Keyloggers Used in $400,000+ Theft

"Sholar said the unauthorized transfers appear to have been driven by 'some kind computer virus.'"

This is how Walt Scholar, County Attorney of Bullit County, Kentucky, describes what lead to $415,000 being stolen from Bullit County's bank. 

A malicious trojan keylogger is apparently to blame, but the cyber criminals definitely knew what they were doing. According to the Washington Post's "Security Fix" story on the trojan,

"'...the criminals stole the money using a custom variant of a keystroke logging Trojan known as "Zeus" (a.k.a. "Zbot") that included two new features.

'The first is that stolen credentials are sent immediately via instant message to the attackers.

'But the second, more interesting feature of this malware, the investigator said, is that it creates a direct connection between the infected Microsoft Windows system and the attackers, allowing the bad guys to log in to the victim's bank account using the victim's own Internet connection.'"

It doesn't really get much uglier than that, as that's enough to defeat all but the most complex bank and credit card consumer protections. As the piece goes on to point out, it's really only the commercial banks that have the resources to protect their customers with even more robust mechanisms.

"Many online banks will check to see whether the customer's Internet address is coming from a location already associated with the customer's user name and password, or at least from a geographic location that is close to where the customer lives.

"By connecting through the victim's PC or Internet connection, the bad guys can avoid raising any suspicions."

All-in-all, it's really a truly fascinating story with excellent coverage in the Security Fix blog, and it's a reminder of four things to me:

  1. run antivirus software (preferrably an Internet security suite)
  2. keep them updated
  3. listen to them when they complain

For a very brief version of the heist at virusbtn.com:
Keyloggers used to loot US county

For slightly more thorough coverage at theregister.co.uk:
Kentucky payroll phishing scam nets small fortune


Research into the Workings of Real Botnets

For starters, let's define what a botnet is:

Loosely speaking, a botnet is a network of computers which have been taken control of for the purpose of malicious use.

Typically, PC users whose computers have been compromised are complete unaware their computers are infected with malware. Once infected, the botnet operators have complete control of your computer and are able to use it to do their bidding, almost always without your knowledge.

Botnet operators use compromised PCs for things like: stealing credit cards, stealing banking passwords, sending spam, and identify theft. If your computer has been infected, your machine might be sending spam, and chances are you'd never know it.

"WHAT?! How is this possible?" some users ask. "Wouldn't I know when someone was on my computer when I'm already on it?"

No. You wouldn't know. Here's why:

There are a ton of different things running at all times on your computer without your knowledge. For instance, there's your network card that makes it possible for you to connect to the Internet; there are your USB ports that make all sorts of things possible like printing; there are the drivers that make your keyboard, mouse, sound card, and video card(s) work.

Each of these things is at work even though you don't know it. They all run silently in the background, (usually) obediently doing their respective job. You'd never really know your network card was receiving a signal, per se, you just know the Internet works.

Such is the case with botnet software: it works in the background, sending and receiving signals, all the while without your knowledge (especially if you're not running antivirus software.)

That's where this newly released botnet research data makes things interesting.

The folks at the Sandia National Labs in Livermore, California, are building a huge botnet research network of over 1,000,000 virtual machines on a Dell supercomputer.

With this research network, according to the New York Times, Sandia Labs plans to study how botnets work so they can be more effectively fought and defeated.

The reason it's so hard to figure out what's going on is because it's hard to get perspective on the networks. Sure, you might be able to see what's going on on an infected machine, or even a dozen, but given that botnets can easily exceed 1,000,000 computers, seeing what the entire network is doing (or at least a big chunk of it) is pretty much impossible.

"'When a forest is on fire you can fly over it, but with a cyberattack you have no clear idea of what it looks like," said Ron Minnich, a Sandia scientist who specializes in computer security.

"'It's an extremely difficult task to get a global picture.'"

Hopefully, the end result will be a much better perspective of how botnets work and a clearer understanding of what it takes to defeat them.


Sunbelt Software Joins Fight Against Malware

We came across some great news today on darkREADING.com: Sunbelt Software, makers of VIPRE, our top-rated best antivirus program for 2012, is joining Trend Micro and others in contributing data to StopBadware.org. 

StopBadware, which has its home at Harvard University's Berkman Center for Internet & Society, is described in the article on darkREADING's efforts to fight malware as a,

"collaborative initiative to combat viruses, spyware, and other bad software...."

The process StopBadware uses is perhaps the largest of its kind. The idea behind it is simple:

"...[collect] the URLs of these badware websites, whether malicious or compromised, from its data partners.

"It uses the information to support and encourage site owners and web hosting companies in cleaning up and protecting their sites.

"The initiative also conducts analysis of infection trends, offers independent reviews of its partners' findings, and operates a community website, BadwareBusters.org, that provides help to people who have been victims-or wish to avoid becoming victims-of badware."

Obviously, we're happy to see any collaborative effort to thwart and stop any viruses or other malware, but this one garners special attention for several reasons, including who's involved:

  • Trend Micro (maker's of Trend Micro AntiVirus)
  • GFI/Sunbelt Software (makers's of VIPRE antivirus)
  • Harvard's Berkman Center
  • Paypal
  • Mozilla (maker's of Firefox and Thunderbird)
  • AOL
  • ...and last and not least:
  • Google

  • As for Sunbelt's role in the project, they will be contributing,

    "...research data via ThreatTrackT, a comprehensive array of malicious url and malware data feeds.

    "The data in these feeds is derived from multiple sources including: research from Sunbelt Labs; ThreatNetT, Sunbelt's VIPRE user community that anonymously sends information on potential threats to Sunbelt Labs"

    What this means to users like you and me is that by sending malware and viruses that your Trend Micro AntiVirus and Sunbelt VIPRE catch to the respective companies, you're helping the project to ensure someone else doesn't get nailed with that same--or a similar--virus.

    In turn this means that when many people across the globe are sending in their samples to the project, too, they're helping you.


    Microsoft ActiveX Bug Targets Internet Explorer & Excel

    Sad to say, the bad guys are at it again.

    Computerworld brings news of a new, as yet unpatched ActiveX bug that's being exploited to compromise PCs.

    Already because of these attacks, threat conditions have been raised by several antivirus vendors including, Sunbelt, makers of VIPRE; Symantec, makers of Norton AntiVirus; and makers of McAfee VirusScan.

    Antivirus Vendor Threat Details Page
    Sunbelt Sunbelt Security Blog
    Symantec Symantec ThreatCon
    McAfee McAfee Avert Labs

    Additionally, SANS.org's ISC (Internet Storm Center), temporarily went to condition yellow, with the release of this ISC Diary Entry called, Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution.

    Here are some key highlights from ISC's Diary entry,

    • "The vulnerability is being actively exploited on web sites."
    • "One other obvious mitigation step is to use an alternate web browser (as in other than IE) that does not make use of ActiveX." [AVR Editor's Note: If you haven't already tried Mozilla Firefox, we recommend you download Firefox and give it a try.]
    • Attack vectors include,

      "A .cn [Chinese] domain using a heavily obfuscated version of the exploit." [AVR Editor's Note: The key word here is "obfuscated." You may not even know you're on a Chinese domain being infected with this virus when it happens.]
    • Another attack vector mentioned was, "A highly targeted attack against an organization earlier today who received a Microsoft Office document with embedded HTML.

      "This one was particularly nasty, it was specifically crafted for the target - with the document being tailored with appropriate contact information and subject matter that were specific to the targeted recipient.

      "Analysis of the document and secondary payload found the attacker used a firewall on the malicious server so that all IP traffic outside of the targeted victim's domain/IP range would not reach with the server."

    Regrettably, as with many things, the bad guys beat Microsoft to the punch, and a patch for the security vulnerability hasn't yet been released.

    In the mean time, Microsoft has a manual Active X Vunlerability Workaround [AVR Editor's Note: Look for 'Enable workaround' beneath the 'Fix it for me' section'.]

    Here are further details of Microsoft Security Advisory on the MS Office ActiveX Vunerability.


    Is free antivirus software worth it?

    That may sound like a funny question, but it's one worth asking.

    I'll avoid the cliche of, "you get what you pay for," because all too often in life that's just not true. Often you end up with something wonderful and inexpensive or something that's mediocre and expensive.

    Instead I'll quote David Hall, Symantec's Asia-Pacific Customer Manager, who said in speaking to BLORGE (a self-described "team of experienced writers from around the world") recently about free antivirus software,

    "'Imagine what it must be like for somebody who is not actually charging to be able to pay their security researchers to be able to keep up.

    'We’ve made more virus definitions last year than we have in the last 10 years.'"

    This is only half the battle as far as we're concerned.

    We've discussed the topic of free antivirus software reviews on our site before, and now that Symantec's exec has also shined some light on the subject, I felt it was a good time to add some other considerations to the subject.

    Another significant thing about free antivirus software is: what's missing from free antivirus software?

    As we've shown in our reviews and our new head-to-head antivirus comparisons, there is a huge difference in support from one antivirus vendor to the next.

    And, it's not even a case of you-get-what-you-pay-for, as the software we've rated the 2012 best antivirus software, VIPRE, is also one of the cheapest antivirus software applications made and it has the best support, too.

    That said, back to the question: what is missing from free A/V programs?

    Some free antivirus programs are lesser offerings from commercial vendors. The biggest "gotchyas" with such offerings are:

      consideration what it means to you
    1. Are you getting the maximum protection from the free version of a company's software? Free antivirus software from commercial vendors are "stripped down" versions of their commercial software offerings.

    What protection are you missing with these stripped down versions?
      1. rootkit detection
      2. IM/chat client protection
      3. firewall software
      4. antispam
      5. identity protection
    2. Commonly, things like:
    2. Where do you turn for support? Commonly, there is little, if any, real support for free antivirus software.

    You're at the mercy of: the search engines, forums, newsgroups

    If you can't get the answer there, you have no alternative short of taking your computer in to your local computer repair center, i.e. Best Buy, etc. or calling your geek friend/relative/neighbor.

    [With the former, you're always going to be paying *far* more for the support from a repair center than you would have paid for commercial antivirus software to begin with.

    With the latter, the geek friend/relative/neighbor, we're (almost) always happy to help the first time or two that it happens, but after that, believe me, offering free tech support to friends/family gets old. Fast.]

    You're also at the mercy of their relative skill levels, too, and as good as they may advertise themselves as or seem to be in speaking with them, do you really want to trust the removal of a virus to someone who isn't an antivirus technician?
    3. What about licensing? With many free antivirus programs, you can only use the free versions in home and non-commercial environments.

    This means if you work from home, many free A/V programs cannot legally be used.

    [Sure, maybe you're "fine" using this software as long as you don't get caught, you justify to yourself, but that's not the point.

    If your livelihood depends on the software, and it's not to be used in a commercial environment for free, you should pay for it. Otherwise you're stealing.]

    Microsoft Security Essentials / Morro

    What about Morro / Microsoft Security Essentials, the new free antivirus software from Microsoft?

    In the same article at tech.blorge.com, Symantec's Hall says,

    "'Microsoft’s free product is basically a stripped down version of the OneCare product Microsoft pulled from retail shelves.'

    'Consumers don’t need less protection, they need more.'"

    Agreed. In 2009, the threats to consumers' and business' computers from viruses, worms, trojans, and such are only getting smarter, more prevalent, and harder-to-detect.

    There are so many important considerations with antivirus software, but here are just a few:

    1. prevention / detection of:
      • viruses
      • rootkits
      • spyware
      • worms
      • trojans
      • keyloggers
    2. Fast antivirus updates
    3. (and updates to all of the above, too)
    4. Tech support in ways you need it
      • Phone
      • Chat
      • Email
      • Knowledge base
    5. Ongoing development

    6. (Microsoft, for instance, abandoned OneCare, their previous A/V offering. What will happen with Morro / Microsoft Security Essentials given that it's free? Microsoft is definitely in business to make money, but how can they with a completely free product? Or will they start charging for it? Or will it, too, get abandoned and see no ongoing development?)

    The bottom line is this: is protecting your computer from viruses and other security threats worth $20 or $30 a year?

    This might just be a case of "you-get-what-you-pay-for" after all.


    Kaspersky Labs Wins Precedent-Setting Case Against Adware / Spyware

    Late June brought a victory--and some delightful news--to those looking to put a little sanity into the adware / spyware front.

    It should be no surprise to regular readers that we feel that labeling adware as spyware is a logical thing to do. While many adware purveyors take umbrage at the notion that they're spyware, since many don't report the visitor's activities back to a central server, we don't.

     That's splitting hairs as far as I'm concerned. 

    Any software that records your actions and, no matter how loosly, takes action now or later based upon what your actions are/were, that software is spying on you--even if it's just serving ads.

    What's important about the Kaspersky legal victory is that it deals with the adware/spyware Zango.

    According to the Kaspersky press release about Zango, where Kaspersky Lab Americas President, Steve Orenberg says,

    '"...we feel it’s our responsibility to warn a user when we classify an application as malicious, thus giving the user the choice to stop the application or let it run.

    "We are thrilled with the outcome of this case because it supports the key message of the information security industry ‐‐ consumer protection comes first and that a legal suit cannot force a vendor to classify a potentially malicious program in a certain way."'

    What Kaspersky was hoping for, and got, was so-called "Good Samaritan immunity."

     This means Kaspersky's users can be notified if this software is on their computers via the Kaspersky Antivirus spyware detection mechanism (which we rate highly). At that point it's up to the user to keep or block Zango. 

    What the court decided, among other things, is that it's your choice.

    This is a real victory for anyone--software vendor or consumer--who wants to keep crapware off their computers. Zango isn't a virus to be sure, but it may be spyware, and it's most definitely adware.

    If you want Zango, and you're running Kaspersky antivirus software, keep it; if you don't block it. Seems logical to me.