SpyEye is Back to Steal Your Money

Back in 2010 a very clever and sophisticated botnet kit called "SpyEye" hit the hacking world. Over the next couple of years, this malware package was responsible for over $100 million stolen from small to mid-sized businesses in the US and abroad.

What is SpyEye?

If it weren't so evil, it would be ingenious. Basically, it's a software package that can be modified to do many different (and devious) things. It is sold, bought, and passed around from hacker to hacker, and each buyer can tailor it (the kit ships with a builder and takes plugins) to do their bidding.

Here are just a few examples of what SpyEye, and the offspring of SpyEye, can do:

  • Form-grabbing -- steals any information you enter into a browser form: like banking websites.
  • POP3 Grabbing -- steals your POP3 email credentials to harness your email client for all kinds of nasty business.
  • FTP Grabbing -- steals your FTP login credentials in order to hack into your servers.
  • CC Autofill -- looks like a legitimate credit card form field, but ultimately steals your credit card information.
  • PHP-MYSQL -- hacks into your server database to gather virtually everything your business has in the db (which is almost always everything).
  • Invisibility -- Invisible in processes list, hides itself as a hidden file, invisible in your registry.

SpyEye is often mentioned in the same breath as the infamous "Zeus" botnet, which stole millions of dollars. Zeus is actually the older of the two: SpyEye started life as a rival kit, and in late 2010 the Zeus author handed his source code to SpyEye's developer, so later SpyEye builds absorbed Zeus code rather than the other way around.

That's just the tip of the iceberg. If stealing your bank information (and money) wasn't enough, there's a new version of SpyEye proving to be even more frightening.

Early detections show that this new version tricks you into installing a small bot that takes control of your webcam and microphone. Why? According to Dancho Danchev of ZDNet, this looks like a testing ground to break into the facial recognition login feature that banks may use in the future.

That's right, this SpyEye version is trying to get ahead of the game by figuring out how to defeat facial recognition software when (or if) it becomes a reality for online banking.

We'll have to wait and see if that comes to fruition, but the point is, hackers are alive and well. They're looking for security holes, and for new technologies to exploit.

Well, almost all of them. The good news is, authorities in many countries are taking cybercrime very seriously. Just recently, British police busted a Baltic hacker trio that was actively stealing from UK banking customers. They got away with over £100,000 before they were caught, and that was only three guys.

Earlier this year, Microsoft, escorted by US Marshals, seized a cache of botnet servers whose operators were using over 800 domains to steal banking info.

The other good news is, antivirus software companies quickly moved to block and protect against future SpyEye and Zeus hacks.

If your antivirus software is up to date, chances are you're probably fine. But don't get too comfortable, being protected by software is just the first step. You need to be a smart user and be wary of clicking on suspicious links -- either online or in your email. SpyEye is sneaky and doesn't always look like malware.

People have been fooled into clicking fake Justin Bieber news, fake Facebook pages, and other dirty tricks. Resist the urge to instantly click on a link. Hover over it. Does it look legitimate? Do you know who sent you the email? If Justin Bieber was really in a car crash, you can easily confirm it with a simple search.

Stop, think, be cautious. That's just as important as having good antivirus software.


Mac OS X Flashback Trojan Fix in the Works by Apple

Today Kaspersky's Dennis Fisher brings news that Apple is developing a Flashback Trojan Fix.

First a little clarification about the trojan: this infection is caused by a security flaw in Oracle's Java and isn't a hole in OS X per se. That said, the biggest surprise about the trojan for most people is that Flashback has been around in one form or another for more than six months now.


As most of us know by now, more than 600,000 Macs running OS X have been infected, so this isn't a tiny one-off threat. It's a bona fide Mac botnet.

This is really the first time Apple finds itself in a position Microsoft mastered long ago: how to handle the three prongs of dealing with a virus outbreak:
  1. customers
  2. security researchers
  3. virus writers

As for the official word from Apple, there's now a document on Flashback malware at Apple's support site.

Unfortunately, it's really nothing more than a statement that Apple is developing software that will detect and remove the Flashback malware.

They do, however, give a good link on how to disable Java in your Mac's browser preferences.

Personally, I don't have Java enabled--never have--and if I find there's some content that requires Java, I turn it on manually for that one site then disable it again.

After all, Java is not the same as JavaScript, and since so few sites rely on Java, there's very, very little you'll be missing out on by disabling Java altogether. And heck, if you need it, turn it back on, and shut it off when you're done.


Nearly 600,000 Macs Hit with Flashback Trojan Malware

Many a blog have I written about the necessity of Mac antivirus software, hoping to get at least a few people to drop their delusions about how the Mac and Apple's OS X are impervious to viruses.

Now, don't get me wrong, I'm not trying to start a PC vs Mac flame war/battle. Really. (They're useless.) Nor do I want this to be an, "I told you so."

What I am saying is this: If it has a CPU, chances are at or near 100% that a virus can be written to attack that computer. It's only a matter of time 'til it happens. And, yes, some computers, operating systems, and software are inherently more secure.

Even still, it's important to realize "more secure" doesn't mean "secure."

In a way, we should consider ourselves lucky. Like the MacDefender fake antivirus malware, this one is also getting a lot of coverage in the press and elsewhere, so it's raising the specter of viruses becoming mainstream for the Mac like they are for the PC.

And with that knowledge comes greater understanding of what can be done to protect ourselves. In this case the understanding came because Russian antivirus firm Dr. Web uncovered the 550,000-strong botnet that spread via Trojan Backdoor.Flashback.39.

F-Secure also has a good write-up / manual removal instructions on how to remove the Trojan-Downloader:OSX/Flashback.I.

And, if you're a Mac user and you haven't yet gotten it, Apple has an important Java security update. (A Java exploit is the channel through which the trojan infects the Mac to begin with.)

My $.02, if you're looking for antivirus software for your Mac, our testing is incomplete, but so far we like BitDefender Antivirus for Mac, so if you're in the market, take a look.


Turns out this Mac Trojan isn't some little deal. The folks at F-Secure have found out Mac Trojan Flashback.B Checks for virtual machine!

What's so significant about that?

Nearly all antivirus researchers rely heavily on virtualization software like Virtual PC, VMware, Parallels, VirtualBox and others to help their research.

Using virtualization software allows the researchers to investigate viruses with the added safety net of doing so in a contained environment. And, in doing so they're able to more easily explore the innards of many viruses.

The malware writers for Windows have figured this out, and many of the most advanced viruses check whether they are running inside a virtual environment (looking for hypervisor vendor strings in the hardware tables, virtual-NIC MAC prefixes, guest-tools drivers and the like) and, if so, shut down or behave innocuously, thus making research slower, more tedious, and a lot more difficult.

This is one of those things that's been going on in the Windows virus arena for a long, long time. What's really unexpected though is that it's already showing up in a Mac virus, which on a couple of levels means virus writing is a lot more advanced for the Mac than many virus researchers--and certainly the general public--ever imagined.
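For anyone who wants to see what such a check actually looks for, here is an added example, my own illustration rather than code from Flashback or from F-Secure's write-up: a small Python re-implementation of the usual tells a VM-aware sample inspects, the hypervisor vendor strings in the DMI/SMBIOS tables, the MAC address prefixes the big hypervisors assign to virtual NICs, and the vendor string CPUID reports when a hypervisor is present. For a researcher the point is the inverse of the malware's: if your analysis box lights up on these, the sample may notice too. Under `__main__` the DMI strings and MAC come from the running Linux host; the values in the test data are constructed.

```python
import re
import uuid

# Vendor strings that typically show up in a guest's DMI/SMBIOS tables
# (sys_vendor, product_name, board_vendor, ...).
HYPERVISOR_DMI_STRINGS = (
    "VMware", "VirtualBox", "innotek", "QEMU", "KVM", "Xen",
    "Parallels", "Virtual Machine", "Bochs", "Hyper-V",
)

# Organisationally Unique Identifiers (first three bytes of the MAC) that
# the major hypervisors hand out to virtual NICs.
HYPERVISOR_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware",
    "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:1c:42": "Parallels",
    "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
}

_MAC = re.compile(r"([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})(?:[:-][0-9a-f]{2}){3}")


def oui_vendor(mac):
    """Hypervisor name for a MAC's OUI, or None if it is not a known virtual NIC."""
    m = _MAC.fullmatch(mac.strip().lower())
    if not m:
        return None
    return HYPERVISOR_OUIS.get(":".join(m.group(1, 2, 3)))


def dmi_vendor(text):
    """Hypervisor name if a DMI string contains a known vendor marker, else None."""
    for needle in HYPERVISOR_DMI_STRINGS:
        if needle.lower() in text.lower():
            return needle
    return None


def vm_indicators(dmi_strings, macs, cpuid_hv_vendor=""):
    """Return the list of VM tells found, e.g. ['dmi:VMware', 'mac:VMware'].

    cpuid_hv_vendor is the 12-byte vendor string a hypervisor returns for
    CPUID leaf 0x40000000 ('VMwareVMware', 'KVMKVMKVM', 'Microsoft Hv', ...);
    pass '' when it was not collected.
    """
    hits = []
    for s in dmi_strings:
        v = dmi_vendor(s)
        if v and f"dmi:{v}" not in hits:
            hits.append(f"dmi:{v}")
    for mac in macs:
        v = oui_vendor(mac)
        if v and f"mac:{v}" not in hits:
            hits.append(f"mac:{v}")
    hv = cpuid_hv_vendor.strip("\0 ")
    if hv:
        hits.append(f"cpuid:{hv}")
    return hits


def host_indicators():
    """Best-effort collection from the running machine (Linux sysfs paths)."""
    dmi = []
    for name in ("sys_vendor", "product_name", "board_vendor", "bios_vendor"):
        try:
            with open(f"/sys/class/dmi/id/{name}") as f:
                dmi.append(f.read().strip())
        except OSError:
            pass  # not Linux, or no DMI exposed
    node = uuid.getnode()
    mac = ":".join(f"{(node >> (8 * i)) & 0xff:02x}" for i in reversed(range(6)))
    return vm_indicators(dmi, [mac])


if __name__ == "__main__":
    print("VM indicators on this host:", host_indicators() or "none")
```

The defensive takeaway is that every one of these tells can be changed on the analysis side: set custom DMI strings and a non-hypervisor OUI in the guest's configuration so a sample that checks them sees a plausible physical PC.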

The bottom line: if you're running a Mac and you don't have Mac antivirus software, it's time to consider it.


Zeus Botnet Sting Led by Microsoft

The good guys are always happy to see when there's any positive action towards stopping a botnet--particularly when the action is strong, like Microsoft's "Operation b71."

SecurityWeek.com has a great story of the Microsoft Zeus Botnet Sting. As you might expect, there's a lot of cooperation between different companies and agencies needed to take out this kind of thing.

Here's the guts of the takedown story,
"Microsoft and its co-plaintiffs, escorted by U.S. Marshals, seized command and control (C&C) servers in two hosting locations on March 23 in Scranton, Pennsylvania and Lombard, Illinois.

"The move, which Microsoft said was its 'most complex effort to disrupt botnets to date,' was to seize and preserve data and evidence from the botnets to use in a case against multiple botnet operators.

"In addition to seizing the C&C servers, the group took down two IP addresses behind the Zeus command and control structure, and secured 800 domains that Microsoft is now monitoring and using to help identify computers infected by Zeus."
What caught my eye here was the scope of the botnet operation. Eight HUNDRED domains.

Figure if the domains cost $5-$10 each, the domain names alone cost $4,000 - $8,000, so there's no doubt if the bad guys are spending that kind of dough just on the domain names, they're making real cash from the botnet.

As much as most people would hate to admit it, it is a business. (It's a business most of us wouldn't touch with the proverbial ten foot pole, but it is a business.)

Unfortunately, it's not the end of Zeus. Not even close. Was it a setback for the operators? Yes. The end? No.

Just how nasty is the Zeus Botnet? Here's a quote from the current Wikipedia page:
While Zbot is a generic back door that allows full control by an unauthorized remote user, the primary function of Zbot is financial gain - stealing online credentials such as FTP, email, online banking, and other online passwords.
In other words, the bad news is, it's meant to give the bad guys total control of your PC.

The good news is, antivirus programs are able to prevent, detect, and remove the threat.

The one other bit of bad news though is that even though antivirus software can detect and remove the bot, it's very, very hard to tell if you've been infected without the latest software and signatures.

In other words, because it's such a well-designed bot, if you're not running up-to-date antivirus protection, chances are you'd never even know your PC had been infected. To the bad guys' credit, it's a very well designed piece of software and is known for its clever design and stealth.

If you're so inclined to learn about the legal proceedings, full details are at: www.zeuslegalnotice.com.


Ask the Experts: Do I Need Antivirus Software?

Martha tapped a note out to us today that asked,
I'm 73 years old. My grandkids have been getting after me a lot lately. They want me to put some of that antivirus software on my computer. I don't know a thing about this stuff. I don't understand why I even need it. I use my computer for email and reading the news.
Here's my reply: (with a little extra added here for clarification)

Thanks for writing, Martha.

I'm glad to hear your grandkids have been after you to get antivirus software. They're wise beyond their years. :-)

The first question here is:

Do I need antivirus software?

Since there are so many different ways a computer can get a virus, the question to ask to decide if you need antivirus software is:

What would happen if your PC got a virus?

The main risks of viruses are that they tend to be:
  1. destructive
  2. personally invasive
  3. resource thieves

The first thing is easy to understand. Viruses can delete your files.

If you have nothing of value on your PC, there's no risk here other than the time and cost for a PC shop to restore your PC and get it back into a working state.

On the other hand, if you do have things of value (real or sentimental) on your PC, maybe photos, music, emails, or the like, what would be involved in restoring those files, assuming it's possible?

As for viruses being personally invasive, it means viruses can steal your files, your data, and under the right circumstances even your identity.

Ditto here. If there's nothing of value on your PC, the risks are the time and cost of repair. If you use your computer for things like online banking, doing your taxes, or medical-related stuff, what's the risk of this information falling into the wrong hands?

The last one, resource theft, means viruses can burrow their way onto your PC and can make your computer a part of a "botnet".

Botnets are often used for sending spam, so if your PC gets sucked into a virus botnet, it's pretty likely someone would start using it to send their spam, probably without you even knowing it.

Even if there's truly no risk of data loss or theft (which isn't really the case, but assuming it is), if your computer is in a botnet, it's definitely being used for malicious purposes, something most folks don't want.

As to how you get a virus, there are a lot of ways computers get viruses. These days, the bad guys are resorting to taking over legitimate websites and using clever tricks to confuse people--or their computers--into installing their viruses.

How you get a virus is actually less important than what would happen if you got one, which is the real question to ask yourself if you're trying to figure out if you need antivirus software.


Ask the Experts: What's the difference between antivirus and Internet Security software?


Easily one of the most Frequently Asked Questions we get is,

What's the difference between antivirus software and an Internet security suite?

Right on the heels of that is the next one, Is the upgrade worth it?

Each security software company puts their own spin on things, but generally it boils down to the addition of two critical features:

  1. firewall software
  2. malicious website filtering

firewall software

Creates a virtual "moat" between your PC and the Internet (or the rest of a network if you're on an open wireless network somewhere like a coffee shop or the airport.)

Sure, some malware can beat a software firewall, but it's another layer of defense to help keep your PC safe.

The other benefit to the best firewalls: you can record (and block) traffic both going to your PC and traffic leaving from it, too.

What's the point?

You'd be surprised how many programs are installed on your PC that make connections all on their own to check for updates, etc. Viruses, worms, keyloggers, spambots, and other malware do this, too.

So, if you suspect a virus may've infected your PC and gotten past your antivirus software, a firewall can help you track down if and when it's making connection attempts from your PC back to a master server somewhere.
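Here's what "tracking down connection attempts" can look like in practice. This is an added example, not part of the original post: a Python script that reads an outbound-connection log in the column layout Windows Firewall writes to pfirewall.log (date, time, action, protocol, source and destination addresses and ports, then a trailing SEND/RECEIVE path field) and looks for the tell-tale sign of a bot phoning home, the same destination contacted at very regular intervals. The log lines, addresses and timings below are constructed for the demo; the only real-world assumption is the column order of that log format.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log in Windows Firewall's pfirewall.log layout. One host keeps
# calling 198.51.100.44:8080 every five minutes; the other traffic is normal.
LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-04-10 02:00:03 ALLOW TCP 192.168.1.20 198.51.100.44 49321 8080 0 - 0 0 0 - - - SEND
2012-04-10 02:00:41 ALLOW TCP 192.168.1.20 203.0.113.9 49322 443 0 - 0 0 0 - - - SEND
2012-04-10 02:05:03 ALLOW TCP 192.168.1.20 198.51.100.44 49330 8080 0 - 0 0 0 - - - SEND
2012-04-10 02:07:11 DROP TCP 203.0.113.55 192.168.1.20 51000 445 0 - 0 0 0 - - - RECEIVE
2012-04-10 02:10:02 ALLOW TCP 192.168.1.20 198.51.100.44 49341 8080 0 - 0 0 0 - - - SEND
2012-04-10 02:12:17 ALLOW TCP 192.168.1.20 203.0.113.9 49350 443 0 - 0 0 0 - - - SEND
2012-04-10 02:15:04 ALLOW TCP 192.168.1.20 198.51.100.44 49355 8080 0 - 0 0 0 - - - SEND
2012-04-10 02:20:03 ALLOW TCP 192.168.1.20 198.51.100.44 49362 8080 0 - 0 0 0 - - - SEND
2012-04-10 02:25:04 ALLOW TCP 192.168.1.20 198.51.100.44 49371 8080 0 - 0 0 0 - - - SEND
2012-04-10 02:33:50 ALLOW TCP 192.168.1.20 203.0.113.9 49380 443 0 - 0 0 0 - - - SEND
"""


def parse_outbound(log_text):
    """Yield (timestamp, dst_ip, dst_port) for each outbound (SEND) entry."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 9 or f[-1] != "SEND":
            continue
        ts = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S")
        yield ts, f[5], int(f[7])


def find_beacons(log_text, min_conns=4, max_cv=0.1):
    """Destinations contacted at least min_conns times at near-constant intervals.

    Regularity is measured as the coefficient of variation (stddev / mean) of
    the gaps between successive connections; human browsing is bursty and
    scores high, a timer-driven bot scores close to zero.
    """
    by_dst = defaultdict(list)
    for ts, dst, dport in parse_outbound(log_text):
        by_dst[(dst, dport)].append(ts)

    hits = []
    for (dst, dport), times in by_dst.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            hits.append({"dst": dst, "dport": dport, "count": len(times),
                         "mean_interval_s": avg, "cv": cv})
    return hits


if __name__ == "__main__":
    for h in find_beacons(LOG):
        print(f"{h['dst']}:{h['dport']} contacted {h['count']}x, "
              f"every {h['mean_interval_s']:.0f}s (cv={h['cv']:.3f})")
```

One caveat before you point this at a real pfirewall.log: Windows Firewall logs nothing by default, and successful (allowed) connections are logged only if you turn on "Log successful connections" in the logging settings, so the outbound beacons you're hunting for won't be in the file unless that was enabled beforehand. Third-party firewalls use their own formats, but the idea, group by destination and look at the spacing, carries over.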

malicious website filtering

You're out reading some news and checking out your favorite sites. Maybe you're clicking around and visiting some sites you've never been to; maybe you just made a typo and typed "yuorbank" instead of "yourbank."

Who knows.

In either case, the bad guys are on the prowl and are:

  1. secretly taking over legitimate sites and planting their viruses on them
  2. buying domain names that are typos of legitimate sites
  3. sending spam and phishing emails

Regardless of their method, the bad guys are out there, and malicious website filters (including anti-phishing ones), like a firewall, can give you one more layer of protection before the actual virus detection part of antivirus software has to come into play.
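To make the "malicious website filter" concrete, here is an added example, not anything from a shipping product: a tiny Python filter that runs each host the browser is about to visit through a blocklist of known-bad sites and then checks it against the handful of brands the user actually logs in to, catching typo-squats like "yuorbank" (by edit distance from the real name), the same brand name under a different domain, and lookalikes that merely embed the brand name. The lists are constructed for the demo; a real product pulls its blocklist from a feed that is updated many times a day.

```python
# Constructed lists for the demo. A real product updates these from a feed.
KNOWN_BAD = {"malware-dl.example", "updates-flashplayer.example"}
PROTECTED = {"yourbank.example", "facebook.com", "paypal.com"}


def levenshtein(a, b):
    """Edit distance between two strings (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def _core(host):
    # Crude: last two labels ("www.bank.com" -> "bank.com"). A real filter
    # would use the Public Suffix List so "co.uk" style domains work.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify(host):
    """Return (verdict, reason); verdict is 'block', 'warn' or 'allow'."""
    host = host.strip().lower().rstrip(".")
    if host in KNOWN_BAD or any(host.endswith("." + b) for b in KNOWN_BAD):
        return "block", "known malicious host"

    core = _core(host)
    if core in PROTECTED:
        return "allow", "exact match for a protected site"

    label = core.split(".")[0]                 # "yuorbank" from "yuorbank.example"
    for brand in sorted(PROTECTED):
        name = brand.split(".")[0]             # "yourbank"
        dist = levenshtein(label, name)
        if dist == 0:                          # "yourbank.com" vs "yourbank.example"
            return "warn", f"same name as {brand} under a different domain"
        # Allow roughly one typo per four characters of the brand name.
        if dist <= max(1, len(name) // 4):
            return "warn", f"looks like {brand} (edit distance {dist})"
        if name in label:                      # "paypal-secure-login"
            return "warn", f"embeds the protected name {name!r}"
    return "allow", "no match"


if __name__ == "__main__":
    for h in ("www.yuorbank.example", "facebook.com", "paypal-secure-login.example",
              "cdn.malware-dl.example", "yourbank.com", "news.example.org"):
        print(f"{h:32} -> {classify(h)}")
```

The order of the checks matters: the blocklist wins outright, an exact match for a site you use is allowed before any fuzzy matching runs, and only then do the lookalike heuristics fire, which keeps the filter from warning on the real bank every time you visit it.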

Is the upgrade worth it?

In a lot of cases when it comes to technology, there's wiggle room in an answer. In this case though, the "Yes" is clear-cut.

Sure, these two features will cost a few bucks more, usually about $10. The $10 is well spent though, since you're getting real benefit from it.

The $10 isn't just fluff on a fancier name; it's $10 on--at least--two different security technologies that you don't get with most basic antivirus protection.

And, they're two technologies that can make all the difference between your PC being compromised (and all the clean-up time, expense, and mess that goes along with it) and not.


TDSS Botnet Has a Firefox Add-On?!

Too weird and too bold to be true, yet still true.

The TDSS botnet is regarded as the most sophisticated threat today by Kaspersky Lab, makers of Kaspersky Anti-Virus.

And now, apparently the botnet is proving to be such a menace and so difficult to detect, its creators have even gone so far as to create a Firefox Add-On to make it easier for anyone using the botnet for anonymous surfing to switch from one hijacked connection to another.

Brian Krebs has more detail on the TDSS Rent-a-Bot Botnet Details.

What's so scary about this aspect of TDSS, a botnet that appears capable of being used for anything you can imagine, is that it lets a stranger surf the web as if they were sitting at your computer, doing whatever they want from your IP address.

Here's a screenshot of a few of the infected PCs being rented for web proxy service:

The evil possibilities are endless.

Imagine what you could never imagine you doing yourself on your computer. Imagine what you'd never want your computer being used for. Now, imagine someone else is doing these things on your computer. And you don't even know it.

In my mind, I'd call Kaspersky's assessment spot on.

And if as you read this you're thinking to yourself, "Oh, but I know my computer isn't infected. I'd know it! Pfft. I don't need antivirus software." Sure about that, are you?

Sure enough that you can explain why your computer was downloading illegal pictures at 3AM? Or pirated Hollywood movies? Or stolen data from a military base?

You're that sure, are you?


Move Over Tom Clancy...A Real World Thriller: Stuxnet


An incredible piece at Wired.com, "How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History", details the jaw-dropping, almost impossible to believe international tale of how researchers for Symantec (makers of Norton Antivirus and Norton Internet Security) tracked down and reverse engineered the Stuxnet worm.

It's a long piece that I thought I'd glance through at first, but that I found myself reading every word of.

Hat-tip to Kim Zetter for some incredible reporting and equally good story telling.
...the answer would come only after dozens of computer security researchers around the world would spend months deconstructing what would come to be known as the most complex malware ever written — a piece of software that would ultimately make history as the world’s first real cyberweapon.
Satellite image of the Natanz nuclear enrichment plant in Iran taken in 2002 when it was still under construction.

Image source: http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/


$250,000 Reward for Information about the Rustock Botnet

Microsoft made an announcement in their blog today: $250,000 for Rustock botnet information
This reward offer stems from Microsoft’s recognition that the Rustock botnet is responsible for a number of criminal activities and serves to underscore our commitment to tracking down those behind it.

"While the primary goal for our legal and technical operation has been to stop and disrupt the threat that Rustock has posed for everyone affected by it, we also believe the Rustock bot-herders should be held accountable for their actions.
Why has Microsoft put so much effort into this particular botnet?

In part because of the serious damage it has done. By Microsoft's estimation, the botnet had capacity for sending 30 billion spam messages. A day.

Bear in mind, too, that this is after Rustock was taken down through a huge international effort that marshaled industry and academic researchers, legal teams, and governments to do so.

So, what does all this mean?

My own take is that they may never capture the folks responsible, and a lot of infected machines are still out there, mostly unbeknownst to their owners, no doubt, so there's still a lot of work to be done.

My belief is that the botnet will take many years to die completely, because most of the people who're running infected machines aren't running antivirus software, and if they haven't noticed their machines are infected by now, they probably never will.

Thus, they're unlikely to install some and remove the botnet from their PC.

In which case, it'll only die when the infected PCs themselves go to the scrapyard.

In the meantime, at least the technological solutions in place should make it very hard for the infected machines to come back to life and spew more spam.

More information on the $250,000 Rustock award.


TDL-4 / TDSS an "Indestructible" Botnet?

The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today.
That's a quote directly from Kaspersky's analysis of the TDL-4 / TDSS bot.

No matter where you look, this botnet is making news. And it's making even the Conficker/Downadup worm that made big news last year look pretty tame by comparison. Why?

TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center.

TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.
Translation: TDL-4 is great at hiding itself and great at hiding viruses and other threats from antivirus software.

The TDL software itself isn't particularly new, but what's interesting about it is how its creators have evolved it over time, making it harder to detect and stop with each version. This latest version, TDL-4, for instance, is now able to infect 64-bit systems.

So, if you had any sense of additional security from the fact that most viruses still weren't able to attack 64-bit systems, those days are gone.

This botnet is clearly not something garden variety. Kaspersky's researchers go on to say,
The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and antivirus companies.
What makes it so hard to detect to begin with is that it's a "bootkit": it infects the Master Boot Record (MBR), the first sector of the disk, which holds the code the BIOS runs before Windows loads.

And, because the MBR is infected, it runs before the operating system even starts. Huh?

Exactly, and as The Bard says, "there's the rub." Because it's activated before the OS starts, it's also running before your antivirus software, too.
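To see what "infecting the MBR" means at the byte level, and what a before-and-after check looks like, here is an added example that is not part of the original post or of any vendor's tool. The MBR is the first 512-byte sector of the disk: 446 bytes of boot code, four 16-byte partition table entries, and the 0x55AA signature. A bootkit swaps out the boot code so its own loader runs before the OS, while leaving the partition table alone so the machine still boots normally. The Python below parses that layout, builds a constructed clean and "infected" image (the boot-code bytes are stand-ins, not real loader code), and compares the boot-code hash against a baseline recorded from a known-clean install. Reading the real sector from a disk or image is the one-line `read_mbr` at the bottom.

```python
import hashlib
import struct

BOOT_CODE_LEN = 446          # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446         # four 16-byte entries at 446, 462, 478, 494
SIGNATURE_OFF = 510          # bytes 510..511: 0x55 0xAA


def parse_mbr(mbr):
    """Split a 512-byte MBR into boot-code hash, partition entries and signature."""
    if len(mbr) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    signature = struct.unpack_from("<H", mbr, SIGNATURE_OFF)[0]   # 0x55,0xAA read little-endian
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": signature == 0xAA55,
    }


def check_mbr(mbr, known_good_boot_hash):
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    if info["boot_code_sha256"] != known_good_boot_hash:
        findings.append("boot code differs from known-good baseline")
    return findings


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and (bootable, type, lba, sectors) tuples."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    img = bytearray(512)
    img[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        img[off] = 0x80 if bootable else 0x00
        img[off + 4] = ptype
        struct.pack_into("<II", img, off + 8, lba, count)
    img[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xaa"
    return bytes(img)


def read_mbr(path):
    """First sector of a raw device or disk image (e.g. a .img file)."""
    with open(path, "rb") as f:
        return f.read(512)


# Constructed images. The boot-code bytes are stand-ins for the demo only.
PARTITIONS = [(True, 0x07, 2048, 204800)]                    # one active NTFS partition
CLEAN_BOOT_CODE = bytes.fromhex("fa33c08ed0bc007cfb") + b"\x90" * 8
INFECTED_BOOT_CODE = bytes.fromhex("eb1e90") + b"\x00" * 14   # stand-in "jump to loader stub"
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
INFECTED_MBR = build_mbr(INFECTED_BOOT_CODE, PARTITIONS)
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]     # record this on a clean install

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE_HASH) or "OK")
    print("infected:", check_mbr(INFECTED_MBR, BASELINE_HASH))
```

Notice that the "infected" image has a perfectly valid signature and an untouched partition table, so nothing about the machine's behaviour gives it away; only comparing the boot code against a baseline does. That is also why `bootrec /fixmbr` works as a cleanup step: it rewrites those first 446 bytes with a standard loader and leaves the partition table alone.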

So, how the heck do you detect this thing, much less get rid of it?!

As of the writing of this piece, it's somewhat hit-or-miss as to whether or not a given piece of antivirus software will remove it if you've gotten it. So far, it looks like all the best antivirus software manufacturers have updated their software and/or signatures to detect it.

Even still, some of them, including Symantec (Norton) and Kaspersky, consider this such a big threat that they're making specific Popureb / TDL-4 / TDSS removal tools:

Norton Bootable Recovery Tool
Kaspersky TDSSKiller (anti-rootkit utility)

Microsoft's initial advice to remove Popureb (as Microsoft is calling it) according to a Computerworld.com piece was,
If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state.
This is in line with what Microsoft was telling customers in early 2010 when the Alureon rootkit was first making the rounds. MSRC (Microsoft Security Response Center) director Mike Reavey said at the time,
If customers cannot confirm removal of the Alureon rootkit using their chosen anti-virus/anti-malware software, the most secure recommendation is for the owner of the system to back up important files and completely restore the system from a cleanly formatted disk.

Depending on who you ask, this is either overkill or, really, the best, most cautious approach.

One researcher for Symantec, Vikram Thakur, says,
When you fix the MBR, you pretty much expose the threat itself to other applications, including antivirus applications. They can then pick up on the threat, and delete it.
If you have any suspicion that you've been infected, a great tool to ferret out a rootkit is GMER (version as of this writing).

If you get bad news from GMER, it'll look like this:
As far as an official Microsoft response, the Microsoft Technet blog on Popureb.E says,
If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state.

Here's how to fix the MBR by hand:
  1. Open a Windows Recovery Console.
  2. Use the tool BOOTREC.exe [1] to fix the MBR, as in:

    bootrec.exe /fixmbr

  3. Restart the computer; you can then scan the system to remove any remaining malware.

Notably, Microsoft adds a critical part almost as an afterthought: "If you opt to use Windows Restore to remove the malware instead, you must still fix the MBR first, and then restore the system."

The bottom line with this thing is, it's no joke. As the Kaspersky researchers put it, it's "the most sophisticated threat today."

If you've been infected, we'd suggest trying to ferret it out first with your antivirus software. If that doesn't work, look to some of the other methods like GMER and the specific removal tools like those from Symantec and Kaspersky.

[1] More info on BOOTREC.exe.