Banking and Virus Scanning with a Live CD

Last week, Brian Krebs of the Washington Post blogged here advising business owners to perform online banking using a live CD. This excellent advice (IMHO) created quite a stir over the last week.

Essentially, banking on a live CD prevents you from being exposed to Windows viruses, while at the same time loading a fresh, non-compromised OS each session. This can almost guarantee that your online banking sessions will be secure, so long as you go directly to the bank site and don't click on dangerous links delivered via email, etc. It's also a no-cost option, which is great for SMBs.

Mr. Krebs took the time to respond to some of the publicity surrounding his article with a follow-up earlier today. He responds to reader suggestions such as using limited user accounts and dedicated computers for online banking. These are sound practices, but they don't necessarily stop the most popular banking trojans today, Zeus and Clampi.

As noted by Krebs, "a number of today's more advanced threats - including the Zeus Trojan, a sophisticated family of malware most commonly associated with these attacks against small businesses -- will just as happily run on a limited user account as an administrator account in Windows." He also noted that Clampi can easily propagate over a Windows network.

What I found most interesting was the discussion about the Genlabs breach, which netted criminals $437,000. This was done using the Zeus (Zbot) family of malware, and the forensic report done after the fact highlighted a major problem with Windows-based anti-virus scanning.

"Using a Windows-based scanning tool, the drive showed no infections. However, several directory trees and files could not be accessed indicating that the tools were not able to complete a 100% analysis.
...
We built a Linux-based system to repeat selected scans and analysis on the theory that Linux would bypass possible Windows-based protocols to protect and/or hide files."

The compromised system contained two variants of the Zeus trojan, the same trojan that had just cost them $473,000!

However, this got me thinking about something I hadn't ever done before. Why not boot into Ubuntu (which I currently dual-boot, any other OS besides Windows would work) and run scans from there?


Testing this was incredibly easy. First, I went to the Avast! website and downloaded the newest .deb package from the Linux download page. After installing it, scanning was as simple as picking out my Windows partitions, which are easily accessible from Ubuntu, and running scans on them.

Luckily, nothing was infected. This type of scan could also easily be run from a Live CD to check for any type of bot, virus or infection.

For those of you that have read this far, apologies for the long-winded article. I had wanted to comment on the use of a live CD last week and never got a chance until now. This cheap and quick alternative could certainly save a number of small and medium-sized companies from huge losses at the hands of criminals.

Obama Stresses Cybersecurity Awareness

"The lesson is clear, this cyberthreat is one of the most serious economic and national security challenges we face as a nation" (Obama).

This is the message that Obama recently declared in a short video on the White House website. He makes it very clear, in the midst of cybersecurity awareness month, that all Americans need to be aware and secure in their online activities.

"As consumers we use the internet to pay our bills, to shop, to file our taxes, but millions of Americans have been victimized; their privacy violated, their money and identity stolen, their lives turned upside down" (Obama).

It's great that the President is getting involved and raising awareness of "cybersecurity" from the top down. He stresses that everyone needs to do their part, from individuals to corporations. Obama and the White House provide the following recommendations:
  • Keep security software up to date
  • Beware of suspicious emails
  • Always know who you're dealing with
  • Never give out your personal or financial information unless you've verified the recipient is legitimate
In addition, White House Assistant John Brennan stresses to "learn what to do if something goes wrong".

Check out the YouTube Video:



The White House cybersecurity awareness blogs:
National Cybersecurity Awareness Month
National Cybersecurity Awareness Month II
National Cybersecurity Awareness Month III

New Zeus Scam Emails and Download Domains

There are some new Zeus emails going around that folks should be aware of. These emails, as reported by the Securosis blog, pretend to be from a system administrator. The "administrator" asks recipients to "run SSl updates procedure" as below.

New Twist on IRS Spam

There is a new twist on the IRS emails that have been delivering zbot and other threats over the last month. In some new emails, reports Gary Warner, the link contained in the message is to Geocities.

An example from the CyberCrime & Doing Time blog:
hxxp://geocities.com/FreddyCampbell36/ohuloc.htm

While the users will ultimately end up at the commonly used http://www.irs.gov.blah.blah.co.uk/fraud_application/directory/statement.php?etc... type of URL, the attackers are now using Geocities as an intermediary.

This makes it increasingly difficult for spam and AV scanners to detect the malicious URL and block the email before it reaches unsuspecting users. Warner reported that a VirusTotal scan showed a very low detection rate: another repackaged zbot built to bypass detection.

For more information, including a list of dangerous URLs visit the CyberCrime & Doing Time blog!

http://garwarner.blogspot.com/2009/10/irs-zeus-via-geocities.html

Green Cloud Security Firefox Add-On Collection

Firefox recently added the ability to group collections of add-ons for easy sharing. The ISC recently published their recommended add-ons and we've followed suit. There were a couple of additional add-ons, namely FlagFox and KeyScrambler, that are also useful security add-ons.

Green Cloud Security Add-Ons:
https://addons.mozilla.org/en-US/firefox/collection/greencloudsecurity

Spike in Blackhat SEO: Websense Monthly Report

Websense published their monthly report, "This Month in the Threat Webscape". September saw a number of new attacks and an increase in some old ones.

One of the most well known and documented problems this month was blackhat SEO poisoning with malicious results leading to rogue AV and other types of malware.

Comcast Monitoring Users for Malware and Botnet Activity

Comcast is beginning the launch of a new service to notify users of compromised computers and botted machines. The service, called Comcast Constant Guard, has started an initial roll-out in the Denver area.

Web Threats Booming: APWG First Half Report

The Anti-Phishing Working Group (APWG) released their first-half "Phishing Activity Trends Report" with some startling statistics. For those that have not heard of it, the APWG is an organization devoted to the elimination of phishing and identity theft scams.

The report gives statistics on many trends, including phishing trends, rogue AV, keyloggers and others, and fully reinforces the fact that the number of threats on the internet continues to grow.

Some of the staggering statistics:

Evolution....New Multi-Function Trojan

Webroot has discovered a new trojan that performs a variety of malicious tasks. One of the primary functions is to crack captchas so that forms of all types can be submitted by the attacker. The trojan will download a specific set of instructions from the internet including which sites to attack, and then operate in the background - attempting to connect to targeted sites.

That is not the only concern. The trojan is also capable of stealing passwords and all the information entered into online shopping forms. It also includes an ad-clicker function which will click through certain ads that match its instruction set. Furthermore, it plants itself deep in the Windows OS, so that system restore and reboots do not interfere with its function.

Webroot has classified this as a password stealer, Trojan-PWS-Lanci.

More information on the Webroot Blog:
http://blog.webroot.com/2009/10/02/trojan-decodes-captchas-using-stolen-commercial-tools/

Protect Against Keylogging Trojans with KeyScrambler

There has been a lot of news lately surrounding keylogging trojans, including Zbot, Clampi and others. These trojans are designed to steal authentication credentials and other sensitive information, especially for banking and social networking sites, leaving users scrambling for ways to protect themselves.

The highlights of these news articles have been how easily these trojans evade detection, even by the most current anti-virus programs, and the large sums of money that have been stolen using them. A recent ComputerWorld article reports up to $350,000 US dollars stolen from the Crystal Lake School district.

Beyond typical web filtering and anti-virus programs, browser add-ons are also very useful. Web of Trust and NoScript are well known to help prevent web based attacks. Another is called KeyScrambler.

KeyScrambler (free edition) works with popular browsers - Firefox, IE and Flock - as well as some other software to protect you from keyloggers. The paid editions offer additional protection. After install, KeyScrambler runs silently in your system tray, or with notifications letting you know when it is protecting your keystrokes. Even if anti-virus protection is lax and does not catch the trojan or virus being installed, you will still be protected by KeyScrambler.

"There are hundreds of keylogging programs and new ones are appearing all the time.  Most anti-spyware and anti-virus programs may not be able to detect new viruses and worms because they have to be updated to recognize them, which means that they often work after the fact - they detect and remove the malware only after it is already in your computer - and may not be able to stop theft in time.  KeyScrambler protects all the time.  It defeats existing and new keyloggers by making your keystrokes indecipherable to spyware." (Keyscrambler)

This is another great way to protect yourself from the bad guys. With the newest outbreak of keylogging trojans this should be considered a must have!

Download: http://www.qfxsoftware.com/Download.htm

Zbot Trojan: World's Most Dangerous Malware

The Zbot Trojan, aka Zeus or WSNPoem, is the world's largest and most dangerous malware. A recent whitepaper by Trusteer, which specializes in securing online transactions, proved that the Zbot trojan has an incredibly low detection rate amongst anti-virus scanners.

Trusteer reports that 3.6 million PCs are infected in the US alone, and even up to date anti-virus scanners cannot stop it. "Installing an anti-virus product and maintaining it up to date reduces the probability to get infected by Zeus by 23% compared to running without an anti-virus altogether" (Trusteer).

In other words, opening or downloading the trojan results in infection more than 75% of the time.

The newest delivery method of the trojan is emails claiming to be from the IRS and a typical subject of "Notice of Unreported Income". These emails are in wide circulation over the last three weeks and are showing no signs of slowing down according to a report recently published by Network World.


What is Zbot?
The Zbot trojan is designed to steal login credentials, usually for financial accounts. The admin panel and exe builder can be easily purchased and are widely distributed on criminal networks for only a few thousand dollars. Old and obsolete versions of the builder are even freely available on P2P file sharing networks and torrent sites. The builder makes it possible for cybercriminals to generate their own version of the virus to get around anti-virus scanners.

Zbot is typically used to steal account information. The main area of focus for the criminals is banking websites. Once the credentials for these sites have been stolen they can be used to siphon money from the account into the criminals' own network of accounts. Because Zbot is a keylogger by design, it can be used against any type of website the attacker wishes to gain access to, including social networking sites and FTP accounts, and it can even be used to bypass two-factor authentication.

Zbot is commonly spread through email or malicious websites using drive-by downloads. The emails claim to be from a reputable source containing an attachment that the unsuspecting user will open. The most prevalent scheme for these emails has been shipping carrier (UPS, Fedex, etc.) delivery notifications which report a problem with package delivery and get the user to open the attachment. Other schemes include bank notifications, Microsoft Outlook update notifications, Western Union fakes and others. 


How Does Zbot Work?
The Zbot Trojan is essentially a framework for the exploit. Without the configuration file the program does nothing. This encrypted configuration file is the command and control structure of the bot including what sites to attack and where to send stolen credentials and information.

"The logics contained in the configuration contains the list of banking institutions that the bot targets, URLs of the additional components that the bots relies on to download commands and updates, the lists of questions and the list of the fields that the bot injects into Internet banking websites to steal personal details/credentials, etc." (ThreatExpert)

The configuration file can be downloaded from a site of the attacker's choosing, and also contains the location of the next configuration update. Infected machines can be grouped into botnets by the attacker and updated from the same locations.

Once running on a system the trojan can perform a variety of operations. The majority of the time this is simply a keylogger which is activated when the user accesses a targeted site. Zeus can also replace the web form on a search page to ask for additional information such as card numbers, PIN numbers, social security numbers and the answers to security questions. Real-time screenshots can also be taken from infected machines.

More detailed technical information is available on the ThreatExpert blog and the Zeus tracker pages at the bottom of this post.

Detecting Infection
To determine if a machine is infected users can look for specific registry keys and file locations added by Zbot. Here is a list of file locations from abuse.ch:



Preventing Infection
The best way to prevent infection is simply to be cautious about opening file attachments in email, and to enable browser protection that limits scripts and file downloads. Web filtering can be a powerful technique for limiting the effectiveness of Zeus by preventing access to distribution and call-home points. The tracker on abuse.ch is a great resource for finding command and control centers, which can then be blocked with a web filter or firewall.
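One way to act on such a blocklist, as an added example that is not from the original post or from abuse.ch: the script below loads a blocklist in a plain one-entry-per-line form (the blocklist entries and the squid-style proxy log lines are both constructed samples), then flags any proxied request whose destination host is a listed IP, a listed domain, or a subdomain of a listed domain.

```python
"""Check proxy log lines against a ZeuS C&C blocklist.

Added example (not from the original post or abuse.ch). It assumes a
plain-text blocklist with one domain or IP per line and '#' comments.
Both the blocklist and the log lines below are constructed samples.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample blocklist; a real feed would be downloaded from
# the tracker. These entries are placeholders, not real C&C hosts.
SAMPLE_BLOCKLIST = """\
# ZeuS domain/IP blocklist - constructed sample
zeus-cc.example
update.zeus-cc.example
203.0.113.45
"""

# Constructed squid-style access log lines:
# time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1255200000.123 210 10.0.0.5 TCP_MISS/200 4123 GET http://www.irs.gov/ - DIRECT/1.2.3.4 text/html
1255200001.456 180 10.0.0.7 TCP_MISS/200 2048 GET http://cfg.zeus-cc.example/cfg.bin - DIRECT/203.0.113.45 application/octet-stream
1255200002.789 150 10.0.0.9 TCP_MISS/200 512 POST http://203.0.113.45/gate.php - DIRECT/203.0.113.45 text/html
1255200003.000 90 10.0.0.5 TCP_MISS/200 900 GET http://notzeus-cc.example/ - DIRECT/198.51.100.2 text/html
"""


def load_blocklist(text):
    """Return (set of domain strings, set of ip_address objects) from feed text."""
    domains, ips = set(), set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        try:
            ips.add(ipaddress.ip_address(entry))
        except ValueError:
            domains.add(entry.rstrip("."))
    return domains, ips


def host_is_blocked(host, domains, ips):
    """True if host is a listed IP, a listed domain, or a subdomain of one."""
    host = host.lower().rstrip(".")
    try:
        return ipaddress.ip_address(host) in ips
    except ValueError:
        pass
    labels = host.split(".")
    # Walk up the label chain so cfg.zeus-cc.example also matches zeus-cc.example
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def find_blocked_requests(log_text, domains, ips):
    """Return [(client_ip, url)] for log lines whose destination host is listed."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line, skip rather than crash
        client, url = fields[2], fields[6]
        host = urlsplit(url).hostname
        if host and host_is_blocked(host, domains, ips):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    doms, addrs = load_blocklist(SAMPLE_BLOCKLIST)
    for client, url in find_blocked_requests(SAMPLE_LOG, doms, addrs):
        print(f"ALERT client={client} contacted listed host: {url}")
```

The same host check can feed a firewall or proxy deny list; the subdomain walk matters because call-home URLs are often hosted on subdomains of a listed domain.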

Conclusion
Zbot usage and distribution are showing no signs of slowing down, and the criminals behind it are making millions. The trojan has proven effectiveness and has been in circulation for over three years; it will continue to be a threat for some time to come.

Resources
Abuse.ch Zeus Tracker
ThreatExpert: Time to Revisit Zeus Almighty
Trusteer: Measuring the in-the-wild effectiveness of antivirus against Zeus
Network World: IRS Scam Now World's Biggest Email Virus Problem
Dancho Danchev: Crimeware in the Middle - Zeus
Zero Day: Modern banker malware undermines two-factor authentication

Newly Listed IRS Scam and Zbot Domains

A new list of IRS Scam and Zbot domains was recently posted on malwareurl.com. These are interesting as the domain names are altered only slightly and end in .eu. There are a total of 28 domains and 20 unique IP addresses.


Stay tuned for more info on the zbot trojan coming soon. This financial malware is one of the biggest threats out there, with some of the worst detection rates: very dangerous!

Introductory Post

As internet threats continue to evolve, it's becoming clear that web threats and blended threats are the predominant danger to network security. Green Cloud Security and this blog are dedicated to spreading information about web security issues, increasing awareness for both network administrators and regular internet users.

The creation of this blog comes on the heels of the Websense Security Labs "State of Internet Security" for the first half of 2009. There are many fascinating statistics that are presented in this report.

Some Highlights Directly from the Report:

• Websense Security Labs identified a 233 percent growth in the number of malicious Web sites in the last six months and a 671 percent growth during the last year.
• 77 percent of Web sites with malicious code are legitimate sites that have been compromised. This remains unchanged from the last six-month period.
• 87.7 percent of email messages were spam. This represents a three percent increase over the last six months.
• 85.6 percent of all unwanted emails in circulation during this period contained links to spam sites and/or malicious Web sites.
• 95 percent of user generated comments to blogs, chat rooms and message boards are spam or contain malicious links.
• Researchers from Harvard and Cambridge estimate that 75.8 percent of phishing sites are hosted on compromised servers.

The full report can be downloaded from the WebSense Newsroom. There is also a video version of the report available.

One of the key concepts to be taken from this report is the importance of web filtering as it pertains to malware and other internet threats. Using web based blocking can significantly decrease the "window of vulnerability" of a particular threat. While anti-virus vendors scramble to create and release definitions (averaging 22 hours according to this report), web security vendors can block a virus download in a matter of minutes if done properly. While anti-virus programs will likely always have their place, web security is quickly becoming the most important factor in internet threat prevention.

Blended threats, which usually take the form of an email containing a link to a web page with harmful code or files, are also showing no signs of slowing. Real-time web filtering can prevent access to the link, and so prevent infection. If almost 88% of all email is spam, and 85% of that mail contains links to malicious and spam sites, then roughly 75% of all email contains links to malicious and spam sites - a serious problem.

This site is dedicated to keeping up-to-date information on web threats, blended threats and botnets. Please bear in mind that this is still very much in the building stages. Please follow via RSS or Twitter, and thanks much for reading.

Resources

Below is a list of resources that can be used to analyze web based threats, viruses and malware. I will update this list continually.


Web Analysis Services
Virus Total - http://www.virustotal.com/
Wepawet - http://wepawet.iseclab.org/
Virus.org - http://scanner.virus.org/
JSUnpack - http://jsunpack.jeek.org/dec/api
Web Sniffer - http://web-sniffer.net/



Applications and Plugins
Malzilla - http://sourceforge.net/projects/malzilla/
Process Monitor - http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
McAfee File Insight - http://www.trustedsource.org/blog/294/New-Version-of-McAfee-FileInsight
TrendMicro Web Protection Add-On - http://free.antivirus.com/web-protection-add-on/
Sophos Anti-Rootkit - http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
Avast - http://www.avast.com
Firebug - http://getfirebug.com/
NoScript - http://noscript.net/
McAfee Site Advisor - http://www.siteadvisor.com/
Web of Trust - http://www.mywot.com/
KeyScrambler - http://www.qfxsoftware.com/Download.htm


URL Databases
Malware URL - http://www.malwareurl.com/
Malware Domain List - http://www.malwaredomainlist.com/
HP Hosts - http://hosts-file.net/
Phishtank - http://www.phishtank.com
 

Green Cloud Security

Web security and converged threats are among the biggest issues in network security. Green Cloud Security provides the latest information on these threats.
