if you've got No-script or Ad Block, you're probably fine, but most people don't use stuff like that. See above for "People expect their computers to be tools" rant. What they did might have been mildly stupid: They should upgrade their plugins, they should read links more carefully, they should use some kind of script blocker, but it falls well within what most normal users would consider reasonable. Still infected though.

Re:Still clicking the links in emails?

[Em+Adespoton]

A large attack vector for SEO poisoning is image searches. Unless you're running with NoScript or JS disabled, all you have to do is click on the wrong link in a random image search result, and the rest happens in the background. While you're sitting there looking at images of Martin Luther King, Jr. (and wondering why there's a photo of chocolate cake on the page as well, and one of some puppies), a multi-exploit probe script starts up in the background, quickly figures out what OS, browser and general environment you're using (think malware author's version of 'make'), and then downloads and executes an exploit path custom to your configuration.

Of course, the term "drive-by download" does also include the FakeAV stuff that automatically downloads and sits in your download folder, waiting for you to say, "hey, what's this zipfile doing in here with the 'reallysuperantivirus.exe' inside? I guess I should run it to find out!"

Re:Ha! Stupid criminals

[Dunbal]

That is not specific to a country. Any government will do.

We're all nerds here

[ctime]

I can hear the booo and hisses already, but this is a large reason why I fucking hate Windows. Let's be real here, everyone getting hacked by these knuckleheads are idiots themselves (to a degree) AND running windows. But what about this: I just imaged and updated my Windows 7 64 system, only use Firefox, and have Microsoft AV (free) enabled. I was minding my own business surfing the web in what I thought was a fairly secure setup, some random popup or link injected code through what I believe was a flash vulnerability (again the box was only a month old) and installed some fucked up rootkit that MS AV actually found the next day. WTF? 0-day exploits CRUSH windows, despite the UAV etc, some how this shit still gets through. Yes, I could have done probably xyz things to protect myself, which I would believe if I were running XP, but this is a 1Mo old version of 7, automatic updates, and I only use firefox. FML.

Web browsers should run in a VM session that is incompatible with the host operating system on a binary level. This kind of aformentioned horseshit rarely if ever happens to everyday average normal guys just browsing the web on their Macs or Ubuntu boxes. Also, fuck it, I'm only browsing the web on a Linux image from now on on this Windows box (and just for reference the box is only used for gaming, occasionally slashdot raging)

Re:We're all nerds here

[ledow]

"Web browsers should run in a VM session"

Or just have proper isolation and not ***execute*** random code at all.

The problem with Windows is not necessarily programmers, it's the design and the expectations of its users. For some reason, if your email client doesn't automatically execute and display that Powerpoint presentation without warnings, people get annoyed. If the Flash/Java sections of a website aren't seamlessly executed as they load people think things are broken. If the executable they download isn't immediately installable, they question it. If their Word macros don't run when they open the documents, they complain.

The "saviour" of other OS is really the culture (because we're not immune to the same things happening on Linux, etc. you know?) - You *can't* execute code without the execute bit set, and users of the system know WHY that is, and they are careful about what they apply the execute bit to (and we don't put up messages that say "Hey, this isn't executable, shall I do it for you?").

Is there an equivalent concept of "non-executable" on Windows that's usable in an everyday environment for random users? Not really. The nearest you get is Software Restriction policies, but they are a nightmare to manage and nobody uses them (and even then it's still possible to execute random code from the Internet if you just pipe it through a trusted program, e.g. a Word macro).

If you use a decent browser with the correct security, Flash/Java apps appear as nothing more than a play button that *YOU* decide to click and ZERO code is executed from that app until you do (and you'd be amazed how many play buttons I see each day just browsing ordinary websites that I *NEVER* click on because I stop noticing they are there unless I've gone to something that I understand NEEDS to execute a Java app for whatever reason).

Why a web browser NEEDS to run executable code to do its job, I'll never understand - it's nothing more than a renderer, like Ghostscript, except you don't see Ghostscript executing in-built shell commands or machine code in the Postscript its trying to render (though even that's had its fair share of problems, they are NOTHING compared to a browser flaw). Does Internet Explorer even have options to let you selectively load Flash/Java? No (and even on Firefox, it's an additional plugin). Opera has it available by default, though.

Hell, Intel, nVidia, Windows Update etc. encourage you to run an ActiveX or Java app so they can "detect your hardware" to choose the best drivers - does that not throw warning bells to people about how much access it would have to the system if you allowed it? And because it's the largest companies (and even the suppliers of the damn OS) that encourage it, people think that's okay.

The problem of viruses is NOT computer related, it's entirely user-related. Not updating software, not running AV (though I'm against the whole idea of AV, personally, when managing your computer properly works so much better), not clicking Yes, inserting untested storage devices, having Autorun enabled, not having the most basic firewall, etc. The holes that are there are there because of the design / choices / implementation of the OS manufacturer, sure, but they get exploited because of the choices of the user.

The systems that OS vendors have deployed against viruses include anti-virus (the biggest scam of our time, as far as I'm concerned), forcing Autorun off after 10 years of OS deployment, running browsers in separate processes to explorer windows and other ridiculous half-measures.

At no point is there a mention of complete isolation (as in a chroot-style environment - why does a browser EVER need to write to anything other than a single downloads directly that the OS won't let you run programs directly from it?), or of just not executing this crap by default. How many programs actually assign Windows ACL permissions to their folders, for example? Hell, historically WMF's were nothing more than a list of GDI-executed