Tag Archives: Trojan

Researchers Estimate 600,000 Macs infected by Flashback Trojan





For anyone who doubted that Apple’s long grace period with cybercriminals is over, doubt no more: On Friday, researchers at Russian antivirus firm Kaspersky confirmed findings from another security firm earlier this week that more than 600,000 computers running Mac’s OSX are infected with the Flashback botnet, and half of those machines are in the United States.


Krebs On Security

The current custodian of Java – Oracle Corp. – first issued an update to plug this flaw and others back on Feb. 17. I suppose Apple’s performance on this front has improved, but its lackadaisical (and often plain puzzling) response to patching dangerous security holes perpetuates the harmful myth that Mac users don’t need to be concerned about malware attacks.



Kaspersky Lab

“The three month delay in sending a security update was a bad decision on Apple’s part,” said Kaspersky Lab’s Chief Security Expert, Alexander Gostev. “There are a few reasons for this. First, Apple doesn’t allow Oracle to patch Java for Mac. They do it themselves, usually several months later. This means the window of exposure for Mac users is much longer than PC users. This is especially bad news since Apple’s standard AV update is a rudimentary affair which only adds new signatures when a threat is deemed large enough. Apple knew about this Java vulnerability for three months, and yet neglected to push through an update in all that time! The problem is exacerbated because – up to now – Apple has enjoyed a mythical reputation for being ‘malware free’. Too many users are unaware that their computers have been infected, or that there is a real threat to Mac security.”


AOL Administration Center & Uniform Traffic Ticket Spammed Scams

“AOL Administration Center” spam comes from a spoofed email address; it is a classic example of Canadian Pharmacy spam.

Full text of the bogus email; the # in the subject line changes from message to message.

From: “AOL Administration Center (R)”
Subject: AOL Administration Center Notification #73916

You have 1 notification (#73916) from AOL Administration Center
Please follow the instructions to continue.
The AOL Mail Team

Click here to opt out of receiving future promotional e-mail messages from AOL or go to AOL Keyword:
Email Preferences and unsubscribe. This screen name cannot respond to replies.

Click here for other Important Information about Commercial E-mail from AOL or visit http://about.aol.com/email_information.
AOL Email, PO Box 65627, Sterling, VA 20165-8805.

“UNIFORM TRAFFIC TICKET” spam has been around for a while and continues to do the rounds. The email carries an attached file that contains a malicious Trojan horse.

Full text of the bogus email; the ID # in the subject line changes from message to message.

Date: Wed, 03 Aug 2011 12:42:23 +0530
From: “N.Y. State Department of Motor Vehicles”

New York State Department of Motor Vehicles


Local Police Code 5278


Time: 7:25 AM
Date of Offense: 10/10/2011

9690 Description of Violation

ACH ‘payment canceled’ spam

Resurgence of malicious ACH spam; the number in the message changes randomly from email to email.

Keep your anti-virus application up to date, and if the spam does arrive in your inbox, don’t click on any link in it or open any attachment.

The bad guys’ goal is to install a Zbot variant, a password-stealing Trojan that also contains back door functionality. In other words, the criminal gains unauthorized access to, and control of, the infected computer.
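The three campaigns above share one trait: the text is fixed and only a numeric token changes, which is exactly what a subject-template fingerprint can normalize away. The Python below is an added example, not code from the original post: it replaces digit runs with a placeholder to match subjects against known campaign templates and flags a From display name that claims a brand whose domain the address does not use. Only the AOL subject is quoted on the page; the traffic-ticket and ACH subject templates, the brand-to-domain table and the sample headers are constructed for the example.

```python
import re
from collections import Counter
from email.utils import parseaddr

# Subject templates of the campaigns described above, with the number that
# changes from message to message replaced by <N>. Only the AOL subject is
# quoted on the page; the other two templates are constructed stand-ins.
SPAM_TEMPLATES = {
    "AOL Administration Center Notification #<N>": "AOL pharmacy spam",
    "UNIFORM TRAFFIC TICKET ID: <N>": "Traffic ticket (Trojan attachment)",
    "ACH payment canceled <N>": "ACH spam (Zbot)",
}

# Brand word found in a From display name -> domain mail for that brand
# should come from. Constructed mapping for the example.
BRAND_DOMAINS = {"aol": "aol.com", "motor vehicles": "dmv.ny.gov"}


def normalize_subject(subject):
    """Collapse whitespace and replace every run of digits with <N>."""
    return re.sub(r"\d+", "<N>", " ".join(subject.split()))


def match_template(subject):
    """Return the campaign label for a subject, or None if it is unknown."""
    return SPAM_TEMPLATES.get(normalize_subject(subject))


def display_name_mismatch(from_header):
    """True when the display name claims a brand but the address domain
    is not that brand's domain (display-name spoofing)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return any(brand in name.lower() and domain != good
               for brand, good in BRAND_DOMAINS.items())


def triage(from_header, subject):
    """Reasons to quarantine one message; an empty list means no signal."""
    reasons = []
    label = match_template(subject)
    if label:
        reasons.append("subject matches campaign template: " + label)
    if display_name_mismatch(from_header):
        reasons.append("From display name claims a brand its domain does not match")
    return reasons


def cluster(subjects):
    """Count messages per normalized template, so a burst of one campaign
    shows up as one line instead of hundreds of distinct subjects."""
    return Counter(normalize_subject(s) for s in subjects)
```

Run `cluster()` over a day's subjects to see campaign volume and `triage()` per message to decide what to quarantine.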



Researchers obtain sample of ZeuS-SpyEye Banking Trojan code

Security researchers at Trend Labs have acquired the first sample of the code. It includes “Anti-Rapport: A built-in option to evade Rapport Trusteer software”, Rapport being a security application offered to customers of many banks as a defense against banking Trojans.

A Closer Look at Rapport from Trusteer
29 April 2010

Mergers and Acquisitions in the Malware Space
26 Oct 2010

Malware aimed at employment opportunities posted on-line

Internet Crime Complaint Center (IC3)

Recent FBI analysis reveals that cyber criminals engaging in ACH/wire transfer fraud have targeted businesses by responding via e-mail to employment opportunities posted online. Recently, more than $150,000 was stolen from a US business via unauthorized wire transfer as a result of an e-mail the business received that contained malware. The malware was embedded in an e-mail response to a job posting the business placed on an employment website and allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company. The malicious actor changed the account settings to allow the sending of wire transfers, one to the Ukraine and two to domestic accounts. The malware was identified as a Bredolab variant, svrwsc.exe. This malware was connected to the ZeuS/Zbot Trojan, which is commonly used by cyber criminals to defraud US businesses.

The FBI recommends that potential employers remain vigilant in opening the e-mails of prospective employees. Running a virus scan prior to opening any e-mail attachments may provide an added layer of security against this type of attack. The FBI also recommends that businesses use separate computer systems to conduct financial transactions.


Manhattan U.S. Attorney charges 37 in ZeuS Banking Fraud

FBI Press Release September 30, 2010

According to Complaints unsealed today in Manhattan federal court, the cyber-attacks began in Eastern Europe, and included the use of a malware known as the “Zeus Trojan,” which was typically sent as an apparently-benign e-mail to computers at small businesses and municipalities in the United States. Once the email was opened, the malware embedded itself in the victims’ computers, and recorded their keystrokes—including their account numbers, passwords, and other vital security codes—as they logged into their bank accounts online. The hackers responsible for the malware then used the stolen account information to take over the victims’ bank accounts, and made unauthorized transfers of thousands of dollars at a time to receiving accounts controlled by the co-conspirators.

These receiving accounts were set up by a “money mule organization” responsible for retrieving the proceeds of the malware attacks and transporting or transferring the stolen money overseas. To carry out the scheme, the money mule organization recruited individuals who had entered the United States on student visas, providing them with fake foreign passports, and instructing them to open false-name accounts at U.S. banks. Once these false-name accounts were successfully opened and received the stolen funds from the accounts compromised by the malware attacks, the “mules” were instructed to transfer the proceeds to other accounts, most of which were overseas, or to withdraw the proceeds and transport them overseas as smuggled bulk cash.

The defendants charged in Manhattan federal court include managers of and recruiters for the money mule organization, an individual who obtained the false foreign passports for the mules, and money mules.

As part of the coordinated takedown earlier today, federal and local law enforcement officers arrested 10 of the defendants. Another 10 were previously arrested. The defendants taken into custody in New York today are expected to be presented in Manhattan federal court later this afternoon. Seventeen defendants are still being sought here and abroad.

Wanted poster of fugitives

Charges against each defendant and corresponding maximum potential penalties.

CyberCrime & Doing Time Blog: FBI’s Operation ACHing Mule

Nineteen Arrested in £20 million ZeuS Banking Fraud

Officers arrested 15 men and four women aged between 23 and 47 on suspicion of offences under the Computer Misuse Act, Proceeds of Crime Act and Fraud Act.

Detective Chief Inspector Terry Wilson told the Mail that the Virtual Taskforce worked closely with several UK banks to gather the evidence and information needed to shut down the operation.

“We believe we have disrupted a highly organised criminal network, which has used sophisticated methods to siphon large amounts of cash from many innocent people’s accounts, causing immense personal anxiety and significant financial harm – which of course banks have had to repay at considerable cost to the economy,”

ZeuS Tracker: Monitor. https://zeustracker.abuse.ch/monitor.php?filter=online

Zeus botnet vendor toolkit vulnerability

Security researcher Billy (BK) Rios has discovered a vulnerability in the Zeus botnet toolkit which would allow the command and control channels to be hijacked. The C&C channels send instructions and software updates to compromised computers which often number in the hundreds of thousands.

In the spirit of responsible disclosure, Rios attempted to inform the vendor, apparently to no avail:

“With no other alternative and an email inbox full of spam, I have no choice but to provide full disclosure of the vulnerability to the public.”

Full story: http://xs-sniper.com/blog/2010/09/27/turning-the-tables/

Malware targets Starcraft 2 Gamers

Microsoft Malware Protection Center
Malware Plays Starcraft 2

Starcraft 2 is gaining popularity not only for gamers but also for malware writers. We wrote about Starcraft almost two months ago when it was first released. Now, apparently, it is also being used as part of a social engineering technique by a downloader family called Harnig. Harnig is employed by many other types of prevalent threats (Bubnix, FakeSpypro, Koobface) to download their malware into computers.
Included in the Microsoft Malicious Software Removal Tool (MSRT) since October 2006, Harnig is one of the most prevalent malware families. In August 2010 alone, more than 140,000 files were detected as Harnig.gen!P.