<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Vangelis NewsRoom &#187; Malware</title>
	<atom:link href="http://www.vangelis-solutions.co.uk/news/index.php/category/malware/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.vangelis-solutions.co.uk/news</link>
	<description>Vangelis Solutions Ltd - News Page</description>
	<lastBuildDate>Thu, 31 Jan 2013 14:47:42 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>FBI takes down botnet of four million computers in Operation Ghostclick</title>
		<link>http://www.vangelis-solutions.co.uk/news/index.php/2011/11/fbi-takes-down-botnet-of-four-million-computers-in-operation-ghostclick/</link>
		<comments>http://www.vangelis-solutions.co.uk/news/index.php/2011/11/fbi-takes-down-botnet-of-four-million-computers-in-operation-ghostclick/#comments</comments>
		<pubDate>Thu, 10 Nov 2011 14:48:36 +0000</pubDate>
		<dc:creator>Bretos Margetis</dc:creator>
				<category><![CDATA[Email]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Web and Internet]]></category>
		<category><![CDATA[Botnet]]></category>
		<category><![CDATA[bots]]></category>
		<category><![CDATA[FBI]]></category>
		<category><![CDATA[trojans]]></category>

		<guid isPermaLink="false">http://www.vangelis-solutions.co.uk/news/?p=3020</guid>
		<description><![CDATA[The FBI and Estonian police have taken down a botnet of over 4 million computers in an operation dubbed &#8220;Ghostclick&#8221;. The cyber ring used a class of malware called DNSChanger to infect approximately 4 million computers in more than 100 countries. DNS (Domain Name System) is a critical internet service that converts user-friendly domain names into [...]]]></description>
				<content:encoded><![CDATA[<p><strong>The FBI and Estonian police have taken down a </strong><a href="http://www.computerweekly.com/Articles/2011/07/01/247153/Cyber-criminals-deploy-TDL-4-virus-to-create-indestructible-botnet-of-4.5m.htm%E2%80%A9"><strong>botnet</strong></a><strong> of over 4 million computers in an operation dubbed &#8220;Ghostclick&#8221;.</strong></p>
<p>The cyber ring used a class of malware called DNSChanger to infect approximately 4 million computers in more than 100 countries.</p>
<p>DNS (Domain Name System) is a critical internet service that converts user-friendly domain names into numerical addresses that allow computers to talk to each other.</p>
<p>The FBI raided two datacentres in New York City and Chicago which had a command and control infrastructure comprising over 100 servers. At the same time the Estonian police arrested six suspected cyber criminals in Estonia. The US is seeking to extradite them.</p>
<p>The scammers manipulated internet advertising to generate at least $14m through the botnet. In some cases, the malware had the additional effect of preventing users&#8217; anti-virus software and operating systems from updating, thereby exposing infected machines to even more malicious software, said the FBI.</p>
<p>&#8220;They were organised and operating as a traditional business but profiting illegally as the result of the malware,&#8221; said an FBI agent who worked the case. &#8220;There was a level of complexity here that we haven&#8217;t seen before.&#8221;</p>
<p>The cyber crime group controlled every step, from infection with Trojans to monetising the infected bots. The cyber ring was an Estonian company called Rove Digital, according to network and antivirus company Trend Micro, which had been monitoring the botnet since 2007.</p>
<p>In conjunction with the arrests, US authorities seized computers and rogue DNS servers at various locations. As part of a federal court order, the rogue DNS servers have been replaced with legitimate servers in the hope that users who were infected will not have their internet access disrupted, said the FBI.</p>
<p>Source: Computer Weekly</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vangelis-solutions.co.uk/news/index.php/2011/11/fbi-takes-down-botnet-of-four-million-computers-in-operation-ghostclick/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Typosquatting Helps Hackers Steal Sensitive Information Contained in Email</title>
		<link>http://www.vangelis-solutions.co.uk/news/index.php/2011/09/typosquatting-helps-hackers-steal-sensitive-information-contained-in-email/</link>
		<comments>http://www.vangelis-solutions.co.uk/news/index.php/2011/09/typosquatting-helps-hackers-steal-sensitive-information-contained-in-email/#comments</comments>
		<pubDate>Tue, 13 Sep 2011 12:02:55 +0000</pubDate>
		<dc:creator>Bretos Margetis</dc:creator>
				<category><![CDATA[Email]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[hacking]]></category>

		<guid isPermaLink="false">http://www.vangelis-solutions.co.uk/news/?p=2413</guid>
		<description><![CDATA[New research has shown how common spelling or punctuation mistakes may make it easier for cyber criminals to steal email containing sensitive information. Researchers Peter Kim and Garrett Gee from the cyber security outfit Godai Group created doppelganger Web domains of some high-profile companies to test this theory. To everyone’s horror, they managed to gather as much as 20 GB [...]]]></description>
				<content:encoded><![CDATA[
<p>New research has shown how common spelling or punctuation mistakes may make it easier for cyber criminals to steal email containing sensitive information.</p>
<p>Researchers Peter Kim and Garrett Gee from the cyber security outfit Godai Group created doppelganger Web domains of some high-profile companies to test this theory. To everyone’s horror, they managed to gather as much as 20 GB of sensitive information belonging to these companies.</p>
<p>A doppelganger domain is a web domain that looks just like its legitimate counterpart, but with a minor spelling or punctuation error.</p>
<p>And even worse, the companies whose data were intercepted by the two researchers were all Fortune 500 companies.</p>
<p>Apparently, the loophole exploited by the researchers is based on a methodology known as &#8220;typosquatting&#8221;, which is used by many hackers. This technique could be devastating when deployed against businesses instead of individuals.</p>
<p>“Doppelganger domains have a potent impact via email as attackers could gather information such as trade secrets, user names and passwords, and other employee information,&#8221; wrote the researchers in a paper detailing their work, as <a href="http://www.bbc.co.uk/news/technology-14842691" target="_blank">reported</a> by BBC News.</p>
<p>Source: Erica Thinesen</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vangelis-solutions.co.uk/news/index.php/2011/09/typosquatting-helps-hackers-steal-sensitive-information-contained-in-email/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FBI Issues Warning About Spear Phishing</title>
		<link>http://www.vangelis-solutions.co.uk/news/index.php/2009/11/fbi-issues-warning-about-spear-phishing/</link>
		<comments>http://www.vangelis-solutions.co.uk/news/index.php/2009/11/fbi-issues-warning-about-spear-phishing/#comments</comments>
		<pubDate>Tue, 10 Nov 2009 12:31:16 +0000</pubDate>
		<dc:creator>Bretos Margetis</dc:creator>
				<category><![CDATA[Email]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Spam]]></category>
		<category><![CDATA[Viruses]]></category>
		<category><![CDATA[spear phishing]]></category>

		<guid isPermaLink="false">/news/?p=1235</guid>
		<description><![CDATA[The FBI is warning small and midsize businesses that spear phishing is becoming an ever-increasing threat. Over $85 million has been stolen by cybercriminals and only around $45 million has been recovered. The scam starts with a spam campaign that delivers malware. The messages are targeted to individuals responsible for handling financial transactions within [...]]]></description>
				<content:encoded><![CDATA[<p>The FBI is warning small and midsize businesses that spear phishing is becoming an ever-increasing threat. Over $85 million has been stolen by cybercriminals and only around $45 million has been recovered. The scam starts with a spam campaign that delivers malware. The messages are targeted to individuals responsible for handling financial transactions within a company. Those that fall for the spam find their computers infected with malware that is designed to steal personal info and banking credentials. From there the fraudulent withdrawals begin, all under $10,000 to avoid reporting requirements. The stolen money is then sent to a money mule who is instructed to wire it to the criminals via Western Union.</p>
<p>This scam has two sets of victims, the companies that are being stolen from and the innocent people being used to do the dirty work. Most are recruited via phony “Work from Home” ads. Scammers prey on the unemployed and underemployed, often flooding sites like Craigslist and Monster with fake job openings and also scanning the site for job seekers who have posted contact info and spamming them. What makes this part of the spear phishing scam so sinister is that the mules aren’t just being scammed, they are money laundering, which is a serious criminal offense.</p>
<p>The FBI advises companies to confine their banking activities to a dedicated, locked-down computer that is not used for any other purpose and isn’t allowed to access email or everyday web browsing. A strong and constantly updated firewall is also a must.</p>
<p>Source: Sue Walsh November 2009</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vangelis-solutions.co.uk/news/index.php/2009/11/fbi-issues-warning-about-spear-phishing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Malware Threats from Unexpected Sources: Trojans Embedded in Streaming Video Links</title>
		<link>http://www.vangelis-solutions.co.uk/news/index.php/2009/09/malware-threats-from-unexpected-sources-trojans-embedded-in-streaming-video-links/</link>
		<comments>http://www.vangelis-solutions.co.uk/news/index.php/2009/09/malware-threats-from-unexpected-sources-trojans-embedded-in-streaming-video-links/#comments</comments>
		<pubDate>Tue, 22 Sep 2009 14:06:14 +0000</pubDate>
		<dc:creator>Bretos Margetis</dc:creator>
				<category><![CDATA[Email]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">/news/?p=1047</guid>
		<description><![CDATA[Sometimes spam, viruses, and other malware filtering at your email gateway isn’t enough. It’s important to keep your host anti-virus signatures up to date, and if you don’t have anti-virus protection at your firewall or on your network at the Internet gateway you should seriously consider it. Here’s why these items are critical. Some recent [...]]]></description>
				<content:encoded><![CDATA[<p>Sometimes spam, viruses, and other malware filtering at your email gateway isn’t enough. It’s important to keep your host anti-virus signatures up to date, and if you don’t have anti-virus protection at your firewall or on your network at the Internet gateway you should seriously consider it.</p>
<p>Here’s why these items are critical. Some recent malware attacks have used malware embedded in video and audio streams as the transfer mechanism. They can gain an initial foothold, so to speak, by managing to get a link to your users in a spam email. If your spam filter doesn’t block the message, a link in the email appears to be a video or audio link, but in fact the destination contains a trojan that is embedded in the content stream.</p>
<p>This method of attack isn’t exactly new. For example, the ZLOB Trojan began making rounds in 2005, and began gaining traction in 2006. Some attacks with it simply involved downloading other viruses or malware. Using a video link, however, for users that have their ActiveX controls set to download codecs automatically means that those users with poor virus protection would automatically download the virus and become infected.</p>
<p>Now, most of us won’t have this problem, right? Surely you and your users would, at a minimum:</p>
<ol>
<li>Have host-based as well as network/perimeter-based anti-virus protection.</li>
<li>Keep your anti-virus signatures up-to-date for all your systems.</li>
<li>Not have your browsers set to automatically download and install ActiveX controls or codecs.</li>
<li>Have users trained, understanding not to install random codecs or ActiveX controls themselves.</li>
<li>Have in place strong anti-spam protection that may block messages from domains likely to send these messages.</li>
<li>Have perimeter security measures in place that detect and block or intercept malicious content as it appears.</li>
<li>Have users trained well on the risks of clicking unknown links, or going in search of suspicious content.</li>
<li>Have a proxy or firewall with content filtering in place, with a policy that prohibits visiting or traffic from certain domains known to be sources of malware.</li>
<li>Keep your systems patched with the latest security patches from your OS vendor and from your application vendors.</li>
<li>Frequently review your security protections and rules in place, and carefully consider before making changes allowing more permissive use and access to and from protected resources.</li>
</ol>
<p>The most security conscious of us and those that keep current with security risks and trends in security technology may think that all of this is old news, that of course they won’t have any problems–and they may be right. I hope so. However, new small businesses and new business Internet users are appearing all the time. As these businesses grow and expand, they may have transition periods where their deployed technology changes and of course upgrades will happen sometime. At those times, extra vigilance is required. If you are brought on board during a transition period as an email administrator, network administrator or security administrator, be aware that such risks are heightened.</p>
<p>While the attempt to execute malicious code via a codec installation may seem to be old hat, consider that new vulnerabilities appear frequently. Consider that Windows Media Player can play streaming content, and couple that with the recent vulnerability MS09-047, Microsoft Windows Media Playback Memory Corruption Vulnerability. This vulnerability can permit remote code execution, which is exactly the sort of vector needed by the sender of the spam we started this discussion with: a maliciously crafted Windows Media Format file pointed to by a link in a spam email. Granted, this vulnerability and others like it have been patched, and if you are up-to-date on your patches it isn’t actually a threat.</p>
<p>Where this can become a problem (and as far as I know it isn’t with this vulnerability) is when the patches interfere or conflict with mission critical applications and can’t be applied, and when system updates (unfortunately including some antivirus and security patches) that may require reboots can’t be done as soon as they are received. Testing and verification may be required in your business (and is a good idea if it’s not part of your routine) before applying new patches and updates. During this window of time, when the attacks are launched on “zero day”, till your patches are applied, your systems may be vulnerable. During this (hopefully brief) time period the sort of attack described at the beginning of this post could actually penetrate your security and wreak havoc. Follow the ten tips listed above, and minimize your vulnerability.</p>
<p>Source: Lee Clemmer September 2009</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vangelis-solutions.co.uk/news/index.php/2009/09/malware-threats-from-unexpected-sources-trojans-embedded-in-streaming-video-links/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Microsoft issues anti-malware changes to Windows 7</title>
		<link>http://www.vangelis-solutions.co.uk/news/index.php/2009/05/microsoft-issues-anti-malware-changes-to-windows-7/</link>
		<comments>http://www.vangelis-solutions.co.uk/news/index.php/2009/05/microsoft-issues-anti-malware-changes-to-windows-7/#comments</comments>
		<pubDate>Mon, 04 May 2009 15:10:41 +0000</pubDate>
		<dc:creator>Bretos Margetis</dc:creator>
				<category><![CDATA[Email]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Windows 7]]></category>

		<guid isPermaLink="false">/news/?p=624</guid>
		<description><![CDATA[Microsoft is changing the AutoPlay feature of Windows 7, so that it will not be able to enable AutoRun for USB devices. The change was necessary, since some malware (including Conficker) uses the AutoRun feature to spread. Malware isn’t just an email-borne problem any more–specifically, malware writers recognize that email security has been improving overall, [...]]]></description>
				<content:encoded><![CDATA[<p>Microsoft is changing the AutoPlay feature of Windows 7, so that it will not be able to enable AutoRun for USB devices. The change was necessary, since some malware (including Conficker) uses the AutoRun feature to spread. Malware isn’t just an email-borne problem any more–specifically, malware writers recognize that email security has been improving overall, and are looking for new attack vectors. Removable media, such as USB devices, make a perfect attack vector for them.</p>
<p>Although Conficker is the most well-known piece of malware that uses the default AutoRun settings to propagate itself, others have also used this feature in the past and continue to do so now. Spreading malware via USB devices started to become prevalent last year.</p>
<p>There will no doubt be some outcry about Windows 7 hampering usability, but the move makes sense. With this update, the AutoRun task will continue to work for removable media such as CDs and DVDs, but it will not be enabled for other devices, such as USB drives. In addition to being incorporated in Windows 7, the change will also be reflected in future updates of Vista and XP.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vangelis-solutions.co.uk/news/index.php/2009/05/microsoft-issues-anti-malware-changes-to-windows-7/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Spam Uses Bomb Hoax and Location Lookup to Spread Malware</title>
		<link>http://www.vangelis-solutions.co.uk/news/index.php/2009/03/new-spam-uses-bomb-hoax-and-location-lookup-to-spread-malware/</link>
		<comments>http://www.vangelis-solutions.co.uk/news/index.php/2009/03/new-spam-uses-bomb-hoax-and-location-lookup-to-spread-malware/#comments</comments>
		<pubDate>Tue, 24 Mar 2009 17:03:22 +0000</pubDate>
		<dc:creator>Bretos Margetis</dc:creator>
				<category><![CDATA[Email]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Spam]]></category>
		<category><![CDATA[Hoax]]></category>

		<guid isPermaLink="false">/news/?p=445</guid>
		<description><![CDATA[A new wave of spam combines a new technique with an old one in its efforts to spread malware. Spam messages containing a fake news alert claiming a bombing has taken place in the recipient’s local area are hitting inboxes across the net. Manipulating headlines and making up fake news stories are nothing new in the [...]]]></description>
				<content:encoded><![CDATA[<p>A new wave of spam combines a new technique with an old one in its efforts to spread malware. Spam messages containing a fake news alert claiming a bombing has taken place in the recipient’s local area are hitting inboxes across the net. Manipulating headlines and making up fake news stories are nothing new in the land of spam, but the fact that these spams are specifically tailored to the recipient’s location is. It appears that spammers are using IP lookups to deliver personalized content.</p>
<p>The spam contains a link to a site that contains a realistic looking Reuters news story and video. The news story reads much like this:</p>
<p>          At least 12 people have been killed and more than 40 wounded in a bomb blast near market in Amsterdam. Authorities suggested that the explosion was caused by “dirty” bomb. Police said the bomb was detonated from close by using electric cables. “It was awful” said the eyewitness about blast he heard from his shop. “It made the floor shake. So many people were running,”</p>
<p>“Amsterdam” changes to a city near the recipient, based on an IP lookup. The video, if clicked on, tells the user they must update a CODEC before it can be viewed. The CODEC is actually a Trojan that adds the infected computer to the Waledac botnet and downloads even more malware, scans the system for personal information, and attempts to send itself to the users in the infected system’s address book.</p>
<p>Despite the spammer’s attempts to personalize their spam and make their site look as realistic as possible, the poor grammar in their fake news story is a dead giveaway!</p>
<p>Source: Sue Walsh March 2009</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vangelis-solutions.co.uk/news/index.php/2009/03/new-spam-uses-bomb-hoax-and-location-lookup-to-spread-malware/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Hoax Slayer</title>
		<link>http://www.vangelis-solutions.co.uk/news/index.php/2009/02/the-hoax-slayer/</link>
		<comments>http://www.vangelis-solutions.co.uk/news/index.php/2009/02/the-hoax-slayer/#comments</comments>
		<pubDate>Wed, 04 Feb 2009 13:49:06 +0000</pubDate>
		<dc:creator>Bretos Margetis</dc:creator>
				<category><![CDATA[Email]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Spam]]></category>
		<category><![CDATA[Viruses]]></category>
		<category><![CDATA[Hoaxes]]></category>
		<category><![CDATA[Scams]]></category>

		<guid isPermaLink="false">/news/?p=208</guid>
		<description><![CDATA[The Hoax Slayer website is for those who have wanted a single source website that clearly tells you whether that chain email is a scam or not. Investigating the possibilities will ultimately save you time, money and the hassle of wondering &#8220;Is this email or website for real?&#8221; Email your feedback to us via the contact [...]]]></description>
				<content:encoded><![CDATA[<p>The Hoax Slayer website is for those who have wanted a single source website that clearly tells you whether that chain email is a scam or not. </p>
<p>Investigating the possibilities will ultimately save you time, money and the hassle of wondering &#8220;Is this email or website for real?&#8221;</p>
<p>Email your feedback to us via the contact us form.</p>
<p><a href="http://www.hoax-slayer.com">http://www.hoax-slayer.com</a></p>
<p>All the Best!</p>
<p>Vangelis Solutions</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vangelis-solutions.co.uk/news/index.php/2009/02/the-hoax-slayer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
