Security research firm M86 Security (no relation) has posted a whitepaper outlining how cyber-criminals started utilizing the Zeus v3 trojan in conjunction with the Eleonore, Phoenix, and Siberia Exploit Kits to siphon £675,000 (~$1.05 million USD) so far from UK victims’ systems that have been compromised. The attack started on July 5th and has continued silently ever since. The main reason why the theft hasn’t been successfully mitigated thus far is because of the Zeus trojan’s extreme difficulty to detect by antivirus solutions. The Zeus trojan, also known as Zbot, PRG, Wsnpoem, Gorhax and Kneber is sold as a kit to people willing to pay a price for the latest code known as Zeus v3. It primarily infects a machine through exploiting un-patched versions of Internet Explorer to gain control.
The Zeus trojan has been known to steal user data in the past, but has never been used in such a direct manner. In the US, there are believed to be 3.6 million infected machines by the malware alone, which makes it arguably one of the world’s most dangerous trojans/botnets in terms of potential damage. The Daily Mail has a good article outlining the exact details.
M86 Security Whitepaper (PDF)
At last writing, the Microsoft LNK vulnerability that was originally used to target SCADA systems by the Stuxnet worm in Iran, India, and Indonesia was slowly gaining speed and the exploit had a proof-of-concept in the open. Now it is accelerating. It is now being picked up by old virus/worm/malware families and incorporated into their arsenals to take new victims; some using social engineering, some using their own unique tactics. While the exploit method itself hasn’t changed, the exploiters using it are vigorously churning out new versions of their software. I think it’s safe to say Madagascar will be closing its ports soon. (Warning: addictive)
New detected malwares are Chymine, Vobfus, Sality, Zeus, and most recently, Downloader-CJX
It seems the makers of the all-too-familiar-now rogue AV are now targeting the more web-saavy of users; those who use Mozilla Firefox.
Recent versions of Firefox have been taking a more proactive approach to keeping Adobe Flash secure by checking the version of Flash installed and informing users that they need to upgrade Flash to a newer version if it is outdated. Simple enough. Perhaps too simple.
Now the makers of the familiar fake Windows Security Alert con and the bogus Anti-Virus malware have begun to craft webpages that look identical to the page that appears after users have started a freshly-upgraded version of Firefox, except they now have to upgrade Adobe Flash. It doesn’t require the user to click on a download link; it tries to start a download immediately upon page load.
Naturally users will download the legitimate looking executable and run it upon completion. In all, it is a very convincing tactic with a pretty flawlessly executed plan besides the URL being not that of a Mozilla Firefox owned domain. Of course, it isn’t a newer version of Flash. It’s the good ‘ol rogue AV that has been creeping into every corner of the web by any means possible, doing all the nasty things it always does. Security vendors are already aware of the threat and rolling out definition updates to detect and thwart this attack.
“Be careful when you fight the monsters, lest you become one.” -Friedrich Nietzsche
The developers of popular Mozilla extension AdBlock Plus had been receiving bug reports of “issues” with another popular extension, NoScript, after an update was issued by the developer of the script-blocking software. The AdBlock Plus developers decided to take a look into what was wrong and found something extremely disturbing. The 1.9.2 update of NoScript had incorporated an obfuscated piece of code that actually made changes to AdBlock Plus to allow for ads on the NoScipt and related sites to be shown. In otherwords, it does what a viruses and other malware does to antivirus software only in reverse; instead of blocking access to update sites, it forced AdBlock Plus to allow ads to be shown for the developer’s site explicitly. This most likely would have flown under the radar had it not completely broken Adblock Plus and get caught doing unethical things to other software for self-interest. The issue snowballed when the issue made it to Reddit and caused an outrage amongst faithful users of both extensions. To make things worse, the developer only slightly backtracked; allowing the user to allow or disallow the code modification upon installation of NoScript. The developer eventually removed the code completely in version 1.9.2.6, but not without severely impacting user opinion of the software and spurring discussion of a policy change regarding Mozilla Extensions.
More after the jump.
