    Archive for March, 2011




    For about two weeks now, the ZeuS source code has been making its way around to different people. Many people have been offering it for sale on multiple forums, but often only pieces of the code are on offer rather than the whole thing. There are also conflicting reports that important pieces of the code are missing, so it does not work, or that everything is there except the add-in modules.

    This has taken a recent turn, however: the source code was reportedly uploaded to a file-sharing site and the link was then posted to a malware forum.

    The catch is that the uploaded file is a password-protected .RAR archive. You can look through the .RAR file and confirm that everything for the source code is there, but you cannot actually view the contents of the files because of the password protection. Multiple people are taking a crack at trying to brute-force the password for the .RAR file, but so far no one that I know of has been able to crack it. There are even reports that some people in law enforcement are looking at it.


    We’re currently monitoring a still-ongoing mass compromise involving a great number of websites. The compromised sites have been injected with a malicious script that triggers redirects to certain URLs that lead to malware such as FAKEAV.

    Based on Google searches, there is no common denominator in terms of the industry to which the compromised sites belong. We saw compromised websites related to astronomy, clubs, hospitals, sports, funeral homes, electronics, and others.

    More URLs Involved

    Investigations revealed that five URLs were used in the attack and were inserted into the compromised sites through SQL injection. The URLs all resolve to a single server IP address, a known malicious IP that Trend Micro researchers are monitoring. The related URLs have therefore been proactively blocked by Trend Micro since March 25, 2011:

    • {BLOCKED}of-books.com/ur.php
    • {BLOCKED}ane.com/ur.php
    • {BLOCKED}carter.com/ur.php
    • {BLOCKED}on.com/ur.php
    • {BLOCKED}6.info/ur.php

    New developments are currently being observed. We are seeing compromised websites that were previously injected with a script leading to {BLOCKED}on.com/ur.php already modified to connect to {BLOCKED}s.com/ur.php instead. That URL also resolves to the same server IP address as the other four URLs listed above. It is possible that the cybercriminal behind this attack is updating the compromised sites with new URLs to connect to because the previous ones are already being blocked.
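As an added illustration (not code from the original post), the following defender-side sweep scans stored page content for injected script tags that point at a ur.php endpoint and clusters the referenced hosts by the server IP they resolve to, so a hostname swapped in on an already compromised site still lands in the same cluster. The sample pages, hostnames and the resolution table are constructed stand-ins, not the blocked domains from the post.

```python
import re
from collections import defaultdict

# Constructed sample pages standing in for stored site content; the hostnames are
# placeholders, not the blocked domains from the post. Two pages carry an injected
# script tag pointing at a ur.php endpoint, one is clean.
SAMPLE_PAGES = {
    "astronomy-club.example/index.html":
        '<html><body><h1>Sky Watch</h1>'
        '<script src="http://injected-on.example/ur.php"></script></body></html>',
    "hospital.example/news.html":
        '<html><body><p>Visiting hours</p>'
        '<script type="text/javascript" src="http://injected-s.example/ur.php"></script></body></html>',
    "clean.example/index.html":
        '<html><body><script src="/static/app.js"></script></body></html>',
}

# Constructed stand-in for DNS resolution so the example runs offline; in practice
# this would come from a resolver or passive-DNS data.
RESOLVED_IP = {
    "injected-on.example": "203.0.113.10",
    "injected-s.example": "203.0.113.10",
}

# External script src attributes, and the ur.php path pattern described in the post.
SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']?(https?://[^"\'\s>]+)', re.I)
SUSPECT_PATH = re.compile(r'/ur\.php$', re.I)

def host_of(url):
    """Hostname of an absolute http(s) URL, lower-cased, port stripped."""
    return url.split("//", 1)[1].split("/", 1)[0].split(":")[0].lower()

def find_injected_scripts(pages):
    """Map each page to the external script URLs whose path ends in /ur.php."""
    hits = {}
    for page, html in pages.items():
        urls = [u for u in SCRIPT_SRC.findall(html)
                if SUSPECT_PATH.search(u.split("?", 1)[0])]
        if urls:
            hits[page] = urls
    return hits

def group_hosts_by_ip(hits, resolved):
    """Cluster injected hosts by resolved IP; a hostname swap on a compromised
    site stays in the same cluster when the new host resolves to the same server."""
    groups = defaultdict(set)
    for urls in hits.values():
        for u in urls:
            h = host_of(u)
            groups[resolved.get(h, "unresolved")].add(h)
    return {ip: sorted(hosts) for ip, hosts in groups.items()}
```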


    In February 2011, we successfully collaborated with CDMON, a registrar, to gain control of a ZeuS botnet command-and-control (C&C) server, thereby rendering it ineffective. Our success gave us the opportunity to capture valuable research information about the bot (compromised computer) types under its control.

    ZeuS is a notorious crimeware toolkit that is prolifically used by cybercriminals to instigate monetary and online banking information theft.

    ZeuS does not, however, refer to a single botnet. Instead, it refers to a collection of botnets created and controlled by multiple cybercriminals using variations of the same toolkit and malware family—ZeuS.

    The information we collected will help us in our mission to better protect users while providing valuable insights into the types of information cybercriminals steal.


    Malware attacks that exploit vulnerabilities in popular software in order to compromise specific target sets are becoming increasingly commonplace. Even before the highly publicized Aurora attack on Google and at least 20 other companies, targeted malware attacks were already taking place, and they continue to affect government, military, corporate, educational, and civil society networks. While such attacks against the U.S. government and related networks are well known, other governments and an increasing number of companies are facing similar threats.

    Earlier this year, the Canadian, South Korean, and French governments all experienced serious breaches of sensitive networks. More recently, the European Commission and the External Action Service were also compromised. There have also been acknowledged security breaches at the security firms RSA and Comodo, which, at least in the case of RSA, appear to be the result of targeted malware attacks.

    Technically sophisticated or simply well executed?

    Such attacks are almost always described as sophisticated or targeted, adjectives that have effectively become synonymous with successful. The statements issued after breaches often suggest that the attackers knew exactly what to exploit and, in some cases, exactly what they were looking for. It is difficult to assess such claims based solely on the murky details that emerge publicly, so I am not suggesting that such characterizations are necessarily incorrect. Rather, I am suggesting that the level of targeting and sophistication is the result of prior knowledge gained by the attackers, and not necessarily of any technical brilliance in the tools and methods used.


    The recent tragedy that affected Japan is not the first incident that cybercriminals have leveraged. Cybercriminals established early on just how low they would go to steal money from users: Hurricane Katrina in 2005, Hurricane Gustav in 2008, the Sichuan earthquake in China in 2008, and most recently the Haiti earthquake in 2010 were all used in one way or another as social engineering bait.

    From a technical perspective, it is disheartening how closely cybercriminals monitored the entire incident just to take advantage of not only the event itself but also the ones that happened afterward. Let’s trace the events, along with the threats we found leveraging them.

    Information Demand Met with Attacks

    The earthquake happened on March 11, 2011 and, almost immediately, most of the world was aware of the incident and constantly sought out more information on Japan’s status.

    The sudden and rapidly increasing demand for information on the earthquake was met with blackhat SEO attacks, in which cybercriminals rigged search results for strings related to the incident so that they led users to malicious sites.

    Unsurprisingly, social networks were also filled with inquiries, footage, bits of information on the tragic event, and, of course, posts set up to look like footage and information but actually led to malicious sites and files.

    A few hours later, the tsunami triggered by the earthquake hit the coasts of Aomori, Iwate, Miyagi, and Fukushima, causing further damage to the affected areas. Many people in Japan who had managed to reach safer ground by the time the tsunami struck were able to take videos showing how the waves destroyed the infrastructure along the coastline.

    The cybercriminals again quickly moved to leverage the event and deployed attacks on social networks such as Facebook. Posts posing as footage of the tsunami were seen all over the network and led to other malicious pages.

    © Copyright 2011 Trend Micro Inc. All rights reserved.