zeus

  • Humo, libelle, telemoustique were lucky, others still sleeping malware agents for nemohuildiin.ru

    first not all sites or pages that are shown in googledorks are in fact still infected, the reason is that they didn't indicate to Google that they were the owners of the domain and that Google didn't came back after the clean-up.

    But it does show that these sites were injected with this kind of scripts and maybe haven't reviewed their securitypolicies and can in future again be abused.

    If you read the post on the Internet Storm Center that is it interesting that those infections for the moment were not only very professional but they didn't load any malware... untill when. When you take into consideration that the site in question is on the list of the Zeus Botnet command and control servers, you can only assume that they were building a new network for a new attack (linked to spam that would have sent their users to these pages on these normal trustworthy popular websites of popular magazines). Or that some of the network has been disbanded or overtaken and that they couldn't get access to their infected 'sleeping cells'.(terrorism language)

    and this advice you should post on your wall somewhere

    "SQL injection is bad and something people need to avoid by developing web applications safely. There are some tips for this:

    • Sanitize input data: Input entered from the user should not contain any sql sentences or commands at all. Check for good data by validating for type, length, format, and range.
    • Use store procedures: Your web application should have predetermined SQL sentences for data access. If the user request some specific information, the application invokes the specific store procedure, so there is no possibility of crafting dynamic SQL request.
    • Use an account with restricted permissions in the database. You should only grant execute permissions to selected stored procedures in the database and provide no direct table access.
    • Avoid disclosing database error information. Make sure you do not disclose detailed error messages to the user, because detailed error information shows the attacker where to check if the attack was unsuccessful."

    http://isc.sans.edu/diary.html?storyid=9397

     

     

  • what should zeus v4 do

    If I was the criminal than I have the following problems to solve

    First I need to send all the instructions and false logon pages from the first infection and not afterwards. The lesser connections I have the better.

    Secondly I would need to have moneymules in the same country as the user because if somebody never sends money outside his country the bank may halt the transaction.

    Thirdly I will need to get the logins for his email so I can send or intercept emailalerts coming from his bank (or confirm them). In the last case it becomes very hard for the individual to proof that he didn't do it. Having his phone number and sending an SMS confirmation or intercepting it would be also nice.

    Fourth I would like to send all the stuff over to my server or my fastflux botnet just after the secure connection with the bank.

    Fifth I would like to destroy myself and every fingerprint of my existence.

    as a commentator pointed out, each of these things are already more or less possible in Zeus. Maybe every group uses its malware differently and some are more efficient than others. This makes this tool a bit more interesting and dangerous if it falls in the wrong hands.

    The comments about the quality of the analysis of M86 I leave for him but it is the only thing available right now. I hope that in the near future more analysis would be available and that would answer some strategic questions about the presence of securityware, about the detailed process and techniques and about why the bank didn't see it happening. The details are also the most interesting part of the analysis and I love to see more details coming out. For the moment it is just bits and pieces and a lot of rewriting, copy/paste and relinking.

  • Zeus version 3 and the individual user and his bank

    With this infection is becomes very difficult for the user to prove to the bank that he didn't do these transactions and that he shouldn't take any blame or puhishment for them.

    The bank supposed that it was him because they only saw his login from his IP adress and Macadress and with the additional passphrases. Some banks can really be a damn nuisance when it comes to accepting that it can be that the post of the client was infected and that the transaction happened from ON THE PC of the client and from some other operator somewhere in Eastern Europe or China (easy to detect and stop).

    This will make it a legal nightmare for the banks and the consumer organisation because even if a client installs securitysoftware and even if he is careful and only visits normal sites (like Humo.be and libelle.be in Belgium) he can still be infected and redirected in a  normal secure situation you can imagine from a normal computeruser.

     

  • the big bad wolve Zeus and the three piggies

    THere were three little piggies who wanted to build a website to keep their money safe from the big bad wolve Zeus.

    The first did it all by himself and just set up some http forms and for the rest didn't look much after security.

    This webservice was blown away by the first attack by the Big bad wolve Zeus

    The second went to a professional webbuilder and hoster and used some sort of SSL and had some other antifraud mechanism but because he wanted to be userfriendly he didn't insist too much on the security of it all.

    It took the big bad wolve Zeus some time but he attacked and penetrated the system anyway quite easy and dramatically after some tests.

    The third piggy did even more than that and just didn't mind about the customers. His customers just wanted to be safe and would understand that that was the most important thing. His security staff and his security investments were quite substantial but so was the growth of his business as those from the other piggies were coming to him because the other online services were blown away one after another.

    The big bad Wolve Zeus is camping outside his infrastructure, observing every step, scanning for the most unimportant leak or whole to use but without much success. Most of the time he goes away blowing away houses from the other piggies. But as he sees all those customers flee to the third piggy he goes back there from time to time, just to test because you never know.

    But the builders of the third house see him coming every time and are always on their alert, paranoid as they are that the big bad wolve is out there somewhere waiting to take also their house apart. Only each of them says 'not on my watch' and at the end of the day they are quite happy about that.

    ps this also goes for hackers and sql injectors and infectors

  • Did Zeus attack the most vulnerable online banks

    You can't tell from the fame or return of a bank if its online operations are safe or not. There are a whole lot of other things to take into consideration. Some big banks have some really stupid configuration (for example in their SSL leaving MITM renegotiating open which was used by Zeus)

    So the botnet crimemasters did only attack specific banks in specific countries.

    Why these banks - as we don't know yet which bank was attacked. And maybe that is understandable because its online reputation would be just squashed and it would be forced to invest millions in infrastructure to be able to be trustworthy again.

    Maybe this is the darwin process of online security. The botnets will kill the unsecure ones, one after another and only those that adapt and do the right things to stay secure will survive.

    So the risk for the online financial transactionbusiness is changing.

    Secure yourself or be killed by a botnet or several ones.

    I don't know, just an idea

     

  • Zeus botnet : humo, telemoustique, flair and other belgian sites are taking big risks

    the last couple of weeks and yesterday some forums and articles of these sites have been infected with malware or redirects to malware. They have cleaned it up but it is not clear if they have done the necessary changes to make it impossible to be abused again.

    These websites are highly trusted by the visitors and are quite popular by a wide segment of the online population. Their users are not necessarity IT educated and it is not necessary that they have the necessary protection and knowledge to stop an infection. The only reason they can get this infection is by visiting those pages. I know that a lot of people who visited these websites were redirected to Russia.

    That is why I contacted the CERT.

    Blocking russia and china on your network is not a bad idea if you don't need it. In the 9 years that I have done so it has prevented so many infections that I have stopped counting them.

    But the risks for these firms are enormous. They are belgian sites with mainly belgian visitors who use mainly Belgian financial institutions who all fall under the Belgian law in which the principle of working as a good father is more or less sacred.

    THis was a financial information stealing botnet that is of the highest quality and is not stopped by most securityware available now and has proven to be effective.

    Anyone did any risk assessment over there ? Reputation damage ? Loss of business if browsers start blocking the sites alltogether because unsafe or because the online reputation is too low or because Google blocks the whole site ?

    You have three options that even may work together

    * place a WAF Web application firewall before your sites if you can't upgrade (it has to protect also against injections, xss, cross domain manipulation, malvertising, redirects etc....)

    * close down all the comments and interactive functions that aren't popular or needed and if you keep them don't accept any code, images, active links and put on a word filter (viagra, porn, ......) and look for a service provider to clean them in real time around the clock (a big business in France I have read). Clean also all your pages from any older posts that are in english and spam or bullshit (or just throw them away - you won't be the last to destroy all the comments in one time claiming to clean your site for securityreasons).

    * monitor all pages of your site for changes and new pages with a specialized tool (especially if you have an enormous number of pages or when they come from a database). Those changes may in some cases be sent to a firm who monitors the changes (see above) and approves them or put them on hold (hacks, injections, spam).

    Because once they know that you are injectable than you will be attacked again.
    It is like with website hacks

    Once hacked, always attacked untill you are hacked again.

    Except if as a good housefather you do the right thing and you can't be held accountable afterwards because you have done what you are supposed to do if you want to deliver to your visitors and your advertisers a secure and clean online environment. And if after all that, you get still hacked, spammed or injected you have at least done what you should have done and it will be hard to make a legal case against you. In the other case, you are taking a gamble. When you gamble you can win big and ..... lose big.  The question is if it is worth it, the risk.

  • the one big vulnerability of the Zeus botnet money stealing process

    If you read the M86 report in a process way of kind (what happens when how) than you will see the following weak spot.

    When the user logs in to a particular bank the malware sends a command to the botnet server in Moldavia that sends back a fake adapted logon screen and receives the logon and sends instructions to the bank

    let's define that otherwise

    when the user is logging on to the bank another application on the PC of the user connects via the firewall of the user to a known botnet command and control center of a botnet and sends, receives and resends information and commands

    this means that to stop this from happening

    * financial and other instructions have to take place in a clean feed or after a separate logon to the ISP (where you can only logon to certain secure services and there is nothing else possible)

    * connections to secure logins have to take place within a special application (eventually updated and controlled by the ISP) that make a direct tunnel between the application and the server and makes the firewall drop all other traffic untill the application is closed down.

  • Malvertising was also used by Zeus to distribute itself in the UK

    When you are reading the report from M86 about the new Zeus botnet than the question that you ask yourself is how were they able to infect only users in the UK (for 90%) and than launch their targeted attack against one bank in particular.

    As the team from M86 forced itself access to the Control and command server they saw that the referers of infected posts to that commando center came from banners and ads that were distributed by real online advertising agencies. And even if the names are blurred, it are not only small businesses.

    It means that you will have to be very careful by responding as a webmaster to offers that seem to good to be true because you may unwillingly have become part of a malware distribution network. Say a fake virus distribution pays 10 dollars for each installation. But you will never deal with that illegal operation directly I suppose. But say that a banner agency says it will pay your normal highly visited site a dollar for each click (not even installation). That sounds to good to be true for most of them. The distributor of the fake virus has only to convince or infect 2 out of every 10 visitors to make money while he is sleeping and going on holiday.

    It also means that the online firms that are resonsable for the distribution of banners - how big they even maybe - will now have to set up a rigorous testing and controlprocedure before the ads are launched on the sites. Only the banner distributioncompanies that do that will survive. The others will be blocked as malvertising because they won't be trusted enough and as an advertiser you don't want your ads to be distributed by a firm that is blocked worldwide because of malvertising and infections.

    There is also the problem of responsability. Take that a visitor of my site complains about an infection it had through a banner. I am not responsable because I don't have any control over that content. I will turn to the online advertising company. They may try to turn that to the advertising who inserted the malvertising in their networks, but there I say Good luck, you will maybe able to prosecute one russian or Chinese in a thousand.

    Browsing without banners and advertising becomes now even more interesting - which means that if the online advertising business doesn't clean up its act it will simply kill itself. And this will have an influence on the survivability of free content and the free internet an sich.

  • FAQ for users about the Zeus botnet

    I have an antivirus. Is that enough ?

    No. Most antivirus products can't protect against those infections. The detection levels are quite low. The free Microsoft Essentials seems for the moment to do the trick. You can install it alongside your other antivirus

    How can I see if I am infected ?

    It seems that this version of the infection blocks the updating of the windows stations. As there are now a lot of windows patches to install, please go to http://update.windows.com and try to update. If you can't install any updates, than there is a big chance that you are infected with something.

    If you have a firewall, you should block all outgoing connections and open them one by one. This takes some time, but normally you will that a connection is connected to a certain software and if you don't know the software, you shouldn't be sure to let it go out.

    The proxy tries to connect to some servers in Eastern Europe.

    I have a Mac I am safe


    Not necessarily as the infectorsites also attack macintosh software like Safari

    I have a virtual environment so I am safe

    Not necessarily, this is under investigation.

    I don't go to bad sites, I can't get infected

    There are at least 40.000 pages of normal websites infected with scripts that will send your browser to sites that will try to infect your computer.

    I use Firefox or another browser than Internet Explorer, so I am safe

    The attacks against the computer are not only against several browsers but also against readers of popular programs and files like flash, adobe pdf reader and so on. You may be sure that you  will have those on your machine and they should be updated. You can test this with the free software monitor from secunia. 

    When I log on to my bank, should I take certain precautions
    Yes. You should stop any other program on your PC - apart from your securitysoftware.
    So, no chat, P2P or downloads, FTP or http, or any other site open and be logged out of all other sites.

    Secondly you should type the logon address of your bank manually every time.
    You don't click on links or on favourites. You are never sure what is behind them sometimes.
    You should read slowly the link that you have in your browser and control it with the link
    you have somewhere on paper. If there is any difference because you are redirected you stop.

    for example   www.mybanklogin.com  and www.mybanklogins.com (in russia)

    If I am a bit paranoid is there anything else I can do

    You could log off your computer especially if you were administrator and let the computer go totally out for a minute. When you restart you log back on as the most limited user possible.
    You than look for updates of your computer, securitysoftware and most popular applications.
    You scan the computer for viruses and if there aren't any you open a browser.
    You make sure that the browser is put in highsecure and that you have a noscript addon running

    When I log on to my bank, it is in SSL so I am safe

    Doesn't mean a thing for this new virus, so go on

    I can only logon with an ad random password

    Doesn't mean a thing because it intercepts anything.
    If your bank or secure connection does only use a logon than there is a problem.
    It is not tested yet but maybe the virus can't interfere if you have a special application on your pc that makes the connection for homebanking or when you have to use your EID.
    It would be interesting to test that.

    What should I do during my transactions ?

    First you should stop all action and log off completely if you see that something is not normal with the computer or with your account. If you have lost a lot of money since the last  logon you don't close down the computer but call the police. Shutting down the PC may make the  proof or virus disappear. Before the police takes your computer with them if they can't make a virtual copy, you should ask them to if you can copy a certain number of files you need. Take into consideration that it is an infected computer and that you should test that backup with more than one antivirus and securitysoftware to have some assurance that it will not infect other stations.

    Secondly use all the controls and limitations that the bank may give you. Alert via email, sms blocking certain accounts, transactions or amounts. It is better that those may not be changed online.

    Take screenshots in PDF (use a PDF writer incorporated in your browser) of everything you want to do. THis is before and after. THe situation of your account before you start the transaction and the transaction and the situation afterwards. Give every PDF file the date and eventually the name of the transaction. Safe those to a folder in which you keep those files and give them a stupid name.

    I do that everytime. After a while I burn them to a disk and delete them from my computer with a sureshredder. Do not send them with your mail and if you do do not keep them there.

    Change your password often

    oh
    xp sp2 and windows2000 can't be secured
    so is internet explorer 6

  • some questions and thoughts about the bank robbed by Zeus botnet

    If more than 40.000 pages worldwide are infected with a redirector to an infector
    and already one bank has lost a million Euro in fraud, than this is a crisis.


    1. The free securitysoftware


    The bank in question gave its users free securitysoftware.

    If the user didn't install it and didn't install any securitysoftware is the user responsable (for a part) because he didn't secure himself enough (for free).

    And even if he didn't shouldn't the bank have refused access to its financial transactions (maybe looking but not 'transacting') because no securitysoftware was installed while the bank was giving it away for free.

    But take for a moment that it is true that there were also 3000 apple computers infected, for sake of the argument. If the bank didn't foresee a securitysoftware for the other operating systems shouldn't it be considered irresponsable ?

    And consider for a moment that people installed it but that the product was causing problems on their pc's with other software or sites, do they have the right to desinstall it and install other securitysoftware ? And shouldn't the bank prove that it has taken all those considerations into account during the selectionprocess of the product (and not a selection solely on the basis of price).

    And consider for a moment that someone did install the securitysoftware and that the virus was not discovered by the securitysoftware - even when it was installed in its most secure and updated role, what are the responsabilities of the maker of the securitysoftware - taken into consideration that the services are for clients of a financial institution that need the uppermost security during those transactions.

    And consider that the best of practices and pre-configured installations were not too hard to make it not too difficult on its client, who is than responsable ? THe marketing department that argued against the security (paranoid) department.

    And can we say that this distributed product (whatever the version) is enough for today's online  financial institutions if one reads that the virus could stop the windowsupdate, install a proxy and send traffic to a server in Eastern Europe ?

    2. THe interception itself

    It looks as if the users were confronted with a new logonpage in which instead of filling in the ad random numbers they had to insert the whole code. Did the bank enough to warn its users against such attacks ? Did the bank invest enough in security awareness ?

    When the bank saw that people instead of sending over just some parts of the code, inserted the whole code, what did it do ?

    3. THe money transfer

    Shouldn't the bank ask for a confirmation by email or other means (sms) or letter or invitation to the local bank (big sums) before transferring the money. I know there is a culture of the instant but that also makes instant theft possible. Sometimes it is better to have some controls or to give the user the possibility to activate them and to set the limits for which he wants those controls.

    Shouldn't the bank give the possibility to limit the number of accounts that you want money send to. For example apart from the utilities, my creditcard and some other big payments there are no moneytransfers I do (and I don't do online banking....). Why would money be transferred to an account I have never before paid something to ?

    The bank didn't see it happen because the sums were too low for the behavioral controls and the sums that were sent to each money mule were also limited (so the global analysis didn't trigger any alerts). Also the sums were transferred when there was a certain sum on the account so it probably happened after payday. This is a moment at which many people have the biggest transfers of the month.

    When did the user see that the transfer was done and what did he do and did the bank believe him that it was a virus and that he didn't agree to such a transfer. When that mas made clear what was done inside the bank with that information.

    4. THe discovery

    It was a securityfirm who found out about it by luck. Did they wait too long before alerting the bank or should they have gone immediately to the police ? They have said that it was quite a task to get the  right information to the right person at the bank ? Should the bank have a clearly advertised cybersecurity or CIRST department where securityresearchers, branchmanagers and users could send their questions and  their findings ? This service should be available around the clock like any emergency service.

    If the cost is too high for one bank it should be set up for the whole sector and be funded.

    5. The information

    Who informed the users and what was said to them ?

    From one response it is already clear that the bank asked him to get a new login with his compromised login.

    When was decided to block certain users or accounts and what kind of digital evidence will be used.

    How can the users have enough trust in the online transactions if the security installation is not upgraded
    and the monitoring re-inforced.