i2 Security Blog

Keeping you up to date on the world of IT Security


Yet another Facebook Worm

Today another attack on Facebook users involving the Zeus bot is in action. Researchers at Danish security firm CSIS have spotted a worm spreading within the Facebook platform. The worm uses apparently stolen user credentials to log in to victims’ accounts and then sends malicious links to their friends. It also downloads and installs a variety of malware on users’ machines, including a variant of the Zeus bot.


If followed, the link takes potential victims to a page where they are offered what appears to be a screensaver for download. Unfortunately it is not a JPG file but an executable (b.exe). Once run, it drops a cocktail of malicious files onto the system, including ZeuS, a popular Trojan spyware capable of stealing user information from infected systems. The worm also has anti-VM capabilities, so it will not run, and cannot be tested, in a virtual environment such as Oracle VM VirtualBox or VMware.

Zeus is a common tool in the arsenal of many attackers these days and is used in a wide variety of attacks and campaigns. It used to be somewhat less common, but the appearance of cracked versions of the Zeus code has made it easier for lower-level attackers to get their hands on the malware. Zeus has a range of capabilities and specialises in stealing sensitive user data, such as banking credentials, from infected machines.
“The worm carries a cocktail of malware onto your machine, including a Zbot/ZeuS variant which is a serious threat and steals sensitive information from the infected machine,” warn the researchers. The worm is hosted on a variety of domains, so the link in the malicious message may vary. Other servers are used to collect the data sent by the malware and to serve additional malicious software.

As always, be very wary of any links posted to you on Facebook, even if they appear to come from your friends. Also be very wary of any emails asking for login details or banking details, or even just your name and address.

  • If you haven’t asked for a password reset then a company won’t have sent you an email asking you to reset your password.
  • If you haven’t made a banking transaction recently then your bank won’t be cancelling it.
  • etc etc etc

Attack on Wampserver and WordPress sites

Kimberly from Stopmalvertising found the Blackhole Exploit Kit on the website of the very popular web server package WampServer. WampServer is a bundle of web components for Windows users; the name comes from the software it packages (Windows, Apache, MySQL, PHP).
Near the bottom of the web page, the team that discovered this found some JavaScript requesting a file from jquery.googlecode.com, with the URL followed by a long string of parameters. The file returns a 404; it is just there as a decoy.

Once the script was decoded they found an iframe leading to vc-business.com/in.php. According to the analysis, if a vulnerable Java, Windows Media Player, Flash or Adobe Reader version is detected, the visitor is redirected to 91.194.214.66/dng311011/c7a44076f6c722eb74725563b0a000a0/spl.php and from there to 30domaaaam.in/main.php?page=c76874df55550a3f. According to Norton Safe Web, 91.194.214.66 has been listed as distributing the ZeroAccess rootkit.

Another attack by the Blackhole Exploit Kit was discovered on thousands of WordPress websites that use a popular, out-of-date TimThumb image tool. Avast senior researcher Jan Sirmer found that attackers had exploited weak FTP server authentication credentials and a vulnerability in the TimThumb image resizer to upload malicious PHP files to the sites. This was not the only way the attack succeeded: another vector was to use stolen passwords to make changes directly over FTP. In your FTP, alongside the other site files, a new file will appear that looks like this: ./wp-content/w3tc/min/a12ed303.925433.js or ./wp-includes/js/l10n.js
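One practical way to spot the dropped files described above is to compare the live site tree against a known-clean file list and to flag any PHP in directories that should only ever hold media. The script below is an added example for this post, not code from Avast or the WordPress project. The baseline file set, the upload/cache directory list and the sample tree it builds are all constructed for the demonstration; the two planted .js paths are the ones named in the write-up, and the dropped cache.php is an invented stand-in for an uploaded webshell.

```python
import tempfile
from pathlib import Path

# Hypothetical baseline: relative paths of every file in a known-clean copy
# of the site. In practice generate this from a fresh download of the same
# WordPress/plugin versions or from a backup taken before the incident.
CLEAN_BASELINE = {
    "index.php",
    "wp-includes/js/jquery.js",
    "wp-content/plugins/timthumb/timthumb.php",
    "wp-content/uploads/2011/10/photo.jpg",
}

# Directories that should hold only media or cached output, never PHP
# (assumption made for this example; adjust to the site's own layout).
UPLOAD_DIRS = ("wp-content/uploads", "wp-content/cache")


def list_site_files(root):
    """Return every file under root as a relative, '/'-separated path."""
    root = Path(root)
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}


def find_unexpected_files(root, baseline):
    """Files on disk that the clean baseline does not know about."""
    return sorted(list_site_files(root) - set(baseline))


def find_php_in_upload_dirs(root):
    """PHP files sitting in media/cache directories: a classic webshell drop."""
    hits = []
    for rel in list_site_files(root):
        if rel.startswith(UPLOAD_DIRS) and rel.lower().endswith((".php", ".phtml")):
            hits.append(rel)
    return sorted(hits)


def build_sample_site():
    """Constructed sample tree: the clean files plus the two file names the
    write-up lists and one invented PHP drop inside the uploads tree."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    planted = [
        "wp-content/w3tc/min/a12ed303.925433.js",  # path named in the write-up
        "wp-includes/js/l10n.js",                  # path named in the write-up
        "wp-content/uploads/2011/10/cache.php",    # constructed webshell-style drop
    ]
    for rel in list(CLEAN_BASELINE) + planted:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("// sample content\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for f in find_unexpected_files(site, CLEAN_BASELINE):
        print("not in baseline:", f)
    for f in find_php_in_upload_dirs(site):
        print("PHP in upload dir:", f)
```

A file-list diff only tells you something is new, not whether it is malicious, so treat each hit as a lead to inspect (and compare file contents and timestamps against the backup), not as a verdict; the PHP-in-uploads check is cheaper and far more specific, since a normal WordPress install never needs executable code there.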

Mac Attack using Tsunami Trojan

A new attack against Apple Macs has been discovered and is being termed the “Tsunami Trojan”.


The newly discovered Tsunami Trojan is derived from an earlier Linux backdoor Trojan called Kaiten, which connected back from infected machines to an IRC channel for further instructions. Security firms appear to be still analysing Tsunami, but early speculation suggests it may be a DDoS attack tool.


“Mac users are reminded that even though there is far less malware in existence for Mac OS X than for Windows, that doesn’t mean the problem is non-existent,” says Graham Cluley of security firm Sophos.

“We fully expect to see cybercriminals continuing to target poorly protected Mac computers in the future. If the bad guys think they can make money out of infecting and compromising Macs, they will keep trying. My advice to Mac users is simple: don’t be a soft target, protect yourself.”


I would fully agree with what Graham Cluley says; many people think there are no Trojans or viruses for Macs, but they are mistaken, and this article proves it once again. No matter what operating system you are running, be it Windows, Linux or Mac OS X, you should still secure it, keep patches up to date and run security software.


Don’t be one of the poorly protected computers spoken of above!


If you are a Mac user concerned about security, Sophos currently offers a free antivirus product for download from their site.

Mass attack on websites running ASP.NET

Research has highlighted a mass attack on web servers running ASP.NET; the infection redirects users to sites targeting old versions of Oracle’s Java, Adobe’s Flash and various browsers. The attack was disclosed by security firm Armorize on Wednesday.

The initial attack is showing around 1.15 million infected pages and the follow-on exploit around 17,500 pages; the figures come from Google searches.

The infection injects code into ASP.NET websites and plants an invisible link into visitors’ browsers to sites including jjghui.com and nbnjkl.com, which in turn redirect to a number of other sites containing obfuscated code. Those sites use a number of attacks that exploit well-known vulnerabilities in Java, Flash and so on. Computers running unpatched versions are then used by the attackers.

Armorize researchers submitted the attack code last week, and at the time only six of the top 43 antivirus vendors detected the attack; hopefully this figure has increased drastically since then.

Another firm, Sucuri, has released a scanner that can detect whether your site is infected.

If your site is compromised you must remove the infection from your database and audit ALL code to remove SQL injection issues.
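Both halves of that clean-up can be illustrated in a few lines: the code defect that lets an attacker write into the database, and a sweep of every text column for the injected script tag. The script below is an added example written for this post, not code from Armorize or from any affected site; it uses Python’s sqlite3 in place of the SQL Server an ASP.NET site would use, the products table and its rows are constructed, and the script path PLACEHOLDER.js is an invented stand-in (only the two domains come from the post).

```python
import re
import sqlite3

# Domains this post names as the injected-link targets.
INJECTED_DOMAINS = ("jjghui.com", "nbnjkl.com")
# Matches <script ... src=...> and captures the script URL.
SCRIPT_TAG = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.IGNORECASE)


def open_sample_db():
    """Constructed sample: a tiny catalogue table where one description has
    a script tag appended, the way a mass injection would leave it."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    con.executemany(
        "INSERT INTO products (name, description) VALUES (?, ?)",
        [
            ("Widget", "A plain widget."),
            ("Gadget", 'A gadget.</title><script src="http://jjghui.com/PLACEHOLDER.js"></script>'),
        ],
    )
    con.commit()
    return con


def search_vulnerable(con, term):
    """Vulnerable form: user input is concatenated into the SQL text, so the
    input can change the query's structure. This is the defect to audit for."""
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in con.execute(sql)]


def search_parameterized(con, term):
    """Hardened form: the term travels as a bound parameter and is only ever
    compared as data, never parsed as SQL."""
    return [row[0] for row in con.execute("SELECT name FROM products WHERE name = ?", (term,))]


def find_injected_scripts(con):
    """Walk every TEXT column of every user table and report rows whose text
    carries a <script src=...> pointing at one of the known domains.
    Table and column names come from the schema catalogue, not from users."""
    findings = []
    tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [c[1] for c in con.execute(f"PRAGMA table_info({table})") if c[2].upper() == "TEXT"]
        for col in cols:
            for rowid, value in con.execute(f"SELECT rowid, {col} FROM {table}"):
                for m in SCRIPT_TAG.finditer(value or ""):
                    if any(d in m.group(1) for d in INJECTED_DOMAINS):
                        findings.append((table, col, rowid, m.group(1)))
    return findings


if __name__ == "__main__":
    db = open_sample_db()
    probe = "x' OR '1'='1"
    print("vulnerable query returned:", search_vulnerable(db, probe))
    print("parameterized query returned:", search_parameterized(db, probe))
    for table, col, rowid, url in find_injected_scripts(db):
        print(f"injected script in {table}.{col} row {rowid}: {url}")
```

The same probe string returns every row from the concatenated query and nothing from the parameterized one, which is the whole point of the audit: any query built by string concatenation from request data is a candidate for the write that planted the tags. Cleaning the rows is necessary but not sufficient; until the concatenation is gone the attackers simply re-inject.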

German Police using Droid Trojan to spy on citizens

A backdoor Trojan that is capable of monitoring online activity and recording Skype calls has been detected – and is allegedly being used by the German police force.

The courts in Germany have permitted the use of the Bundestrojaner to record Skype calls if the police have legal permission for a wiretap.

The Chaos Computer Club (CCC) have been researching this and have stated that, “The malware can not only siphon away intimate data, but also offers a remote control or backdoor functionality for uploading and executing arbitrary programs.”

CCC also stated in their research, “The Trojan can, for example, receive uploads of arbitrary programs from the internet and execute them remotely. This means an upgrade path from Quellen-TKÜ to the full Bundestrojaner’s functionality is built in right from the start.”

CCC finished by saying that control of the PC is not only open to the agency or police force that put the Trojan there but, due to poor design, may allow others to take control of the machine too.
A spokesperson from CCC said, “We were surprised and shocked by the lack of even elementary security in the code. Any attacker could assume control of a computer infiltrated by the German law enforcement authorities. The security level this Trojan leaves the infected systems in is comparable with it setting all passwords to ‘1234’.”

CCC said, “The clandestine infiltration of IT systems by government agencies must stop. At the same time we would like to call on all hackers and people interested in technology to further analyse the malware, so that at least some benefit can be reaped from this embarrassing eavesdropping attempt.

“Also, we will gladly continue to receive copies of other versions of government malware off your hands.”

F-Secure’s chief research officer said: “We do not know who created this backdoor and what it was used for. We have no reason to suspect CCC’s findings, but we can’t confirm that this Trojan was written by the German government. As far as we see, the only party that could confirm that would be the German government itself.”

Security company Sophos has also stated that its research shows the Trojan can be used to eavesdrop on a number of common applications such as Skype, Yahoo Messenger and MSN Messenger. It can also keylog a number of common browsers such as IE and Firefox, and can take screenshots of the user’s screen.

F-Secure is detecting this backdoor as Backdoor:W32/R2D2.A. The name R2D2 comes from a string inside the Trojan, ‘C3PO-r2d2-POE’.


UPDATE:

German officials have now admitted to using the above-mentioned Trojan to spy on citizens. Officials from Bavaria and other states have admitted to using the Trojan, which may be in breach of German wiretapping law.

Bavarian Interior Minister Joachim Herrmann believes the police acted within the law’s parameters but will investigate the matter of R2D2’s use.
German law permits the use of spy software by government officials in order to combat terrorists and criminals. Wiretapping is legal, but courts need to approve its use in all cases.