Friday, December 28, 2007

Tragedy = Opportunity


Not a full 24 hours after the tragic assassination of Benazir Bhutto, former Pakistani Prime Minister, malware authors have begun to take advantage of the news to deliver their ever-malicious payload. This one arrives via an infected website that claims to have a video of the assassination. There's only one problem: you need a new codec to play the video, and that "codec" is actually malicious JavaScript that downloads additional malware.

Thursday, December 20, 2007

The Dutch Arrest 14 Mules


Today the Dutch arrested 14 suspected money "mules" involved in a money laundering scheme. These mules were working for none other than our buddies over at the RBN, the Russian Business Network, which is notorious for hosting many sites that serve up malware and phishing fronts. This time, operating from their newly acquired Hong Kong servers, the heads of this operation were luring in account holders of the ABN AMRO Private Banking community. After phishing their account information, money was routed directly from the victims' accounts to the mules' accounts, and from there forwarded on to Russia as well as other countries. It seems pretty obvious that you're the fall guy in this kind of money-transfer arrangement, and not realizing that you are the first one in line to go to prison while the people actually receiving the stolen funds from you are often in the clear seems a little dim-witted to me. Oh well. Though in their defense, they could have been victims of a very recent recruitment scheme pretending to be the Red Cross looking to hire "donation collectors". I guess when you mix desperation for money with laziness, or the inability to work, you can find quite a few people easily talked into this sort of thing.
On another phishing-related side note, the authors of a very popular underground phishing tool known as Pinch were arrested and are awaiting trial. The tool's several variants were very "professional", as was the way it was sold and supported in the underground. It was a trojan that could easily root its way into most computers and begin uploading account information to the controller's computer. The software came with very easy-to-use tools that would parse the data and make online theft a breeze. Good riddance.

Wednesday, December 19, 2007

When Pushdo Comes to Shove (Storm's New Rival)


A new botnet-distributed rival to the Storm Worm has really been making a name for itself. It's known as the Pushdo family of Trojans. Much like Storm, the Pushdo family distributes itself via fake e-cards and attachments pretending to be pictures of nude celebrities.
The author obviously took a look at what Storm was doing and decided to replicate much of its behavior. We saw the first evidence of Pushdo in early September, 9 months after Storm's debut.
The Pushdo author takes great care to vary the trojan's code with each release to avoid generic detections: changing the first few bytes of the code, adding junk instructions, or simply reordering all of the commands and calls to its API core. This has been very effective, and has ensured that at least an initial wave of each release reaches its targets, because AV vendors were acting strictly on a reactive basis.
Once inside your machine's memory, this trojan attacks Windows-based PCs, beginning by acting as a malware dropper. It analyzes your system to decide on the best payload to drop according to what software you're running. It then takes hold of your browser to download additional malware to the party, not to mention the system files it drops to remain stealthy. A very familiar route nowadays.

Thursday, December 13, 2007

A DDoS of the Spam Kind

Starting in the early (to me) morning on Monday, we began noticing much higher traffic patterns than normal. As it turned out, it was a bot-driven directory harvest attack. Its goal was to collect valid email addresses for use in later spam campaigns, or possibly to sell to other spammers. What set this particular attack apart was the way it was programmed to handle the initial SMTP call and response.
Normally with obvious bad traffic, "...we just tell them to go away and it gets logged and everybody is happy. This new botnet does not take no for an answer. It is programmed to come back and retry every 2 seconds on the dot, right down to the millisecond. It does not listen for SMTP prompts. It just simply times where the smtp prompts would be normally and tries to push spam data through. One thing it does seem to be listening for is valid "rcpt to" addresses in attempt to acquire more addresses to spam in the future. Pretty smart and rude at the same time," says Joel Smith, CTO of AppRiver.
I'm willing to bet that this was initially a mistake made on the part of the code monkey that wrote it, considering its extreme inefficiency. Normally spammers would rather slip in under the radar instead of exposing all of their brand new IPs to the world's RBLs before they even have a real chance to use them.
I have read reports from all over including the UK and Germany citing this wave of inadvertent "attacks", leading me to be sure of its botnet origins, and its untargeted nature.
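The behaviour described above (a fixed retry cadence, mostly unknown recipients, no regard for server prompts) is easy to pick out of mail logs. The following is an added example, not code from the original post or from AppRiver; the log format and the addresses are constructed for illustration, so the regex will need adapting to a real MTA's log lines.

```python
# Added example (not from the original post): flag directory-harvest sources
# in SMTP logs. The log format is constructed; adapt LINE_RE to your MTA.
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample: one bot retrying every 2 s against mostly unknown
# mailboxes, and one legitimate sender with a single typo.
SAMPLE_LOG = """\
2007-12-10 06:00:00 203.0.113.7 RCPT TO:<aaron@example.com> 550 user unknown
2007-12-10 06:00:02 203.0.113.7 RCPT TO:<abby@example.com> 550 user unknown
2007-12-10 06:00:04 203.0.113.7 RCPT TO:<adam@example.com> 250 ok
2007-12-10 06:00:06 203.0.113.7 RCPT TO:<alan@example.com> 550 user unknown
2007-12-10 06:00:08 203.0.113.7 RCPT TO:<alex@example.com> 550 user unknown
2007-12-10 06:00:10 203.0.113.7 RCPT TO:<amy@example.com> 550 user unknown
2007-12-10 06:01:00 198.51.100.20 RCPT TO:<adam@example.com> 250 ok
2007-12-10 06:05:30 198.51.100.20 RCPT TO:<adan@example.com> 550 user unknown
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ip>[\d.]+) RCPT TO:<[^>]*> (?P<code>\d{3})")

def parse(log_text):
    """Group (timestamp, SMTP reply code) pairs by source IP."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            per_ip[m["ip"]].append((ts, m["code"]))
    return per_ip

def find_harvesters(log_text, min_rcpts=5, max_valid_ratio=0.3, max_jitter=0.5):
    """Return {ip: stats} for sources that behave like a harvesting bot:
    many RCPT TO commands, most rejected as unknown users, sent at a
    near-constant cadence (the bot in the post retried every 2 s on the dot).
    """
    hits = {}
    for ip, events in parse(log_text).items():
        if len(events) < min_rcpts:
            continue
        valid = sum(1 for _, code in events if code.startswith("2"))
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        ratio = valid / len(events)
        if ratio <= max_valid_ratio and pstdev(gaps) <= max_jitter:
            hits[ip] = {"rcpts": len(events), "valid_ratio": round(ratio, 2),
                        "interval_s": round(sum(gaps) / len(gaps), 2)}
    return hits
```

Sources flagged this way are candidates for tarpitting or a temporary block rather than a plain 5xx reply, since a bot that ignores prompts will not honour the rejection anyway.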

Tuesday, December 11, 2007

The Hybrid 419er


These 419 scam artists can be so crafty at times. Not only have they moved on from what was essentially a scam form letter to scams that are sometimes harder to spot, but they have recently been seen incorporating a bit of hacking into their repertoire.
Scammers have recently been stealing log-in information for email accounts. They then use the victim's account to email everyone in the address book asking for personal loans. That seems like a good plan, but no matter how clever the new scheme may be, they always seem to add an idiot quality to it. Most of the purported scams of this nature have asked for loans of around $2500 in order to get out of a hotel in Nigeria. That must be one posh hotel, assuming your moron friend would have already purchased a round trip ticket. And who hasn't always wanted to vacation in Nigeria? Mmm, rampant crime and big game, who's gonna eat you first?

Monday, December 10, 2007

Flirting with Robots


A new warning for those of you who find yourselves on online dating forums. A fairly complex new bit of malware has been found making its rounds in the Russian circuit. It's called CyberLover, and its goal is to steal your information. Gold-digging robots?!
Apparently CyberLover's artificial intelligence is so good that people have a very difficult time differentiating the bot from real people in a chat window. The guise that you are talking to a real person may be enough for most people to lower their guard and do things they normally wouldn't do. Mike Greene, vice president of product strategy at PC Tools, says: "People are used to not opening attachments or maybe not clicking on a link that shows up in their IM. But this emulates a real conversation, so you are more likely to give over personal information, click on a link or send your photograph."
Apparently the software works pretty fast too, setting up 10 new "relationships" in about a thirty minute time span. It collects information such as names, contact information, and photos on everyone it meets.
Among CyberLover's creepy features is its ability to offer a range of different profiles from "romantic lover" to "sexual predator." It can also lead victims to a "personal" Web site, which could be used to deliver malware, PC Tools said.
So far CyberLover hasn't made it out of Russia, but it is expected to make its worldwide debut here shortly. Likely in February, around the 14th, I bet.

Tuesday, December 4, 2007

How Anonymous Are You?


Two researchers at Texas University recently released a paper showing that seemingly benign, supposedly anonymous information, or 'micro-data', can be combined with unrelated outside sources to de-anonymize the people in it. If that confuses you as much as it did me to write, stick with me.
The researchers proved their point using the NetFlix Prize micro-data database, which simply contained the movie ratings of 500,000 NetFlix subscribers sans names. This information is public, as most micro-data is nowadays, and is used for data-mining research and the like. They then took individuals' movie tastes, linked these quasi-identifiers to other public records, and were able not only to come up with names but, in some cases, addresses, social security numbers, and other potentially unsafe information.
Ok, I know you want them, so here are a couple examples of de-anonymizations of the recent past.
A Massachusetts hospital's discharge list was coupled with the state's public voter database to reveal sensitive information on the patients. Or, best of all, last year America Online's chief technology officer resigned after a massive dataset of 20 million searches performed by 658,000 people was published for use in research. The data was believed to be anonymized, but it revealed sensitive details of the searchers' private lives, including Social Security numbers, credit-card numbers, addresses, and, in one case, apparently a searcher's intent to kill their wife.
Take it how you'd like. I found it interesting, it does make sense, but I can think of much easier ways to get someone's sensitive information. Sometimes all you have to do is ask.
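The point of the NetFlix paper is that a handful of ratings act as a quasi-identifier even with names stripped. The following is an added example, not the researchers' code or data: a small check a publisher could run before releasing a ratings dataset, measuring how many records are pinned down by only k of their own ratings. The four-record dataset and movie names are constructed for illustration, and the rating tolerance stands in for the fuzzy matching the paper uses on imperfectly remembered auxiliary knowledge.

```python
# Added example (not from the paper or the post): measure how few movie
# ratings it takes to single out a record in a "de-identified" ratings
# release. The tiny dataset below is constructed for illustration.

# record id -> {movie: rating}; names are deliberately absent, as in the
# NetFlix Prize data.
RELEASE = {
    "r1": {"Heat": 5, "Amelie": 3, "Jaws": 4, "Alien": 2},
    "r2": {"Heat": 5, "Amelie": 3, "Jaws": 1, "Brazil": 4},
    "r3": {"Heat": 2, "Jaws": 4, "Alien": 5, "Brazil": 3},
    "r4": {"Amelie": 3, "Alien": 2, "Brazil": 4, "Jaws": 4},
}

def candidates(release, aux, tolerance=1):
    """Records consistent with auxiliary knowledge `aux` ({movie: rating}),
    allowing each remembered rating to be off by `tolerance` stars."""
    out = []
    for rid, ratings in release.items():
        if all(m in ratings and abs(ratings[m] - r) <= tolerance
               for m, r in aux.items()):
            out.append(rid)
    return out

def uniqueness_fraction(release, k, tolerance=1):
    """Fraction of records uniquely identified by their own first k ratings:
    a quick risk score for how 'anonymous' the release really is."""
    unique = 0
    for rid, ratings in release.items():
        aux = dict(list(ratings.items())[:k])
        if candidates(release, aux, tolerance) == [rid]:
            unique += 1
    return unique / len(release)
```

On this toy release, three ratings are enough to single out every record; on the real dataset the paper reports that a similarly small number of ratings, even with dates known only approximately, identified most subscribers.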