    Author Archive - Loucif Kharouni (Senior Threat Researcher)




    We recently wrote about the difference between cybercrime and cyber war, which comes down to the attack’s intent. Sharing the same intent of gathering information to use against their targets, cybercriminals and targeted attackers place less importance on their choice of “tools”, because these campaigns are really about who carries out the attack. Ultimately, a simple equation can be drawn from these observations: a highly successful attack is composed of the attack’s intent and the right tools.

    Our newest research paper Cybercriminals Use What Works: Targeted Attack Methodologies for Cybercrime sheds more light on reasons why cybercriminals adopt certain targeted attack methodologies. The paper discusses two case studies that show how cybercriminals continuously learn to make the most of these attack methodologies in “traditional” cybercrime for better financial gain. For cybercriminals, the more financial gain they get, the better it is.

    Case studies: “Arablab” and “Resume.doc”

    The “arablab” case study deals with an attack that exploited the CVE-2010-3333 vulnerability using a maliciously crafted document. Based on the information we gathered, we believe the perpetrator named “arablab” may be residing in the United States and may have been part of a gang known for launching 419 scams.

    The second case study, “Resume.doc”, shows how cybercriminals used specially crafted documents that executed malicious macros, an infection method that is far from advanced but works to the cybercriminals’ advantage. Most of the victims who accessed the (then) compromised site tied to this attack were from the United States, Canada, and Great Britain.

    As targeted attack methodologies have not changed much over the years, the onslaught of targeted attacks confirms that similar threats are becoming more prevalent. With that, we recognize that these methodologies are just as effective as they are prevalent. In the end, we can conclude that an attacker’s goals and game plans are based on, simply put, whatever works.

    Read the full paper here: Cybercriminals Use What Works: Targeted Attack Methodologies for Cybercrime.

    Posted in Malware, Targeted Attacks


    Jan 29, 1:19 am (UTC-7)

    Earlier this week, it was announced by the United States Department of Justice that the creator of the notorious SpyEye banking malware, Aleksandr Andreevich Panin (also known as Gribodemon or Harderman), had pleaded guilty before a federal court to charges related to creating and distributing SpyEye.

    Trend Micro was a key part of this investigation and has been working with the FBI on this case for quite some time. In particular, information provided by Trend Micro (such as the online “handles” and accounts used) was used to help find the real identities of Panin and his accomplices. It took considerable effort for all parties involved to bring this investigation to a successful conclusion.

    Our investigation

    One of Panin’s accomplices was Hamza Bendelladj, who went by the alias bx1. Both Panin and Bendelladj were involved in creating and setting up various SpyEye domains and servers, which was how we were able to obtain information on the pair. Although SpyEye was built so that few of its files were publicly available, we were still able to obtain them and extract the information they held, which included (for example) the email address of a server’s controller.

    We correlated the information obtained from these configuration files with information we had gathered elsewhere. For example, we infiltrated various underground forums that both Panin and Bendelladj were known to visit. Simply by reading their posts, we found that they inadvertently disclosed information like their email address, ICQ number, or Jabber number – all information that might reveal their actual identities.

    For example, we discovered the C&C server lloydstsb.bz, as well as the associated SpyEye binaries and configuration files. The decrypted configuration files included the handle bx1. A configuration file on that server also contained the email address. A second configuration file – also using the bx1 name – was found which contained login credentials for virtest, a detection-testing service used by cybercriminals.


    Figure 1. Configuration files

    The following post in an underground forum shows that Bendelladj’s involvement in SpyEye was more in-depth than he claimed in public:

    Figure 2. Underground forum post

    This graph shows some of the relationships among the various websites, email addresses, and malware used by Bendelladj:


    Figure 3. Diagram showing the relationships among related websites, email addresses, and malware

    Investigating Gribodemon

    We carried out the same kind of investigation to look into Panin. As with his partner in crime, we found that Panin was linked to various domain names and email addresses.

    While Panin believed that he was very good at hiding his tracks, it’s now obvious that he wasn’t as good as he thought he was. Around the time he was selling SpyEye, he also became very sloppy and not particularly careful; despite using multiple handles and email addresses, Trend Micro, working together with the FBI, found his real identity.

    Panin started selling SpyEye in 2009, and it quickly became a well-regarded competitor to the more well-known ZeuS. At the time, it was popular due to its lower cost and the ability to add custom plug-ins, something ZeuS didn’t offer. In late 2010, in two posts, we took a very good look at SpyEye’s control panels.

    Some cybercriminals were not particularly fond of SpyEye due to its poor coding compared with ZeuS, while others liked the features that SpyEye brought to the table. Whatever the case, SpyEye was well-known enough in the cybercrime community that when ZeuS creator Slavik left, he gave the code to Panin.

    Panin used this code to create a new version of SpyEye which combined features of both the older versions of SpyEye and ZeuS. In addition, he outsourced some of the coding to his accomplices (like Bendelladj) in order to improve SpyEye’s quality. Later versions showed significant changes to the underlying code, including reusing code from ZeuS.

    This arrest shows how security companies, working closely with law enforcement agencies, can deliver results. By going after the cybercriminals themselves instead of their servers, we ensured that permanent damage was done to the whole underground, instead of relatively quick and easily repairable damage caused by takedowns. We believe that this is the way to attack cybercrime and make the Internet safer for all users.

    Posted in Malware



    Several months ago, we found that several Ice IX servers were hosted in the .co.za (South Africa) top-level domain. Our research revealed that these servers were all tied to a group of individuals located in Nigeria.

    To recap, Ice IX is a popular banking Trojan that was heavily used by these criminals, together with the better-known ZeuS malware. These types of threats are known for stealing users’ login credentials for banks, email accounts, and social networks.

    On some of the servers, there was an infected machine located in Nigeria that the cybercriminals seemed to be using as a proxy to connect to their Ice IX and ZeuS control panels:

    Figure 1. Infected machine used as proxy

    These cybercriminals are also engaged in other online crimes, such as setting up phishing websites for banks and social media, as well as operating classic Nigerian 419 scams. In order to send the spam messages necessary to carry out these attacks, they also hacked into legitimate servers and installed a PHP mailer.

    We identified three individuals as part of the group responsible for these crimes; all of them are located in Lagos, the commercial capital of Nigeria. We believe that they are all part of a larger organization that extends beyond Nigeria. This highlights how African cybercrime is growing and how the region may become a major player in the near future.

    More details about this syndicate may be found in our paper “Ice 419”.

    Posted in Malware



    This new year, expect crimeware like toolkits and exploit kits to be improved and continue their money-making streak.

    As profit remains the main driver of these threats, cybercriminals will continue to implement new features to increase profit and new countermeasures to protect their investment by keeping security researchers in the dark. So far, the following notorious crimeware families have undergone some noteworthy changes.

    ZeuS. Though last updated more than 2 years ago, ZeuS remains popular among cybercriminals due to its reliability. Because it was well coded, cybercriminals continue to earn money from this toolkit while evading law enforcement.

    SpyEye. Initially seen as ZeuS’ rival, SpyEye was offered by its creator Gribodemon as an alternative while he also provided support to existing ZeuS customers. Since its debut in 2009, it underwent several improvements until its creator disappeared sometime in 2010.

    Citadel and Ice IX. Both are considered by-products of ZeuS; however, each of these toolkits presents certain improvements. Citadel has a more user-friendly control panel, while Ice IX is supposedly protected against trackers.

    Blackhole exploit kit. Known for distributing malware by exploiting known software vulnerabilities, the Blackhole Exploit Kit recently had a stealthier version released. To avoid detection, its creator Paunch no longer provides the kit directly; instead, it is installed on a web server somewhere that is connected to a database for logging and reporting.


    Posted in Malware



    We’ve been hearing much about how Africa is rapidly catching up with the rest of the world in terms of the Internet. More and more Africa-based users are now connecting to the Internet, giving them a great resource for information and an easier means for communication. Unfortunately, as more users in Africa become connected to the Internet, they become just as susceptible as the rest of the world to online threats.

    In our recently released forecasts for 2013, Raimund mentioned how Africa will become the new haven for cybercriminals. I have done some research on Africa (which I will release soon), and I very much agree with that forecast. Here are three reasons why:

    1. Great Internet availability and fast connections
      The Internet infrastructure in Africa, supported by undersea cables, is very well developed. As of now, the various ISPs in Africa are able to offer their customers a variety of connections such as 3G, 4G LTE, dial-up, DSL, fiber and even satellite. Stable and fast Internet connectivity is a resource that cybercriminals will surely consider valuable.
    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice