
    Archive for August, 2009




    CRIME/IDENTITY

    Albert Gonzalez

    Albert Gonzalez may be taking the majority of the heat (and rightly so), along with the full force of U.S. law enforcement prosecution, but he is only the tip of the proverbial iceberg.

    There is an entire Eastern European organized criminal operation that sits further up this food chain.

    In case you haven’t heard, Gonzalez and his co-conspirators are responsible for hacking into TJX, Heartland Payment Systems, Dave & Buster’s, and other retailers and payment processors to steal credit and debit card account numbers.

    As Kim Zetter reports on the Wired “Threat Level” blog, there are multiple Eastern European connections to known organized criminal operations in Russia, Ukraine, and Latvia (and elsewhere), some of which Trend Micro threat researchers have been tracking for several years now.

    Besides these direct hacks of businesses and credit card processors, we have seen very robust growth in malware that directly targets banking institutions and banking login credentials, malware that piggy-backs on banking sessions, and so on, ad nauseam, all in an effort to steal money. Period.

    In fact, the largest growth of malware that we have seen in 2009 has virtually all been geared towards stealing credentials of one sort or another.

    This is organized cyber crime in its most basic form, and it is actually getting worse.

    There is a rather long and twisted history here, especially involving Gonzalez and other individuals involved in similar crimes, but the really interesting connections lead back to Eastern Europe, especially Russia and Ukraine.

    While I’m not trying to make this incident any more shocking than it already is, the real issues are not being discussed in the mainstream media. Luckily, Wired has dug into the background of these issues a bit, and so has Brian Krebs at The Washington Post.

    Make no mistake, these issues are very complicated — all “good” criminals make sure that they are hard to track. But not all tracks are invisible.

    Trend Micro researchers, including myself, have been tracking this specific criminal activity in Eastern Europe for several years now, and we intend first to protect our customers and secondly to work with law enforcement and others to identify the criminals.

    Trend Micro researchers are hard on the trail of these malicious activities, and when we identify sites that are designed to victimize you, we ensure that they get blocked by the Trend Micro Smart Protection Network.

    Make sure you are protected.

    Trend Micro researchers not only ensure that our customers are protected, but we also actively work with international law enforcement to identify the criminal actors behind these crimes.

    Don’t be victimized.

    “Fergie” a.k.a. Paul Ferguson, Threat Research



    [Figure: screenshot of the spam message]
    Just today, we at the Content Security team received a large number of spam messages with a ZIP attachment that contains a backdoor. The email informs the user that the product he or she ordered online has already been shipped, then asks the user to view the tracking details by opening the attachment.

    The attachment is not an Office document, however; it is an executable, which Trend Micro detects as BKDR_REDOLAB.AL. This backdoor’s main duty appears to be to download TROJ_RENOS.BAV. RENOS variants are known downloaders of rogue antivirus components. Our engineers are currently analyzing the capabilities of this Trojan.
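    As an added example (not code from the original post or from Trend Micro), here is the check a mail gateway or an analyst can run on such an attachment before anyone opens it: walk the ZIP and flag any entry that either carries an executable extension (which also catches “document.doc.exe” double extensions) or whose content begins with a Windows PE header, whatever the file is named. The archive below is constructed in memory; the entry names and the minimal MZ/PE stub are made up, since the post does not give the real file names.

```python
"""Triage a spam ZIP attachment: flag entries that are really executables.

Added example, not Trend Micro's code. The archive, file names and the
minimal PE stub are constructed here for illustration.
"""
import io
import struct
import zipfile

# Extensions a mail gateway should treat as executable content no matter
# what the message body calls the file.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def suspicious_entries(zip_bytes: bytes) -> list:
    """Return (name, reason) for every entry that should not reach a mailbox.

    The extension check catches 'document.doc.exe' style double extensions;
    the header sniff catches a PE renamed to look like a document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
            head = zf.open(info).read(4096)   # MZ/PE headers sit in the first KiB
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append((name, "executable extension"))
            elif looks_like_pe(head):
                findings.append((name, f"PE image disguised as {ext or 'no extension'}"))
    return findings


def fake_pe_image() -> bytes:
    """Bytes carrying only the two magic values a sniffer keys on.
    This is not a runnable program, just an MZ header and a PE signature."""
    header = bytearray(0x80)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


def build_sample_attachment() -> bytes:
    """Constructed attachment mimicking the spam run: a 'tracking document'
    that is actually a PE, a double-extension executable, and a harmless
    text file for contrast."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Tracking_Details.doc", fake_pe_image())
        zf.writestr("Order_Details.doc.exe", fake_pe_image())
        zf.writestr("notes.txt", b"Thank you for your order.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_entries(build_sample_attachment()):
        print(f"BLOCK {name}: {reason}")
```

    Sniffing the first few kilobytes rather than the whole entry keeps the check cheap on large archives, and sniffing at all is what matters here: a rename from .exe to .doc defeats an extension filter but not the MZ/PE check.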

    Various Web-based infection vectors have been used in connection with rogue antivirus scams. In the last couple of months, rogue antivirus has been the final payload of blackhat SEO attacks (as in the case of the malicious links that came up when users searched for news about Corazon Aquino’s death and the latest solar eclipse) and of malicious Twitter posts. The last time we saw malicious attachments leading to rogue antivirus was in the “Reconfigure Your Outlook” spam run.

    The latest spam pattern in the Trend Micro Smart Protection Network already blocks this spam run. The malicious files are detected as BKDR_REDOLAB.AL and TROJ_RENOS.BAV. This entry will be updated with the full behavior of the RENOS Trojan.



    It would be easy to think that once someone has logged in successfully to Facebook—and not a phishing site—that the security threat is largely gone. However, that’s not quite the case, as we’ve seen before.

    Earlier this week, Trend Micro researcher Rik Ferguson found at least two malicious applications on Facebook (the Posts and Stream applications). They were used for a phishing attack that sent users to a known phishing domain, with a page claiming that users needed to enter their login credentials to use the application. The messages appear as notifications in the target user’s legitimate Facebook profile, as shown below; the links to the malicious site are highlighted:


    Figure 1. Facebook notifications page

    After entering their credentials, users are redirected to Facebook itself. (The posts detailing these findings, the initial report and a follow-up, can be found on the Countermeasures blog.)

    While Trend Micro has informed Facebook of these findings, users should still exercise caution when entering login credentials. They should be doubly sure that these are being entered into legitimate sites, and not carefully crafted phishing sites. The particular site involved in this phishing attack is already blocked by the Smart Protection Network.

    Image credits: thanks to Rik Ferguson, Countermeasures blog.


    Aug 17, 2009, 11:27 pm (UTC-7)

    Over the past week, Koobface intensified its Twitter campaign, tweeting a variety of messages instead of the single repeated message of earlier spam runs, such as the text “My home video : ).”

    [Figure: Koobface tweets]

    So far, we have seen more than 40 distinct messages spammed to Twitter. Here is a sample of the new Koobface campaign.

    [Figures: samples of the new Koobface Twitter messages]

    The following is the list of messages we have seen spammed on Twitter:

    Congratulations! You are on hidden camera!
    Congratulations! You are on news!
    Congratulations! You are on TV!
    Hey! Are you really in that video?
    Hey! Is that really you in that video?
    Hey! You are on hidden camera!
    Hey! You are on news!
    Hey! You are on TV!
    Holly shit! Are you really in this video?
    Holly shit! You are on hidden camera!
    Holly shit! You are on news!
    Holly shit! You are on TV!
    Nice! Your ass looks awesome on this video!
    Nice! Your ass looks great on this video!
    Nice! Your body looks awesome on this video!
    Nice! Your booty looks awesome on this video!
    Nice! Your booty looks great on this video!
    Saw that video the other day… Did you really do that?
    Saw that video the other day… How could you do something like that?
    Saw that video the other day… How could you do such a thing?
    Saw that video the other day… Why did you do that?
    Saw that video yesterday… Did you really do that?
    Saw that video yesterday… How could you do something like that?
    Saw that video yesterday… How could you do such a thing?
    Saw that video yesterday… Why did you do that?
    Sweet! Your ass looks awesome on this video!
    Sweet! Your ass looks great on this video!
    Sweet! Your body looks great on this video!
    Sweet! Your booty looks awesome on this video!
    Wow! Are you really in that video?
    Wow! Are you really in this video?
    Wow! Is that really you in that video?
    You were caught on our hidden camera!
    You were caught on our secret camera!
    You were caught on our stealthy camera!
    You were seen on our hidden camera!
    You were seen on our secret camera!
    You were seen on our stealthy camera!
    You were sighted on our hidden camera!
    You were sighted on our secret camera!
    You were sighted on our stealthy camera!

    All of those messages come with a URL pointing to a copycat Facebook website, which attempts to install setup.exe, the Koobface malware itself.
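    The list above is plainly generated from a small grammar (an exclamation opener, then one of a few sentence families with interchangeable words), which is what makes it detectable as a family rather than as 41 separate strings. As an added example, not code from the original post or from Trend Micro, the detector below rebuilds that grammar as regular expressions and classifies tweets into the five sentence families, returning the trailing URL for blocking. The sample tweets are constructed, the URL uses a reserved example domain, and the family names are my own labels.

```python
"""Template-based detector for the Koobface Twitter lures listed above.

Added example, not Trend Micro's code. The regular expressions are derived
from the 41 messages in the post; the sample tweets and the URL are
constructed (reserved example domain), not captured from the campaign.
"""
import re
from typing import Optional

OPENER = r"(?:Congratulations|Hey|Holly shit|Wow|Nice|Sweet)!"
# One pattern per sentence family seen in the campaign. Each family accepts
# every word-swap the list shows (ass/body/booty, hidden/secret/stealthy, ...),
# so a new tweet built from the same grammar still matches.
FAMILIES = {
    "on_camera": rf"{OPENER} You are on (?:hidden camera|news|TV)!",
    "in_video":  rf"{OPENER} (?:Are you really|Is that really you) in (?:this|that) video\?",
    "looks":     rf"{OPENER} Your (?:ass|body|booty) looks (?:awesome|great) on this video!",
    "saw_video": r"Saw that video (?:the other day|yesterday)(?:\.\.\.|…) ?"
                 r"(?:Did you really do that|How could you do (?:something like that|such a thing)|Why did you do that)\?",
    "caught":    r"You were (?:caught|seen|sighted) on our (?:hidden|secret|stealthy) camera!",
}
# Whole-tweet form: exactly one lure sentence, then an optional URL, nothing else.
LURE_RE = re.compile(
    r"^\s*(?:" + "|".join(f"(?P<{k}>{v})" for k, v in FAMILIES.items()) + r")"
    r"\s*(?P<url>https?://\S+)?\s*$",
    re.IGNORECASE,
)


def classify(tweet: str) -> Optional[dict]:
    """Return {'family': ..., 'url': ...} for a lure tweet, or None for anything else."""
    m = LURE_RE.match(tweet)
    if not m:
        return None
    family = next(k for k in FAMILIES if m.group(k) is not None)
    return {"family": family, "url": m.group("url")}


def flagged(tweets) -> list:
    """Return (tweet, family, url) for each tweet that matches a lure template."""
    out = []
    for t in tweets:
        hit = classify(t)
        if hit:
            out.append((t, hit["family"], hit["url"]))
    return out


# Constructed samples: three lures in the campaign's wording with a
# placeholder URL, and three benign tweets that share words with the lures
# but must not be flagged.
SAMPLE_TWEETS = [
    "Hey! You are on hidden camera! http://video.example/watch",
    "Saw that video yesterday… How could you do such a thing? http://video.example/watch",
    "You were sighted on our stealthy camera! http://video.example/watch",
    "Saw that video yesterday, great concert! Did you really go?",
    "Congratulations! You are on the team!",
    "my home video from the beach http://photos.example/album",
]

if __name__ == "__main__":
    for tweet, family, url in flagged(SAMPLE_TWEETS):
        print(f"{family:10} {url}  <- {tweet}")
```

    Anchoring the pattern to the whole tweet (lure text plus at most a URL) is what keeps the false-positive rate down; matching the sentence fragments anywhere in a tweet would also catch people discussing the campaign.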

    [Figure: copycat Facebook page offering setup.exe]

    The Trend Micro Smart Protection Network blocks the malicious URLs in this attack so that users never get to download the malicious file. The file itself is nevertheless already detected as WORM_KOOBFACE.V.


    Aug 17, 2009, 5:12 am (UTC-7)

    TrendLabs experts are regularly asked what, in their opinion, are the most dangerous malware of all time. While the question begs more questions, TrendLabs experts give recurring answers based on high-level assessments of how effectively each piece of malware endangered users’ online experiences relative to the technologies available at the time it reached peak prevalence. As MSBLAST marks the sixth anniversary of its appearance on the Internet, we’ve highlighted the worst we’ve seen so far, along with the runners-up, of which MSBLAST is one.

    1. DOWNAD: Multiple Propagation, Multiple Damage – Found in November 2008, this massive threat took advantage of the MS08-067 vulnerability. It spawned several other variants, each new variant an improvement over the last, and it disrupted LAN traffic in several corporate networks.
      The attack was also notable for generating up to 50,000 domains a day and connecting to only 500 of these, strategically defeating efficient domain takedown (or even monitoring of potentially malicious sites) and taking advantage of low-cost domain name registration.
    2. KOOBFACE: The Scourge on Social Networks – Initially found in August 2008, KOOBFACE leveraged the connectivity provided by social networking sites like Facebook and MySpace. It infects user profiles so that cybercriminals are able to break into users’ circles of trust, increasing the chances of propagation (an infected user’s contacts assume posted links are harmless because they trust the profile owner).
      KOOBFACE possesses a dynamic update capability, allowing it to spread to other social networking sites and perform additional malicious routines.
    3. ZBOT: Organized Information Theft – Also known as variants of the Zeus malware, ZBOT Trojan spyware is usually delivered either by email or by Web exploits. Underground research and documented cases reveal a thriving business in which infected computers give up their owners’ personal information (such as credit card data) to remote servers controlled by cybercriminals.
      ZBOT variants are especially damaging because their ever-changing social engineering techniques are often understated (not sensational) and so draw less suspicion.
    4. SQL Slammer: Single-Handed Internet Sabotage – This attack is notorious for drastically slowing down general Internet traffic in the early morning of January 25, 2003 (UTC). Noteworthy is the fact that this was achieved by a single-packet, memory-resident worm with no file system component, exploiting an already patched buffer overflow in MS SQL Server and Desktop Engine (MS02-039).
      Even more notable is that the residual effects of this threat are still being seen on the present-day Internet.
    5. VBS_LOVELETTER: Internet Love Bug – This attack, which used remarkably simple yet effective social engineering (the string “ILOVEYOU” in the subject line) to trigger the curiosity of recipients, first plagued email inboxes on May 4, 2000. It infected 10% of computers worldwide, each harboring an average of 600 infected files.
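    The DOWNAD entry describes the domain-generation trick in one sentence; the added example below shows why it works and how defenders answer it. It is not Trend Micro’s code and not DOWNAD’s real algorithm: the hash-based scheme, the seed, the TLD list and the DNS log lines are all constructed for illustration. The bot side derives the same long list of candidate domains from the date and probes a random few hundred of them, so blocking the names one host was seen resolving covers almost none of the list; the defender side, once the algorithm and seed are recovered, precomputes the whole day’s set and flags any client that resolves a name in it.

```python
"""Why a 50,000-domains-a-day generator frustrates takedowns, and how a
defender who recovers the algorithm turns it around.

Added example, not Trend Micro's code and not DOWNAD's real algorithm:
the hash-based scheme, the seed, the TLD list and the DNS log lines are
all constructed for illustration.
"""
import hashlib
import random
from typing import Iterable, List, Optional, Set

TLDS = ("com", "net", "org", "info", "biz")
SEED = b"illustrative-dga-seed"   # hypothetical; a real family hard-codes or derives one


def daily_domains(day: str, count: int = 50_000, seed: bytes = SEED) -> List[str]:
    """Derive the day's candidate domains from (seed, ISO date, index).

    Deterministic, so every infected host computes the same list and the
    operator only needs to register a few of them to reach the botnet."""
    prefix = seed + day.encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(prefix + i.to_bytes(4, "big")).digest()
        length = 8 + digest[0] % 5                                   # 8-12 letter labels
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def bot_contact_list(domains: List[str], k: int = 500,
                     rng: Optional[random.Random] = None) -> List[str]:
    """Bot side: each host probes a random k of the day's domains.

    Blocking the k names one host was seen resolving says nothing about the
    other 49,500, which is the takedown problem the post describes."""
    rng = rng or random.Random()
    return rng.sample(domains, k)


def dga_hits(dns_log: Iterable[str], day: str) -> List[str]:
    """Defender side: precompute the whole day's set once, then flag every
    client whose query falls in it. Log lines are 'client<TAB>qname'
    (constructed format)."""
    todays: Set[str] = set(daily_domains(day))
    hits = []
    for line in dns_log:
        client, qname = line.rstrip("\n").split("\t")
        if qname.rstrip(".").lower() in todays:
            hits.append(client)
    return hits


def demo() -> dict:
    day = "2009-04-01"
    domains = daily_domains(day)
    probed = bot_contact_list(domains, k=500, rng=random.Random(7))
    # Constructed DNS log: one infected client resolving three of its picks
    # (one with the trailing dot a resolver would log), one clean client.
    log = [
        f"10.0.0.5\t{probed[0]}",
        f"10.0.0.5\t{probed[1]}.",
        f"10.0.0.5\t{probed[2]}",
        "10.0.0.9\twww.example.com",
        "10.0.0.9\tmail.example.net",
    ]
    return {
        "generated": len(domains),
        "probed": len(probed),
        "infected_clients": sorted(set(dga_hits(log, day))),
    }


if __name__ == "__main__":
    print(demo())
```

    The asymmetry is the point: the operator registers a handful of the 50,000 names, each bot finds one of them with high probability, and a blocklist built from observed traffic lags a day behind. Recovering the generator from a sample collapses that asymmetry, because the defender can then enumerate tomorrow’s names before the bots ask for them.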

    Here are other notable attacks that, though not as severe as the ones listed above, affected users around the globe with their remarkable routines:

    • Melissa Virus – The first mass-mailer to cause widespread disruption (started in March 1999); shut down entire Internet mail systems clogged with infected emails
    • MSBLAST – One of the more memorable network worms to take advantage of system vulnerabilities. It was first triggered around this time in the year 2003.
    • SDBOT/AGOBOT – Pioneered modular IRC-based botnets; current IRC bots still use the same codebase; still alive today
    • Web Toolkits – Collective term for commercial-grade software that aid cybercriminal activity; allegedly responsible for high-profile web compromises like the “Italian Job”
    • ILOMO – Trojans arriving via Web-based exploits that stay active in memory even after the binary has been deleted from the system, resulting in multiple, recurring reinfections (first appeared March 2009)

    Each of the top threats was the most dangerous during its time and within its respective field. Notably, all of them are attacks that gained momentum via the Internet.

    The most dangerous is still likely the newest one to come out of the malware underground markets. Most of what follows will be improved versions of families already detected, so users should stay actively involved in keeping their personal information safe from theft. Companies likewise should safeguard company information and assets with the same vigilance as a country at war.

    These days the most likely way for threats to come in is the Internet. We therefore consider that the most obvious and effective way to stop them is to check the URLs requested by the browser or by applications. For your safety we hope you have already switched on the Web Reputation Service in your Trend Micro product. If you are still uncertain, you can test it for free with the TrendProtect Toolbar for Internet Explorer, or install our Web Protection Add-On, which can work alongside your existing security solution.

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice