Archive for February, 2008

What’s the Worst that Can Happen?

February 28th, 2008 by Robert McArdle (Threats Analyst)

Identity theft — the crime that people think happens only to other people.

Most people I have talked to about identity theft have been mildly concerned, but normally think that it is not something they themselves should worry about. After all, they tell themselves, “I only use the Internet to check my email and occasionally buy things — what’s the worst that can happen?”

I would imagine that is exactly what a fellow Irishman who uses the eBay handle jopsoup was thinking as he strolled into a local Internet cafe to check his email, only to find that he owed $3,002,150. I would also imagine that he had quite different opinions of identity theft by the time he got up to leave.

It appears that this man’s eBay account details had previously been stolen (most likely by a password-stealing Trojan installed on a machine in the same Internet cafe he always frequented) and were then used to place the winning bid on a massive collection of music being sold on the well-known auction site. The collection on its own is quite impressive, with over 300,000 CDs (that’s 75 16GB iPhones for all you youngsters out there).

The UK Home Office estimates that identity theft cost the British economy £1.7 billion over the last three years, figures that have been echoed by other governments around the world. The fact is that your data, no matter how trivial, can be very valuable if it falls into the wrong hands. Let’s be careful out there. The Web can be a dangerous place, and just as you would when exploring a new city or town, it pays to be prepared and protected before venturing into it.

More Italian Jobs on the Loose

February 27th, 2008 by Paul Oliveria (Technical Communications)

In the security industry, Italy is probably best remembered for three things: the gay porn worm that hit the Italian senate in 2004, the Gromozon/LINKOPTIM event (2006), and more recently, the Italian Job (2007). Not surprisingly, other attacks followed (see this, this), and for the past couple of days, TrendLabs researchers have again been alerted to a couple of malicious activities that seem to be trying to make their own mark, however unwelcome, on that country.

The first attack is a slew of email messages purporting to come from “CAFF” (Comando Antifrode, which, by the way, is a non-existent organization), telling recipients that they are under investigation and directing them to a very legitimate-looking Web site. Unbeknownst to the recipients, the site contains links that download malware.

This incident comes on the heels of another that TrendLabs has been monitoring because it appears to take a page from the Italian Job. Research Engineer Juan Pablo Castro came across several Italian Web sites that had been hacked and had a folder named portal_memberdata/portraits/{random string} inserted into them in order to redirect users to adult sites or fake pharmaceutical sites, among others.

Upon further investigation, all of the compromised sites were found to have been built with Plone, an open-source content management platform. Juan Pablo believes that the miscreants took advantage of a vulnerability in the platform (several have been discovered before, such as this one, according to AusCERT) to perform the redirection routine described above.

Trend Micro already blocks malicious URLs and detects malicious files related to these recent attacks.

Botnet Gang in Quebec Set to Appear in Court Today

February 27th, 2008 by Macky Cruz (Technical Communications)

We recently blogged about big botnet contender Mega-Dik to remind people of the pervasiveness of botnets today (and that Storm is not the only force to reckon with in terms of illicitly acquired distributed computing power).

It is thus with great cheer that we pick up this report from the Calgary Herald’s Ravensbergen. After observing the activities of the suspected hacking ring in an investigation stretching as far back as 2006, the Quebec police, headed by Capt. Frederick Gaudreau, were able to apprehend 17 people (aged 17 to 26) in raids conducted almost a week ago in 12 towns across the province.

By using remote-access software, these people (one of whom is a 19-year-old woman) were able to extend their control to around a million computers in more than a hundred countries. The zombified computers were made to conduct various spamming and phishing activities on behalf of the bot masters. Victims of this gang were from Poland, Brazil, Mexico, Manitoba and the US, amongst others, and the estimated total damages to governments (which the police chose not to name as of this writing), businesses and homes was pegged by Gaudreau at $45M.

The suspects in these computer-related crimes enabled by the botnet are set to appear in court today to answer charges of illegally obtaining computer services (a maximum of 10 years in jail), but more charges may follow after forensic analysis of the hardware confiscated during the raids. The entire operation consumed a lot of manpower, as hundreds of Quebec police and Royal Canadian Mounted Police officers were said to have worked together to take this group down. In any case, this victory only goes to show the seriousness with which authorities across the world are taking crimes committed online.

Other news sites report this bust here and here.

RTKT_PUSHU.AC - Rootkit Remover?

February 27th, 2008 by Edgardo Diaz, Jr. (Threats Analyst)

Malware that removes rootkits? There has to be a catch.

Our recent analysis of RTKT_PUSHU.AC reveals that this component of the WORM_NUWAR and TROJ_PUSHDO/TROJ_PANDEX malware families removes rootkits previously installed by other malware, and then infects the system with its own rootkit components.

The rootkit, which is essentially a device driver, is dropped by the malware to remove the following hooks on the affected system:

  • System Service Dispatch Table (SSDT) Hook
  • IRP and Device Hooks for the following sys files:
    • Ntfs.sys
    • Ndis.sys
    • Tcpip.sys
    • Ipfltrdrv.sys

The driver also removes the Create Process Notify and Create Thread Notify routines registered on the affected system (the callbacks that drivers, including security software, register through PsSetCreateProcessNotifyRoutine and PsSetCreateThreadNotifyRoutine to be told about every new process and thread), so that the processes and threads started by the malware go unreported.

The same component is also used to update the rootkit itself and to reinfect the system with its malicious routines.

Below is an example scenario of how RTKT_PUSHU.AC executes its routines:

The first screenshot shows two rootkits that have been installed on the system. WINCOM32.SYS, detected by Trend Micro as TROJ_DORF.AA, hooks the SSDT for file and registry hiding. RUNTIME.SYS, on the other hand, is detected by Trend Micro as TROJ_ROOTKIT.DU and hooks the IRP dispatch table of TCPIP.SYS for port hiding. Also shown is RTKT_PUSHU.AC, installed on the system as IP6FW.SYS.

[Screenshot: TROJ_DORF.AA, TROJ_ROOTKIT.DU, RTKT_PUSHU.AC]

Upon execution, TROJ_DORF.AA and TROJ_ROOTKIT.DU go into action.

TROJ_DORF.AA hooks the SSDT as shown below. The hooked entries falsify the results of system service calls handled by NTOSKRNL, which enables the rootkit to hide certain processes and files on the affected system.

[Screenshot: TROJ_DORF.AA]

As a result, the file WINCOM32.SYS, detected by Trend Micro as TROJ_DORF.AA, is now hidden, as shown in the screenshot below:

[Screenshot: TROJ_DORF.AA]

On the other hand, TROJ_ROOTKIT.DU hooks IRPs related to TCPIP.SYS, as shown in the following screenshot:

[Screenshot: TROJ_ROOTKIT.DU]

As a result, TCP ports on the affected system are now hidden:

[Screenshot: TROJ_ROOTKIT.DU]

Now, upon the execution of RTKT_PUSHU.AC, the SSDT hooks are gone:

[Screenshot: RTKT_PUSHU.AC]

So the file WINCOM32.SYS detected as TROJ_DORF.AA is now visible again:

[Screenshot: TROJ_DORF.AA]

The IRP hooks related to TCPIP.SYS are gone as well:

[Screenshot: TROJ_ROOTKIT.DU]

As a result, the previously hidden ports are visible again:

[Screenshot: TROJ_ROOTKIT.DU]

The catch: RTKT_PUSHU.AC does disable the rootkits previously installed on the system, but only so that it can infect the system with its own rootkit components, or update components of its own that were installed earlier.
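The cross-view check that a rootkit scanner runs against these tables, and that the screenshots above reflect, can be shown in user-mode C. The block below is an added example; it is not part of the original post and not code from any Trend Micro tool. It models the scenario with constructed data: a toy loaded-module list with invented base addresses and sizes, a small SSDT, and tcpip.sys’s MajorFunction[] array, with TROJ_DORF.AA’s two SSDT entries pointing into wincom32.sys and TROJ_ROOTKIT.DU’s IRP_MJ_DEVICE_CONTROL entry pointing into runtime.sys. Each table entry is resolved to the module that owns it; an entry that lands in an image other than the expected one, or in no image at all, is reported as a hook. Writing the original pointers back, which is how the `restore` flag models RTKT_PUSHU.AC’s removal step, empties the report again. Only the IRP_MJ_* indices are real values (from ntddk.h); the module addresses, sizes, offsets and the SSDT length are invented.

```c
/* hook_audit.c: cross-view audit of kernel pointer tables (the SSDT and a
 * driver's IRP dispatch table) against the loaded-module list. User-mode
 * model with constructed data; every address below is invented.
 * Build: cc -std=c99 -Wall hook_audit.c */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IRP_MJ_CREATE            0x00   /* real IRP_MJ_* indices (ntddk.h) */
#define IRP_MJ_DEVICE_CONTROL    0x0e
#define IRP_MJ_MAXIMUM_FUNCTION  0x1b
#define NUM_MJ (IRP_MJ_MAXIMUM_FUNCTION + 1)
#define SSDT_ENTRIES 8                  /* toy SSDT; a real one has hundreds */

typedef struct { const char *name; uintptr_t base; size_t size; } kmodule;

/* Constructed loaded-module list for the post's scenario (invented addresses). */
enum { NT, TCPIP, WINCOM32, RUNTIME, NMODS };
static const kmodule modules[NMODS] = {
    { "ntoskrnl.exe", 0x804d7000u, 0x1f8000 },
    { "tcpip.sys",    0xf7a00000u, 0x0a0000 },
    { "wincom32.sys", 0xf8c00000u, 0x008000 },  /* TROJ_DORF.AA */
    { "runtime.sys",  0xf8d00000u, 0x004000 },  /* TROJ_ROOTKIT.DU */
};

/* Which loaded image contains addr? NULL means unbacked memory (a hidden
 * driver or code in a pool allocation), which is always suspicious. */
static const kmodule *owner_of(uintptr_t addr)
{
    for (size_t i = 0; i < NMODS; i++)
        if (addr >= modules[i].base && addr < modules[i].base + modules[i].size)
            return &modules[i];
    return NULL;
}

static int allowed(const char *name, const char *const *ok, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, ok[i]) == 0) return 1;
    return 0;
}

/* Every entry must resolve into one of the allowed images: ntoskrnl.exe for
 * the SSDT; the driver itself or ntoskrnl.exe for a MajorFunction[] table
 * (unimplemented IRP_MJ slots legitimately point at nt!IopInvalidDeviceRequest).
 * Returns the number of entries that do not, printing each one. */
size_t audit_table(const char *label, const uintptr_t *table, size_t n,
                   const char *const *ok, size_t nok)
{
    size_t hooked = 0;
    for (size_t i = 0; i < n; i++) {
        const kmodule *m = owner_of(table[i]);
        if (m && allowed(m->name, ok, nok)) continue;
        hooked++;
        printf("%s[%zu] = 0x%08lx -> %s  HOOKED\n", label, i,
               (unsigned long)table[i], m ? m->name : "<no module>");
    }
    return hooked;
}

size_t audit_ssdt(const uintptr_t *ssdt, size_t n)
{
    static const char *const ok[] = { "ntoskrnl.exe" };
    return audit_table("SSDT", ssdt, n, ok, 1);
}

size_t audit_irp(const char *driver, const uintptr_t *mj)
{
    const char *const ok[] = { driver, "ntoskrnl.exe" };
    return audit_table(driver, mj, NUM_MJ, ok, 2);
}

/* The post's scenario. restore=0: TROJ_DORF.AA has redirected two SSDT entries
 * into wincom32.sys and TROJ_ROOTKIT.DU has redirected tcpip.sys's
 * IRP_MJ_DEVICE_CONTROL into runtime.sys. restore=1: the saved originals are
 * written back, modelling RTKT_PUSHU.AC's removal step. Returns the total
 * number of hooked entries the audit finds. */
size_t scenario_hooks(int restore)
{
    uintptr_t ssdt[SSDT_ENTRIES], orig_ssdt[SSDT_ENTRIES];
    uintptr_t mj[NUM_MJ], orig_mj[NUM_MJ];

    for (size_t i = 0; i < SSDT_ENTRIES; i++)
        orig_ssdt[i] = modules[NT].base + 0x1000 * (i + 1);
    for (size_t i = 0; i < NUM_MJ; i++)
        orig_mj[i] = modules[NT].base + 0x2a0;          /* IopInvalidDeviceRequest */
    orig_mj[IRP_MJ_CREATE]         = modules[TCPIP].base + 0x1200;
    orig_mj[IRP_MJ_DEVICE_CONTROL] = modules[TCPIP].base + 0x1400;
    memcpy(ssdt, orig_ssdt, sizeof ssdt);
    memcpy(mj, orig_mj, sizeof mj);

    ssdt[3] = modules[WINCOM32].base + 0x400;           /* file/registry hiding */
    ssdt[5] = modules[WINCOM32].base + 0x600;
    mj[IRP_MJ_DEVICE_CONTROL] = modules[RUNTIME].base + 0x800;  /* port hiding */

    if (restore) {
        memcpy(ssdt, orig_ssdt, sizeof ssdt);
        memcpy(mj, orig_mj, sizeof mj);
    }
    return audit_ssdt(ssdt, SSDT_ENTRIES) + audit_irp("tcpip.sys", mj);
}

int main(void)
{
    printf("before RTKT_PUSHU.AC: %zu hooked entries\n", scenario_hooks(0));
    printf("after  RTKT_PUSHU.AC: %zu hooked entries\n", scenario_hooks(1));
    return 0;
}
```

On a real system the same comparison is made from a kernel driver, reading KeServiceDescriptorTable and each DRIVER_OBJECT’s MajorFunction array and resolving the pointers against the loaded-module list; the verdict logic does not change. Two caveats are built into the model: a dispatch entry that resolves into ntoskrnl.exe is not a hook, because unused IRP_MJ slots point there by design, and an inline patch placed inside the expected image (as opposed to a redirected table entry) is not caught by this check at all.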

“Live or Die” - Part 2

February 27th, 2008 by JM Hipolito (Technical Communications)

A sequel to the old “pay up or we’ll kill you” scheme has recently surfaced and is getting publicity on various Web sites.

This scam, which seems to have begun back in April 2007, has appeared in various forms but always with the same MO. It comes as an email message from a person who claims to have been paid by someone to kill the recipient. The supposed “killer” then asks the recipient for a certain amount of money in exchange for their life. Messages were reported to contain the following:

Subject: BE MORE CAREFUL
From: “BE MORE CAREFUL”
Reply-To: william1111@live.com
To: undisclosed-recipients:;

I am very sorry for you, is a pity that this is how your life is going to end as soon as you don’t comply. As you can see there is no need of introducing myself to you because I don’t have any business with you, my duty as I am mailing you now is just to KILL you and I have to do it as I have already been paid for that.

Someone you call a friend wants you Dead by all means, and the person have spent a lot of money on this, the person also came to us and told me that he want you dead and he provided us with your name ,picture and other necessary information’s we needed about you. So I sent my boys to track you down and they have carried out the necessary investigation needed for the operation on you, and they have done that but I told them not to kill you that I will like to contact you and see if your life is Important to you or not since their findings shows that you are innocent.

I called my client back and ask him of you email address which I didn’t tell him what I wanted to do with it and he gave it to me and I am using it to contact you now. As I am writing to you now my men are monitoring you and they are telling me everything about you.

Now do you want to LIVE OR DIE? As someone has paid us to kill you. Get back to me now if you are ready to pay some fees to spare your life, $30,000 is all you need to spend You will first of all pay $15,000 then I will send the tape to you and when the tape get to you, you will pay the remaining $15,000. If you are not ready for my help, then I will carry on with my job straight-up.

WARNING: DO NOT THINK OF CONTACTING THE POLICE OR EVEN TELL ANYONE BECAUSE I WILL KNOW.REMEMBER, SOMEONE WHO KNOWS YOU VERY WELL WANT YOU DEAD! I WILL EXTEND IT TO YOUR FAMILY, INCASE I NOTICE SOMETHING FUNNY.

DO NOT COME OUT ONCE IT IS 7:PM UNTIL I MAKE OUT TIME TO SEE YOU AND GIVE YOU THE TAPE OF MY DISCUSSION WITH THE PERSON WHO WANT YOU DEAD THEN YOU CAN USE IT TO TAKE ANY LEGAL ACTION. GOOD LUCK AS I AWAIT YOUR REPLY TO THIS E-MAIL CONTACT

Other variants contain the same message, only with different amounts of money demanded by the sender. Here is a sample email of the scam:

This scheme is fairly old, but its age does not eliminate the possibility of someone falling for it. Trend Micro advises recipients of an email message similar to the one shown above to ignore it.
