Posts Tagged ‘malware’
Will police expand the use of malware to catch cyber-criminals?

Cyber criminals use Trojans to steal information, but are the same techniques of electronic surveillance being used by the agencies set up to protect us?
Internet crime “is no longer the elephant in the room. It is the room,” Sir Ian Andrews, chairman of the Serious Organised Crime Agency (SOCA), told this week’s London Conference on Cyberspace. The rapid increase in the cost of cyber-crime means police and governments are having to protect themselves from a threat that is often nearly impossible to trace. But the web has also become a vital space to gather evidence on suspects for traditional crimes…
There was controversy earlier this month when the German state of Bavaria admitted using a Trojan – a malicious program sent to a digital device covertly to collect data – to gather intelligence on suspected criminals. The R2D2 malware received criticism for it potentially allowing officials to launch software and capture images on the infected computer…
Ironically, the Trojan is not believed to have been sophisticated enough to beat antivirus software so would only be able to infiltrate unprotected computers – something unlikely amongst experienced computer users.
But there seems to be an emerging trend of governments going on the offensive…
In the UK, senior officials have not ruled out doing something similar. “In terms of the sensitivities around particular Trojans, it wouldn’t be something that we would particularly like to talk about,” says Lee Miles, head of cyber at the UK serious crime agency, SOCA.
Cybercrime expert Professor Peter Sommer, of the London School of Economics, believes that adding software remotely to a suspect’s computer would probably be illegal under current UK law. And the introduction of new powers for the police is something that is often picked over with a fine-toothed comb before its introduction is even proposed.
“We do need to exercise care embarking down this path [of using new techniques] because of the unintended consequences – it’s something that has to be considered very carefully,” says UK Minister for Crime and Security James Brokenshire.
Will police expand the use of malware to catch cyber-criminals? Short answer? I hope so.
If they aren’t doing so already, I imagine any policing body that can afford to will budget for counter-measures to cybercrime. After all, it seems as if the cost of the practice is still minute compared to doing nothing – and significantly less than simply relying on buying access by threats of long sentences versus cooperation by the few killer klowns ever caught through conventional means.
We’ve already had instances of counter-measures fired back at zombie servers used by hackers. That can be turned to trojan techniques in any number of ways. But, then, if I have thought of doing this – someone in computer security is probably already doing it.
Round 1 Goes to the FBI vs. Coreflood Botnet

The FBI’s unprecedented effort to behead the Coreflood botnet — comprising millions of hacked Windows machines — appears to be working, at least for now. The bureau has tracked a dramatic decline in the number of pings from the botnet since the takedown operation began earlier this month…
The government’s efforts have “temporarily stopped Coreflood from running on infected computers in the United States,” writes the government in its filing, “and have stopped Coreflood from updating itself, thereby enabling anti-virus software vendors to release new virus signatures that can recognize the latest versions of Coreflood.”
The Justice Department asked the court to extend authorization for “Operation Adeona” for an additional 30 days, through May 25, so the feds can continue to temporarily disable the malware as it reports in from infected hosts. The court approved the request on Monday.
Interestingly, the new filing also hints that the government may soon formally seek court permission to take the next step, and actually instruct infected computers to permanently uninstall the malware. It would be the first time a government agency automatically removed code from Americans’ computers.
“The process has been successfully tested by the FBI on computers infected with Coreflood for testing purposes,” writes FBI Special Agent Briana Neumiller in a declaration to the court…
At the beginning of 2010, Coreflood encompassed more than 2 million infected machines worldwide, the majority of them in the U.S. Coreflood is malicious software used by its controllers to steal online banking credentials from a victim’s computer to loot their financial accounts. In one case, the criminals managed to initiate more than $900,000 in fraudulent wire transfers from the bank account of a defense contractor in Tennessee before they were discovered. An investment company in North Carolina lost more than $150,000 in fraudulent wire transfers.
The culture of embarrassment continues to overlay most successful uses of malicious software. The firms and individuals who have infected computers are loath to admit their carelessness and loss. Many banks don’t want these tales publicized for fear of losing accounts – even though banks are rarely penetrated.
And software companies selling defenses against such attacks usually end up sounding like a commercial for their own products – when discussing such attacks.
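The sinkhole behaviour the Coreflood filing above describes, modelled as an added Python example: beacons from infected hosts are parsed, the distinct hosts seen per day are counted (the “dramatic decline in the number of pings” metric), and each beacon gets a reply that is scoped to the authorized jurisdiction, with the permanent uninstall held back behind a separate flag because the filing says it had only been tested, not yet authorized. This is not FBI, ISC or Coreflood code; the log format, the bot-id field, the country column (assumed to come from an external IP-geolocation lookup) and the reply names are assumptions, and the sample log is constructed.

```python
"""Sinkhole-style beacon handling, modelled on the Coreflood takedown described
above. Added illustrative example, not the FBI's or Coreflood's code: the log
format, the bot-id field and the reply names are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample sinkhole log: UTC timestamp, source IP, country code
# (assumed to come from an external IP-geolocation lookup), bot identifier.
SAMPLE_LOG = """\
2011-04-13T02:11:09Z 198.51.100.7 US bot-0a1f
2011-04-13T02:11:44Z 198.51.100.7 US bot-0a1f
2011-04-13T03:00:01Z 203.0.113.20 DE bot-77c2
2011-04-13T05:42:13Z 198.51.100.9 US bot-b3e4
2011-04-14T01:09:52Z 198.51.100.9 US bot-b3e4
2011-04-14T09:15:30Z 203.0.113.20 DE bot-77c2
2011-04-15T11:31:04Z 203.0.113.20 DE bot-77c2
"""

STOP = "STOP"            # temporarily halt the bot; the filing calls this "temporarily disable"
UNINSTALL = "UNINSTALL"  # permanent removal; gated on separate explicit authorization
LOG_ONLY = "LOG_ONLY"    # outside the authorized jurisdiction: record the beacon, do not act


@dataclass(frozen=True)
class Beacon:
    when: datetime
    src_ip: str
    country: str
    bot_id: str


def parse_beacons(text: str) -> list[Beacon]:
    """Parse whitespace-separated log lines; skip blank or malformed ones."""
    beacons = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, cc, bot = parts
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        beacons.append(Beacon(when, ip, cc.upper(), bot))
    return beacons


def distinct_hosts_per_day(beacons: list[Beacon]) -> dict[str, int]:
    """Count distinct bot ids per UTC day. Keying on bot id rather than source IP
    avoids counting one DHCP-renumbered host twice and several NATed hosts once."""
    seen: dict[str, set[str]] = defaultdict(set)
    for b in beacons:
        seen[b.when.strftime("%Y-%m-%d")].add(b.bot_id)
    return {day: len(ids) for day, ids in sorted(seen.items())}


def decline_percent(counts: dict[str, int]) -> float:
    """Drop from the first to the last day, as a percentage of the first day."""
    days = sorted(counts)
    first, last = counts[days[0]], counts[days[-1]]
    return 100.0 * (first - last) / first if first else 0.0


def decide_reply(beacon: Beacon, authorized_countries=frozenset({"US"}),
                 uninstall_authorized: bool = False) -> str:
    """Choose the sinkhole's response to one beacon.

    Only hosts inside the authorized jurisdiction are acted on (the filing covers
    "infected computers in the United States"). IP geolocation is approximate, so a
    real deployment would treat the country field as a best-effort signal. UNINSTALL
    is never sent unless the separate flag is set, mirroring the tested-but-not-yet-
    authorized status described in the filing."""
    if beacon.country not in authorized_countries:
        return LOG_ONLY
    return UNINSTALL if uninstall_authorized else STOP


if __name__ == "__main__":
    beacons = parse_beacons(SAMPLE_LOG)
    counts = distinct_hosts_per_day(beacons)
    print("distinct hosts per day:", counts)
    print(f"decline over the window: {decline_percent(counts):.1f}%")
    for b in beacons:
        print(b.when.isoformat(), b.bot_id, b.country, "->", decide_reply(b))
```

Run as-is to see the per-day counts fall from three hosts to one over the constructed window, with the German host logged but never sent a command.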
Infect your PC with malware – click on the London Stock Exchange

Booby-trapped adverts that hit visitors with fake security software have been discovered on the London Stock Exchange (LSE) website. Analysis of the LSE site suggests that over the last 90 days, about 363 pages had hosted malware.
The LSE said its site was now safe and an investigation showed that ads provided by a third party were the culprit…
Security expert Paul Mutton fell victim when he viewed the site on 27 February. He visited the LSE homepage to find out why some people reported that they could not access it.
The site was blocked by Firefox, he said, but accessible via Google’s Chrome browser. “It seemed to work with Chrome but then a few seconds later, without having to click on anything, pop-ups started to appear,” he said…
“I visited the site and it compromised my machine,” said Mr Mutton.
While he was fighting to regain control of his machine, the malware kicked off fake virus alerts in pop-up windows. One window was a fake security scanner which claimed it had detected lots of different malware on the PC.
Mr Mutton said his machine fell victim despite being updated with the latest batch of virus definitions earlier in the day…
Of the 1112 pages that Google scanned on the LSE site over the last 90 days, 363 were found to be hosting malware. The malicious code it found included scripting exploits and trojans.
The article rounds up with solutions and suspicions by security experts [meaning software vendors]. Which, of course, don’t confirm a damned thing.
Causes may have been ad servers, image servers, lots of ways the crud might have been made available to infect the computers of trusting subscribers. Not exactly the best job of self-policing, folks.
60+ charged in Zeus cybercrime roundup
U.S. prosecutors have unveiled charges against more than 60 defendants allegedly involved in a global cybercrime scheme that used the Zeus Trojan and other Internet viruses to steal over $3 million from U.S. bank accounts.
The scheme was engineered by unnamed hackers based in Eastern Europe who hijacked bank accounts…
“The mouse and the keyboard can be far more effective than the gun and the mask,” U.S. Attorney Preet Bharara told reporters.

Prosecutors described a complex “money mule” organization in which foreigners who entered the United States on student visas were recruited as “mules” to open bank accounts under fake names. The accounts were then used to receive and transfer the stolen funds, they said.
Federal prosecutors announced charges against 37 defendants, while Manhattan District Attorney prosecutors charged 36 people on top of 19 previously arrested. City and federal prosecutors said a number of those charged were not yet in custody.
London’s Metropolitan Police arrested 19 people on Tuesday in a possibly related case in which 6 million pounds were allegedly stolen from a number of unidentified major world banks.
There still is no patch for stupidity.
Google warning on fake anti-virus software

Fake anti-virus software that infects PCs with malicious code is a growing threat, according to a study by Google.
Its analysis of 240m web pages over 13 months showed that fake anti-virus programs accounted for 15% of all malicious software.
Scammers trick people into downloading programs by convincing them that their PC is infected with a virus. Once installed, the software may steal data or force people to make a payment to register the fake product.
“Surprisingly, many users fall victim to these attacks and pay to register the fake [anti-virus software],” the study said.
“To add insult to injury, fake anti-viruses often are bundled with other malware, which remains on a victim’s computer regardless of whether a payment is made…”
Mr Cluley said that people should be familiar with their own anti-virus software and should “always be suspicious” if they were confronted with a pop-up telling them they need to download something extra or spend money to clean up a computer.
“If you already have anti-virus installed you shouldn’t need to do that,” he said.
Or – if you’re using an advanced Unix-based operating system and/or have your brain switched on – you won’t click on the links that take you into the spider’s lair.
Cybercrooks are hiring – just click on their ad. Har!

The people who brought the world malicious software that steals credit card numbers from your personal computer and empties bank ATMs of their cash are hiring, and they’re advertising online.
Two companies that are hiring — at least on a contractor basis — advertise online, said Kevin Stevens, a threat intelligence analyst for SecureWorks, who presented findings on the organizations at the Black Hat cybersecurity conference outside Washington on Monday.
What they are seeking is people who are willing to take malicious code they provide and link it to something that people will click on — like a picture of Britney Spears getting out of her car. These people then collect a fee for each 1,000 times that the malware is downloaded.
One site, for example, pays $180 for each 1,000 times that malware is downloaded onto a U.S. computer but less for computers elsewhere. It refuses to pay for any downloads to Russian computers, causing Stevens and others to strongly suspect that it, like other similar sites, is based in Russia.
“We pay your wages via the following systems: Fethard, WebMoney, Wire, e-gold, Western Union (WU), MoneyGram, Anelik and ePassporte, and PayPal,” the site said…
Cripes. What makes the sleazy entrepreneurs who sign for these contract jobs think they’re any less likely to be screwed – than the people they themselves are setting out to screw?
Malware launched from tech blog – Gizmodo

Visitors to technology blog Gizmodo are being warned that they could have picked up more than tips about the latest must-have gadget.
According to security firm Sophos, the website was delivering advertisements “laced with malware” last week.
A statement on the Gizmodo website admits that it was tricked into running Suzuki adverts which were in fact from hackers.
It follows a similar problem on the New York Times website. Last month the New York Times’ website was targeted by a gang of hackers who purchased ad space on the site by posing as internet telephone company, Vonage.
In both cases the adverts served up fake anti-virus software – known as scareware.
Scareware attempts to convince users that their computer is infected with viruses and trojans, and tricks them into downloading “remedies” which are harmful and can be used by criminals to get at information such as credit card details.
“What is particularly audacious about this plot is that the criminals appear to have posed as legitimate representatives of Suzuki in order to plant their dangerous code on Gizmodo’s popular website,” he added.
It’s called social engineering, folks. You know that.
Remember – there is no patch for stupid.
Microsoft says 3rd-party apps are a bigger danger – than Microsoft

Microsoft claims third-party applications are now a bigger security threat than its own software.
The company was speaking following the launch of its latest Security Intelligence Report, an annual compilation of security trends and threats. Cliff Evans, security and privacy lead at Microsoft UK, says third-party developers are being increasingly targeted by malware writers. Only 5.5% of browser-based exploits target Microsoft software on Windows Vista machines, although that figure rises to 40.9% on Windows XP…
The report points the finger squarely at Adobe, which saw attacks on its PDF format rise sharply in the second half of 2008, according to Microsoft.
Microsoft claims the vast majority of attacks on its own software are exploiting unpatched applications: 80.3% of the successful attacks on Office 2003 were found on machines that were still using the RTM software, for example.
Has Microsoft considered enforcing security updates on users of its own products? “Someone like me might say yes,” said Ed Gibson, chief cyber security advisor at Microsoft UK. “The problem with that is how do we then work with major enterprise companies who have written specific applications for their particular needs and they feel they have to do testing on security updates. They wouldn’t want to have those updates forced on them.”
Gibson admits the malware writers are blatantly ripping off the look and feel of Microsoft and third-party security products to give their malware an air of authenticity. “They’ve definitely become cleverer in terms of their approach,” he said. The fake software is largely emanating from Western countries such as the US and Spain. “Organised crime is using that [virus attacks] as a scare tactic to give you pop-ups that look legitimate,” he warned.
He said the company was working with law enforcement agencies to hunt down the perpetrators.
As much as I agree with all of the OS producers about unpatched 3rd-party software – and just plain buggy, uncertified 3rd-party software – Apple and Ubuntu and others have proved their OS can have security regimens built-in that are robust and sufficient for the average user.