[+] Wayc0de's Blog[+]


17/10/11

Software Pirate Cracks Cybercriminal Wares

Make enough friends in the Internet security community and it becomes clear that many of the folks involved in defending computers and networks against malicious hackers got started in security by engaging in online illegal activity of one sort or another. These gradual mindset shifts are sometimes motivated by ethical, karmic or personal safety reasons, but just as often grey- and black hat hackers gravitate toward the defensive side simply because it is more intellectually challenging.
I first encountered 20-year-old French hacker Steven K. a few months ago while working on a series about the fake antivirus industry. I spent several hours reading accounts of his efforts to frustrate and highlight cybercriminal activity, and took time to follow the many links on his blog, XyliBox, a variant of his hacker alias, “Xylitol.” It turns out that Xylitol, currently unemployed and living with his parents, is something of a major player in the software piracy or “warez” scene, which seeks to crack the copy protection technology built into many computer games and commercial software programs.

As a founding member of redcrew.astalavista.ms (this site may be flagged by some antivirus software as malicious), Xylitol spent several years devising and releasing “cracks,” software patches that allow people to use popular commercial software titles without paying for a license. Cracks are frequently bundled with backdoors, Trojans and other nasties, but Xylitol claims his group never tainted its releases; he says this malicious activity is most often carried out by those who re-purpose and redistribute the pristine patches for their own (commercial and criminal) uses.



But about a year ago, Xylitol began shifting his focus to reverse engineering malware creation kits being marketed and sold on underground cybercrime forums. In October 2010, he began releasing cracked copies of the bot builder for the SpyEye Trojan, a crimeware kit that sells for several thousand dollars. Each time the SpyEye author released an update, Xylitol would crack it and re-release a free version. This continued for at least a dozen updates in the past year.

The cracked SpyEye releases have been met with a mix of praise and scorn from the security industry; the free releases no doubt frustrated the moneymaking capabilities of the SpyEye author, but they also led to the public distribution of a malware kit that had previously been much harder to come by.
In an instant message chat, Xylitol said he still cracks the occasional commercial software title, just for old time’s sake.

“Sometimes for the old memories, but I’m more into malware cracking now,” he wrote. “It’s more fun.”

Since Nov. 2010, Xylitol and some of his associates have been locked in a daily battle with Russian scareware and ransomware gangs. Scareware programs hijack PCs with incessant and misleading security warnings in a bid to frighten users into paying for the worthless software. Paying customers are given a license key that eliminates the annoying security warnings. Ransomware is even more devious: It encrypts the victim’s personal files — pictures, documents, movies and music files — with a custom encryption key. Victims who want their files back usually have little recourse but to pay a fee via text message to receive a code that unlocks the encrypted files.

Xylitol and his pals have been busy over the past year cracking and publishing the license keys needed to free computers snared by scareware and ransomware. For months, these guys have been taking on a Russian ransomware group called the WinAd gang, releasing the ransomware codes on a daily basis, often just hours after the WinAd gang began pushing out new ransomware variants.

In a chat conversation with KrebsOnSecurity.com, Xylitol said he’s lost track of the number of ransomware cracks he’s released, noting that at one point the WinAd gang switched to shipping a half-dozen updates daily in a bid to stay one step ahead.

“I lost count of how many of these I’ve cracked,” Xylitol said. “For a period that was daily and five or six per day, due to automatic ransomware update.”
Sometime around Sept. 14, 2011, the WinAd gang apparently decided it was losing the war, and called it quits. In closing a year-long discussion thread on the WinAd gang, Kernelmode.info moderator EP_XOFF wrote:

“Since September 11, their activity has decreased significantly. On September 14 the last known domain and redirector died. However, this may mean nothing. We continue to search.”

Another Kernelmode member, Nickvth2009, replied, “Let’s hope it will never come back.”

29/09/11

Apple blocks malware-as-PDF threat but new attack emerges

Summary: Even as Apple adds detection to block a Mac OS X malware threat, researchers find new Mac malware posing as a legitimate Flash Player installation package.


Apple has quietly added detection for the recent malware attack that used PDF files as lures to trick Mac OS X users into downloading a malicious Trojan dropper. 

The detection was added into the rudimentary XProtect.plist malware blocker built into Mac OS X.

The malware, flagged as a trojan dropper, installs a downloader component that downloads a backdoor program onto the system, while camouflaging its activity by opening a PDF file to distract the user.

However, in what has become a classic cat-and-mouse game, researchers have spotted a new Mac malware threat posing as a legitimate Flash Player installation package.

Related: Researchers find Mac OS X malware posing as PDF file

Intego explains the characteristics of the new threat:

Users visiting certain malicious websites may see a link or an icon to download and install Flash Player. Since Mac OS X Lion does not include Flash Player, some users may be fooled and think this is a real installation link. When they click the link, an installation package downloads, and, if the user is using Safari as their web browser, the Mac OS X Installer will launch. (Safari considers installer packages, with .pkg or .mpkg extensions, to be “safe” files and will launch them after download, if default settings are used.)

If the user proceeds with the installation procedure, the installer for this Trojan horse will deactivate some network security software, Intego said.

After installation, [it] will delete the installation package itself. The malware installs a dyld (dynamic loader) library and auto-launch code, allowing it to inject code into applications the user launches. This code, installed in a file at ~/Library/Preferences/Preferences.dylib, connects to a remote server, and sends information about the infected Mac to this server: this includes the computer’s MAC address, a unique identifier. This will allow the malware to detect if a Mac is infected.
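A defender-side triage check for the indicators in Intego's description, added here as an example and not code from Intego or the original post. It looks for the dylib path the article names and, as an assumption the article does not state, for a user LaunchAgent that injects a library through DYLD_INSERT_LIBRARIES; the home directory it scans is constructed sample data.

```python
import os
import plistlib
import tempfile

# Path named in the article. The LaunchAgent/DYLD_INSERT_LIBRARIES check
# below is an assumed injection mechanism, not one the article states.
SUSPECT_DYLIB = "Library/Preferences/Preferences.dylib"


def find_suspect_dylib(home):
    """Return the path of the article's dylib if present under `home`, else None."""
    path = os.path.join(home, SUSPECT_DYLIB)
    return path if os.path.isfile(path) else None


def find_injecting_agents(home):
    """List (plist_path, libraries) for LaunchAgents that set DYLD_INSERT_LIBRARIES."""
    agents_dir = os.path.join(home, "Library", "LaunchAgents")
    hits = []
    if not os.path.isdir(agents_dir):
        return hits
    for name in sorted(os.listdir(agents_dir)):
        full = os.path.join(agents_dir, name)
        if not name.endswith(".plist"):
            continue
        try:
            with open(full, "rb") as fh:
                agent = plistlib.load(fh)
        except Exception:
            hits.append((full, "unparseable plist"))  # report it, do not crash
            continue
        env = agent.get("EnvironmentVariables", {})
        if "DYLD_INSERT_LIBRARIES" in env:
            hits.append((full, env["DYLD_INSERT_LIBRARIES"]))
    return hits


def build_demo_home():
    """Create a constructed home directory that reproduces both indicators."""
    home = tempfile.mkdtemp()
    os.makedirs(os.path.join(home, "Library", "Preferences"))
    os.makedirs(os.path.join(home, "Library", "LaunchAgents"))
    open(os.path.join(home, SUSPECT_DYLIB), "wb").close()  # empty stand-in file
    agent = {"Label": "com.example.updater",  # constructed label, not a real one
             "ProgramArguments": ["/usr/bin/true"],
             "EnvironmentVariables": {"DYLD_INSERT_LIBRARIES": os.path.join(home, SUSPECT_DYLIB)}}
    with open(os.path.join(home, "Library", "LaunchAgents", "com.example.updater.plist"), "wb") as fh:
        plistlib.dump(agent, fh)
    return home
```

Run `find_suspect_dylib` and `find_injecting_agents` against a real home directory to triage a Mac; `build_demo_home` only exists to exercise the checks offline.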

The company said it has spotted this new malware in the wild but notes that it is not widely distributed.

27/09/11

USA Today's Twitter account falls foul of hackers

USA Today is the latest high profile Twitter account to have fallen victim to a group of hackers.

A group calling themselves the Script Kiddies have claimed responsibility for the hack, which involved posting a series of messages to the official USA Today Twitter account, including:
"Fox News, Wal-mart, Unilevel, Pfizer, NBC and now USA Today. who's next? Vote now! [LINK]"
and
"Please like The Script Kiddies on Facebook! You could choose our next target!"
Fortunately, USA Today was able to regain control of the account (with some assistance from Twitter) before any serious harm could be caused. The newspaper tweeted an apology to its followers:

USA Today apologised for the hack

The Script Kiddies group has previously claimed responsibility for hacking into the NBC News Twitter account to post fake news reports of a terrorist attack involving planes in New York, defacing Pfizer's Facebook page and breaking into the Fox News Politics Twitter account to post a bogus announcement about the death of Barack Obama.

It's unclear how the USA Today Twitter account was compromised, but there was speculation that the hack by the same group against NBC News's Twitter account was assisted by a spyware Trojan horse.

The Script Kiddies might believe that their hacks against media organisations are just childish pranks, but it's unlikely that the authorities find them amusing. The more social media accounts that they target, the more the computer crime police will be keen to bring them to justice.

As always, we recommend that social networking users ensure that they keep their security software up-to-date, choose hard-to-crack passwords and do not use the same password in more than one place.

nb : nakedsecurity.sophos

23/09/11

Researchers find Mac OS X malware posing as PDF file

Summary: The malware installs a backdoor that contacts a remote server for instructions and can be used to steal files or capture a screenshot of the infected computer system.


Researchers at F-Secure have discovered a Mac OS X malware file masquerading as a PDF file to lure users into installing a backdoor trojan.

The malware, flagged as a trojan dropper, installs a downloader component that downloads a backdoor program onto the system, while camouflaging its activity by opening a PDF file to distract the user.

According to F-Secure, the PDF file contains Chinese-language text related to political issues, which some users may find offensive.

Using a PDF file as a social engineering lure is a common trick among malicious hackers on the Windows platform, and F-Secure’s research team believes this is an attempt to copy the Windows trick of a file with a “.pdf.exe” extension and an accompanying PDF icon.

“The sample on our hand does not have an extension or an icon yet. However, there is another possibility. It is slightly different in Mac, where the icon is stored in a separate fork that is not readily visible in the OS. The extension and icon could have been lost when the sample was submitted to us. If this is the case, this malware might be even stealthier than in Windows because the sample can use any extension it desires,” the company said.


Once installed, the trojan dropper installs a backdoor program that gives a hacker full control of the infected Mac OS X machine.

The backdoor typically contacts a remote server for instructions and can be used to steal files or capture a screenshot of the infected computer system, which is then forwarded to the remote server.

F-Secure reports that the command-and-control of the malware is just a bare Apache installation that is not yet capable of communicating with the backdoor.

nb : zdnet

21/09/11

Spamvertised 'We are going to sue you' emails lead to malware

Summary: Security researchers from WebSense have intercepted a currently active and circulating malicious spam campaign.


Security researchers from WebSense have intercepted a currently active and circulating malicious spam campaign.

The spamvertised emails contain subjects and messages attempting to socially engineer users into thinking that spam is coming from their mailboxes, and that they face legal action:
In this campaign, emails are spoofed to appear as though they are sent from established companies. The emails even formally claim that legal action will be taken because of the spam you have sent. These emails with the fake warning even attach a ZIP file that contains a scanned copy of a document that is supposedly evidence of your spam.

- Spamvertised subjects include:
  • We will be impelled to sue you
  • We are going to sue you
  • We are suing you
  • You are sending add messages
  • A message from our security service
- Spamvertised body of the message:
Hello. Your email is sending spam messages. If you don’t stop sending spam, we will be impelled to sue you! We’ve attached a scanned copy of the document assembled by our security service to this letter. Please care carefully read through the document and stop sending spam messages. This is the final warning.
- Detection rate for the spamvertised malware.

Users are advised not to interact with suspicious emails, or spam emails in general.

nb : zdnet

Malicious spam campaigns proliferating

Summary: In a recent blog post, researchers from Commtouch have summarized their observation status, and pointed out that someone is actively building crimeware-friendly botnets.


With spam continuing to represent the distribution vector of choice for the majority of cybercriminals, it shouldn’t be surprising that the volume of malicious spam campaigns is proliferating.

In a recent blog post, researchers from Commtouch have summarized their observation status on the malicious spam campaigns from last month, namely, UPS/FedEx, Map of love and Hotel charge error and pointed out that someone is actively building crimeware-friendly botnets:
“Pre-outbreak levels varied between a few hundred million emails to around 2 billion per day.  The peak outbreak included distribution of nearly 25 billion emails with attached malware in one day.”
Malware campaigns have a cyclical pattern of distribution: cybercriminals constantly rotate and introduce new topics once the lifecycle of the previous campaign has reached the maturity stage. Meanwhile, users continue interacting with spam emails, clicking on links, downloading attachments and unsubscribing themselves, driving the success of spam in general.

Now that the cybercriminals have set up the foundations for their botnet aggregation practices by spamvertising billions of emails, it’s worth keeping an eye on the actual response rate of the command and control servers used in the campaigns in order to roughly estimate the damage caused by the campaigns.

nb : zdnet