Trend Micro Malware Blog

Archive for September, 2011




The recent rise of mobile computing has made a good, reliable mobile browser such as Opera Mini something many users expect to have on their smartphones and other mobile devices. We believe this is why cybercriminals are currently using a fake Opera Mini update as a disguise for mobile malware.

We encountered a website that appears to have been designed to be viewed on a mobile device. The site, which is in Russian, mimics the official Opera site and immediately informs visitors that they need to upgrade their version of Opera Mini.


     



In the past we reported a couple of attacks involving malware that turns infected systems into Bitcoin miners, and we predicted that cybercriminals would increasingly do so. We recently encountered another familiar and well-known malware family, TDL4, doing exactly that.

TDL4 is a well-known TDSS variant that evades antivirus detection by infecting the system's boot sector (the master boot record), which lets its rootkit load before the operating system and any security software running on it. We have since been monitoring TDSS-related developments. Earlier this year, we saw TDL4 gain propagation routines through a worm component that Trend Micro detects as WORM_OTORUN.ASH.

In the course of our research, we found that recent variants of WORM_OTORUN.ASH contain code that attempts to participate in a Bitcoin mining pool known as Deepbit.

[Figure 1: screenshot of the mining parameters embedded in WORM_OTORUN.ASH]

Figure 1 shows some of these parameters, including getwork, the JSON-RPC call a miner makes to fetch a job from the pool. A job is a Bitcoin block header, together with a target value, which the miner (in this case the infected system) hashes with double SHA-256 over and over while varying the nonce field. Any header whose hash falls below the pool's share target is sent back to the pool as a share. In a mining pool, users sign up and a network of miners work on the same jobs; the pool's block reward is then split among them in proportion to the shares each submitted, which gives a small miner steadier and faster payouts than mining alone.
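To make the getwork cycle concrete, here is an added example (not code from the original post, and not the malware's own code) that models the miner's side and the pool's share check in Python. The pool job is represented directly by the five header fields; the real getwork JSON-RPC response wraps the header in hex "data" and "target" strings that this example does not parse. The function names, the toy job values and the 16-bit share target are assumptions for illustration; the genesis block values are real Bitcoin data, included only to confirm that the header serialization is right.

```python
"""Worked model of a getwork-style mining job: build the 80-byte header,
double-SHA-256 it, and compare the result to a share target.

Constructed example. A pool job is modelled as the five header fields a
getwork response ultimately encodes; the real JSON-RPC response wraps them
in hex "data"/"target" strings, which this toy does not parse.
"""
import hashlib
import struct

# Difficulty-1 target used by the Bitcoin network and as the base for pool shares.
DIFFICULTY_1_TARGET = 0xFFFF << 208


def double_sha256(data: bytes) -> bytes:
    """Bitcoin's block hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def build_header(job: dict, nonce: int) -> bytes:
    """Serialize the 80-byte block header: 4-byte version, 32-byte previous
    block hash, 32-byte merkle root, 4-byte time, 4-byte bits, 4-byte nonce.
    Integers are little-endian; hashes are in internal (byte-reversed) order."""
    return (
        struct.pack("<I", job["version"])
        + job["prev_block"]
        + job["merkle_root"]
        + struct.pack("<III", job["time"], job["bits"], nonce)
    )


def hash_as_int(digest: bytes) -> int:
    """Bitcoin compares the digest to the target as a little-endian integer."""
    return int.from_bytes(digest, "little")


def difficulty_target(difficulty: int) -> int:
    """Target for a given (share) difficulty: harder means a smaller target."""
    return DIFFICULTY_1_TARGET // difficulty


def leading_zero_target(zero_bits: int) -> int:
    """Toy target accepting any hash with at least zero_bits leading zero bits
    (in display order); used here so the search finishes quickly in Python."""
    return (1 << (256 - zero_bits)) - 1


def verify_share(job: dict, nonce: int, target: int) -> bool:
    """What the pool does with a submitted share: rebuild the header, rehash, compare."""
    return hash_as_int(double_sha256(build_header(job, nonce))) <= target


def find_share(job: dict, target: int, start_nonce: int = 0, max_nonce: int = 1 << 32):
    """The miner's loop: iterate the nonce until the header hash meets the target.
    Returns (nonce, digest), or None if the 32-bit nonce space is exhausted."""
    for nonce in range(start_nonce, max_nonce):
        digest = double_sha256(build_header(job, nonce))
        if hash_as_int(digest) <= target:
            return nonce, digest
    return None


# Real data: Bitcoin's genesis block, used to check the serialization above.
GENESIS_JOB = {
    "version": 1,
    "prev_block": bytes(32),
    "merkle_root": bytes.fromhex(
        "4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b")[::-1],
    "time": 1231006505,
    "bits": 0x1D00FFFF,
}
GENESIS_NONCE = 2083236893
GENESIS_HASH_HEX = "000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f"


def genesis_hash_hex() -> str:
    """Hash of the genesis header in display order (byte-reversed digest)."""
    return double_sha256(build_header(GENESIS_JOB, GENESIS_NONCE))[::-1].hex()


# Constructed toy job (arbitrary field values, not a real block) with a target
# low enough that a Python loop finds a share in tens of thousands of tries.
TOY_JOB = {
    "version": 2,
    "prev_block": bytes(range(32)),
    "merkle_root": bytes(range(32, 64)),
    "time": 1316000000,
    "bits": 0x1D00FFFF,
}
TOY_TARGET = leading_zero_target(16)


if __name__ == "__main__":
    assert genesis_hash_hex() == GENESIS_HASH_HEX
    nonce, digest = find_share(TOY_JOB, TOY_TARGET)
    print(f"share found at nonce {nonce}: {digest[::-1].hex()}")
    print("pool accepts it:", verify_share(TOY_JOB, nonce, TOY_TARGET))
```

The toy target requires only 16 leading zero bits, whereas even a difficulty-1 share requires 32, so a real miner performs billions of these iterations per job; that CPU load, not any network traffic, is what makes a Bitcoin-mining bot noticeable on an infected host. The pool never trusts the miner's claimed hash: verify_share shows that it recomputes the hash itself from the job and the submitted nonce.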


     



We recently found an interesting post in a Russian underground forum in the course of our research. People exchange information about their illegal activities in these kinds of forums. One user, with the handle “sourcec0de” and ICQ number 291149, currently offers root access to some of the cluster servers of MySQL.com and its subdomains.

[Screenshot of the forum post]

The screenshot above shows that the seller appears to have a shell console window with root access to these servers. The price for each access starts at US$3,000, with the exchange of money and access handled through the well-known garant/escrow system, in which a trusted third party verifies both sides of a transaction.

In our previous underground research, we also saw sourcec0de selling stolen PayPal account credentials and discussing the management of botnet command-and-control (C&C) servers.

We contacted MySQL.com about this issue last week. We are making this public to stress that hackers do not profit only from selling stolen data or from inserting malicious links into spam, phishing email, websites, and other infection vectors.

This case, regardless of whether sourcec0de’s claim is true or not, shows just how brazen cybercriminals have become: they openly sell administrative access to specific, named systems, whose owners stand to be seriously harmed by the break-ins and by whatever the buyers do next.

     



I’ve read lately about the launch of Google Wallet and how it may revolutionize how we make payments. Instant payments by holding the phone near a terminal and keying in my PIN? Sounds good. As exciting as it may be to try out new technologies, if it has to do with my wallet, I think things through twice or more.

    Things to Consider

First off, you need to have an Android phone. Android, while a beautiful piece of software, is the most attacked mobile platform on the planet. It is also the most widely used one, now that it has surpassed its main competitor (Apple), and there are no signs of that slowing down. I don’t mean to say that anything running on Android is bad or risky, but keep the “most attacked” angle in mind for now.

Second, it uses NFC, a technology closely related to RFID. That is the little chip you put in your dog so the vet can easily identify him, the chip in your passport that hands over your data whenever a reader queries it, and the one in your contactless credit card (if you have a U.S. credit card, that is). It is a technology that, while extremely useful, provides a very juicy target for the bad guys. A bad guy with a big antenna pointed at my dog can read her ID number from afar. Okay, that’s not the worst scenario I can picture.


     



Determining who is ultimately behind targeted attacks is difficult. It requires a combination of technical and contextual analysis as well as the ability to connect disparate pieces of information over a period of time. Moreover, any one researcher typically does not have all of these pieces and must interpret the available evidence. Too often, attribution is based solely on easily spoofed evidence such as IP addresses and domain name registrations.

This post is a follow-up to the post we published yesterday. It presents some background information on the LURID attacks and on their relationship with previous Enfal attacks, in order to provide some context to this case.

Interestingly, while previous Enfal attacks have been attributed to China, in this case the IP addresses of the command-and-control (C&C) servers were located in the United States and the United Kingdom, whereas the registration information of the domain names used indicates that their owners are in China. Neither fact is hard to manipulate: hosting can be rented in any country and domain registration details can be falsified. Neither of these two artifacts taken on its own is sufficient to determine attribution.

    The History of Enfal

The history of this malware, combined with the nature of some of its target victims, does provide some clues. The malware used in the “Lurid Downloader” attacks is commonly known as Enfal and has been used in targeted attacks as far back as 2006. In 2008, Maarten Van Horenbeeck documented a series of targeted malware attacks that made use of the Enfal Trojan to target government organizations, nongovernmental organizations (NGOs), defense contractors, and U.S. government employees.

In 2009 and 2010, researchers from the University of Toronto published reports on two cyber espionage networks known as GhostNet and ShadowNet, which included malware and C&C infrastructure connected to the Enfal Trojan. In addition, according to U.S. diplomatic cables leaked to WikiLeaks, the domain names Enfal used for C&C servers are linked to a series of attacks known as “Byzantine Hades.” According to the same cables, this set of threat actors has been active since 2002 and has activity subsets known as Byzantine Anchor, Byzantine Candor, and Byzantine Foothold.

Notably, apart from the shared use of Enfal itself, there appear to be several distinct sets of C&C infrastructure in use, and the relationship among those operating these separate infrastructures remains unclear.


     


     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice