📱malware scans: threat

Showing posts with label threat. Show all posts

Monday, October 30, 2017

A Hacker's Tool Kit - Cybercrime is growing ever more pervasive—and costly.

2:51 PM

Cybercrime is growing ever more pervasive—and costly. According to researcher Cybersecurity Ventures, the annual cost of cybercrime globally will rise from $3 trillion in 2015 to $6 trillion in 2021. Enabling this boom are thriving marketplaces online, where hackers sell tools and services to criminals. Virtually anything is available for the right price, points out Andrei Barysevich, director of advanced collection (“a fancy name for ‘spy,’ ” he says) at threat intelligence firm Recorded Future. A former consultant for the FBI’s cybercrime team in New York, Barysevich trawled the shadiest corners of the web to compile the cybercrime shopping list above, exclusively for Fortune. In the market for some basic malware? It’ll cost you as little as $1.

Graphic shows prices of cybercrime events

Read more »

Tuesday, December 6, 2016

Check if you were hit by the massive 'Avalanche' cybercrime ring

11:59 AM

SAN FRANCISCO — The U.S. government has posted links for free scanning programs so companies and individuals can check their computers to make sure they weren't victims of a massive, international cyber criminal operation that was taken down Thursday after a four-year investigation.

“This is probably the biggest operation that law enforcement has ever done against cyber crime,” said Catalin Cosoi, chief security strategist with BitDefender, one of the dozens of companies worldwide that worked with law enforcement to attack the group.

The U.S. Computer Emergency Readiness Team (US_CERT) has posted links to five scanners on its site. Europol has also posted a list of sites in multiple languages for potentially infected users. The malware only affects systems running the Microsoft Windows operating system, according to US-CERT.

The Department of Homeland Security’s National Cybersecurity and Communications Integration Center, which includes US-CERT, will be providing victim notification to stakeholders, including Internet Service Providers, DHS said in a statement.

Known as "Avalanche," the group had been active since 2009, according to the FBI and Europol, the European law enforcement agency. It was effectively a criminal company that sold and rented cloud-hosted software to other criminals who used it to take over systems, infect networks, launch ransomware or create enormous robot networks (botnets) to send spam.

Avalanche networks were also used to launch targeted attacks against banks and to recruit people to illegally transfer stolen money between countries, known as money mules.

"They sent more than one million e-mails with damaging attachments or links every week to unsuspecting victims," and involved as many as 500,000 infected computers worldwide on a daily basis, Europol said in a release.

“They would do whatever you wanted. You just had to call them, say ‘I need command and control service,’ or ‘I need to infect this type of people or this type of business,’ and they’d do it,” said Cosoi.

The investigation originally began in Germany in 2012 after prosecutors there detected a ransomware operation that blocked access to a substantial number of computer systems and allowed the criminals to do bank transfers from the victims' accounts.

As authorities became aware of the scope and reach of the criminal organization, the effort to shut it down ended up involving prosecutors and investigators in 30 countries.

Law enforcement takedown

On Wednesday, law enforcement launched a concerted action against the Avalanche group. It resulted in five arrests, the search of 37 premises and seizure of 39 servers. In addition, over 800,000 Internet domains, or addresses, were seized to block the criminals access to their customers.

Now that the operation has been taken down, the next crucial stage is for infected individuals and companies to check to make sure that their computers do not have Avalanche malware on them.

“Companies and consumers should take this opportunity to scan their systems for the different families of malware that the Avalanche botnet distributed,” said ESET senior security researcher, Stephen Cobb.

Multiple companies worldwide have written tools to run this scan.

As Europol said on its website, "computer users should note that this law enforcement action will NOT clean malware off any infected computers — it will merely deny the Avalanche users’ ability to communicate with infected victims’ computers. Avalanche victims’ computers will still be infected, but shielded from criminal control."

While the effort was hailed in the cyber security world as a major coup against cyber crime, the differential between how fast international cybercrime networks proliferate and how quickly international law enforcement can act is troubling.

“It does give some reason for concern that our anti-cybercrime efforts still can't match the speed and dexterity that cyber criminals use for their own efforts," said Nathan Wenzler, principal security architect at AsTech Consulting, a San Francisco-based security consulting company.

Unfortunately, while he believes that dismantling the Avalanche network will certainly show some short-term gains, he expects the cyber criminals will be "back up and running in short order.”

Read more »

Wednesday, November 30, 2016

‘AVALANCHE’ NETWORK DISMANTLED IN INTERNATIONAL CYBER OPERATION

11:56 AM

On 30 November 2016, after more than four years of investigation, the Public Prosecutor’s Office Verden and the Lüneburg Police (Germany) in close cooperation with the United States Attorney’s Office for the Western District of Pennsylvania, the Department of Justice and the FBI, Europol, Eurojust and global partners, dismantled an international criminal infrastructure platform known as ‘Avalanche’.

The Avalanche network was used as a delivery platform to launch and manage mass global malware attacks and money mule recruiting campaigns. It has caused an estimated EUR 6 million in damages in concentrated cyberattacks on online banking systems in Germany alone. In addition, the monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of euros worldwide, although exact calculations are difficult due to the high number of malware families managed through the platform.
The global effort to take down this network involved the crucial support of prosecutors and investigators from 30 countries. As a result, 5 individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. Also, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing[1] to combat botnet[2] infrastructures and is unprecedented in its scale, with over 800 000 domains seized, sinkholed or blocked.

On the action day, Europol hosted a command post at its headquarters in The Hague. From there, representatives of the involved countries worked together with Europol’s European Cybercrime Centre (EC3) and Eurojust officials to ensure the success of such a large-scale operation.

In addition Europol supported the German authorities throughout the entire investigation by assisting with the identification of the suspects and the exchange of information with other law enforcement authorities. Europol’s cybercrime experts produced and delivered analytical products.

Eurojust’s Seconded National Expert for Cybercrime assisted by clarifying difficult legal issues that arose during the course of the investigation. Several operational and coordination meetings were also held at both Europol and Eurojust.

Julian King, European Commissioner for the Security Union, said: "Avalanche shows that we can only be successful in combating cybercrime when we work closely together, across sectors and across borders. Cybersecurity and law enforcement authorities need to work hand in hand with the private sector to tackle continuously evolving criminal methods. The EU helps by ensuring that the right legal frameworks are in place to enable such cooperation on a daily basis".

Rob Wainwright, Europol Director, said: “Avalanche has been a highly significant operation involving international law enforcement, prosecutors and industry resources to tackle the global nature of cybercrime. The complex trans-national nature of cyber investigations requires international cooperation between public and private organisations at an unprecedented level to successfully impact on top-level cybercriminals. Avalanche has shown that through this cooperation we can collectively make the internet a safer place for our businesses and citizens”.

Michèle Coninsx, President of Eurojust, said: “Today marks a significant moment in the fight against serious organised cybercrime, and exemplifies the practical and strategic importance of Eurojust in fostering international cooperation. Together with the German and US authorities, our EU and international partners, and with support from Eurojust and EC3, Avalanche, one of the world’s largest and most malicious botnet infrastructures, has been decisively neutralised in one of the biggest takedowns to date.”

The criminal groups have been using the Avalanche infrastructure since 2009 for conducting malware, phishing and spam activities. They sent more than 1 million e-mails with damaging attachments or links every week to unsuspecting victims.

The investigations commenced in 2012 in Germany, after an encryption ransomware[3] (the so-called Windows Encryption Trojan), infected a substantial number of computer systems, blocking users’ access. Millions of private and business computer systems were also infected with malware, enabling the criminals operating the network to harvest bank and e-mail passwords.

With this information, the criminals were able to perform bank transfers from the victims’ accounts. The proceeds were then redirected to the criminals through a similar double fast flux[4]infrastructure, which was specifically created to secure the proceeds of the criminal activity.

The loss of some of the network’s components was avoided with the help of its sophisticated infrastructure, by redistributing the tasks of disrupted components to still-active computer servers. The Avalanche network was estimated to involve as many as 500,000 infected computers worldwide on a daily basis.

What made the ’Avalanche’ infrastructure special was the use of the so-called double fast flux technique. The complex setup of the Avalanche network was popular amongst cybercriminals, because of the double fast flux technique offering enhanced resilience to takedowns and law enforcement action.

Malware campaigns that were distributed through this network include around 20 different malware families such as goznym, marcher, matsnu, urlzone, xswkit, and pandabanker. The money mule schemes operating over Avalanche involved highly organised networks of “mules” that purchased goods with stolen funds, enabling cyber-criminals to launder the money they acquired through the malware attacks or other illegal means.

In preparation for this joint action, the German Federal Office for Information Security (BSI) and the Fraunhofer-Institut für Kommunikation, Informationsverarbeitung und Ergonomie (FKIE) analysed over 130 TB of captured data and identified the server structure of the botnet, allowing for the shut-down of thousands of servers and, effectively, the collapse of the entire criminal network.

The successful takedown of this server infrastructure was supported by INTERPOL, the Shadowserver Foundation, Registrar of Last Resort, ICANN and domain registries involved in the takedown phase. INTERPOL has also facilitated the cooperation with domain registries. Several antivirus partners provided support concerning victim remediation.

Computer users should note that this law enforcement action will NOT clean malware off any infected computers – it will merely deny the Avalanche users’ ability to communicate with infected victims’ computers. Avalanche victims’ computers will still be infected, but shielded from criminal control.

Victims of malware operating over the Avalanche network may use the following webpages created for assistance in removing the malware:

The Shadowserver Foundation have supported this operation and will be making the sinkhole data available globally to responsible bodies via their free daily remediation feeds. More information can be found in their blog article.

[1] Sinkholing is an action whereby traffic between infected computers and a criminal infrastructure is redirected to servers controlled by law enforcement authorities and/or an IT security company. This may be done by assuming control of the domains used by the criminals or IP addresses. When employed at a 100% scale, infected computers can no longer reach the criminal command and control computer systems and so criminals can no longer control the infected computers. The sinkholing infrastructure captures victims’ IP addresses, which can subsequently be used for notification and follow-up through dissemination to National CERTs and Network Owners.

[2] Botnets are networks of computers infected with malware, which are under the control of a cybercriminal. Botnets allow criminals to harvest sensitive information from infected computers, such as online banking credentials and credit card information. A criminal can also use a botnet to perform cyberattacks on other computer systems, such as denial-of-service attacks.

[3] Ransomware is a type of malware that infects the victim’s PC and encrypts the victim’s files, so that the victim is unable to access them. The criminal behind the ransomware then uses intimidation and misinformation to force the victim to pay a sum of money in exchange for the password that unlocks the encrypted files. Even if a password is eventually provided, it does not always work.

[4] Fast flux technique is an evasion technique used by botnet operators to quickly move a fully qualified domain name (a domain that points to one specific Internet resource such as www. domain .com) from one or more computers connected to the Internet to a different set of computers. Its aim is to delay or evade the detection of criminal infrastructure. In the double fast flux setup, both the domain location and the name server queried for this location are changed.

Read more »

Thursday, April 9, 2015

Facts About Remote Access Trojans (RATs) vs AlienSpy

11:52 AM

AlienSpy is the latest in a family of RATs which target both consumers and enterprises in a bid to steal valuable data and compromise systems.

Remote Access Trojans (RATs) never fully vanish; instead, they are often recycled and redeveloped in the changing cybersecurity landscape. These kinds of Trojans, often deployed through phishing campaigns which use spoof emails and malicious files to deliver malware payloads, can be tailored to target particular industries -- such as banking or manufacturing -- or be used indiscriminately against both consumers and businesses.

In a security advisory (.PDF) posted Thursday, security firm Fidelis said the newly-discovered AlienSpy Trojan is currently being used in international phishing campaigns against both consumers and the enterprise, although generally has been detected in campaigns based in the technology, finance, government and energy sectors.

Joining the likes of njRAT, njWorm and Houdini, the RAT's development focuses on delivery rather than core functions. However, AlienSpy does differ from its predecessors. While also similar to Frutas, Adwind and Unrecom, the security firm believes the new RAT has benefited from "unified," collaborative development. As a result, the Trojan is more sophisticated and has expanded functionality.

AlienSpy currently supports infections on Windows, Linux, Mac OSX and the Android mobile operating system. However, the Trojan also demonstrates new evasion techniques not present in past RATs.

Once deployed, the Java-based Trojan grants an attacker access and control over a compromised system. The malware is able to collect system information including OS version, RAM data and computer name, upload and deploy additional malware packages, capture webcam and microphone streams without consent, and remotely watch device activity. In addition, the Trojan includes a keylogger.

AlienSpy's additional features include a sandbox detection tool, the detection and disabling of antivirus software, and the use of Transport Layer Security (TLS) cryptographic protocols to secure its connection to the command and control (C&C) server.

"Applying this technique makes it very difficult for network defenders to detect the malicious activity from infected nodes in the enterprise. To prevent various security tools from running, this version of AlienSpy performs various registry key changes," the advisory notes. "Infected systems could end up with botnet malware downloaded through AlienSpy RAT (e.g. Citadel) as it was observed by our security researchers during one of the infections."

In the same manner as its predecessors, AlienSpy is available through various subscription models and receives continual updates from its developers. According to Fidelis, AlienSpy can be purchased for between $19.90 and $219.99.

"Enterprises should ensure that they are capable of detecting inbound malware as well as active infections involving this RAT," Fidelis says.

The security firm has also published a Yara rule to help developers identify and classify the AlienSpy malware strain.

via ZDNet

Read more »

Monday, June 27, 2011

Top 5 threat protection best practices

3:32 PM

1. Control outbound content as well as inbound.

Data loss can be accidental or malicious. Human error, carelessness, or a lack of data security can lead to data loss, such as sending an e-mail attachment containing personally identifiable information (PII) to an unauthorized recipient. Most companies’ firewalls are set up to block incoming traffic, but data is sent off network on common ports like IRC, SMTP, and HTTP.

2. To protect against malware, block access to Web ports and scan traffic.

With one new Web page infected every 4.5 seconds, the Web is now the number one vector of attack for cybercriminals. Taking advantage of Web infrastructure vulnerabilities, attackers covertly inject malicious code into legitimate Web sites. This Web-based malware then uses social engineering tactics or browser vulnerabilities to infect visitors with the intention of stealing confidential data, installing more malicious code, or silently recruiting the host system into a botnet.

3. Educate users about the dangers and safe use of social networking Web sites.

Social networking sites like Facebook and Twitter have become popular playgrounds for attackers who recognize users’ tendency to instill a higher level of trust in the sites themselves and to share too much personal information. As a result, malware and data theft are presenting serious problems to their users. In fact, there was a 70% rise in proportion of firms that report encountering spam and malware attacks via social networks during 2009. Spam is also common on social networking sites, and social engineering is on the rise.

4. Encrypt sensitive data in use, at rest, and in motion.

Encryption is an integral technology to protect your organization’s sensitive data. If a threat bypasses your antivirus, firewall, or other controls, PII (Personally Identifiable Information) is vulnerable. But if data that is encrypted before it’s placed on removable media or sent by e-mail falls into the wrong hands, it is unreadable.

5. Restrict use of removable storage devices.

An organization’s vulnerabilities are exacerbated by the unchecked ability to launch unauthorized software from removable storage devices like USB keys, CDs, and DVDs. Unauthorized applications can introduce vulnerabilities to the network, and malware, like the Conficker worm, is becoming a major issue as these devices can serve as vehicles for distribution. Data can also be easily taken outside of an organization on these devices, and many recent high-profile incidents confirm how easily they can be lost.