STE WILLIAMS

Ukrainian cops silence old-skool virus tinkerers’ playground

Ukrainian cops have shut down a long-running malware exchange website frequented by old-school virus writers.

A message on the front page of the VX Heavens website announces that the site has been forced to shut up shop after the plods seized its servers last Friday as part of a criminal investigation. According to the shuttered site:

For many years we were tried hard to establish a reliable work of the site, which supplied you with a professional quality information on systems security and computer virology. We do always believed that a true research in any field (computer virology included) is only possible in the atmosphere of trust, openness and mutual assistance.

Unfortunately…

Friday, 23 March, the server has being seized by the police forces due to the criminal investigation (article 361-1 Criminal Code of Ukraine – the creation of the malicious programs with an intent to sell or spread them) based on someone’s tip-off on “placement into the free access malicious software designed for the unauthorised breaking into computers, automated systems, computer networks”.

The absurdity of such statement we need to prove in the court…

We are sorry, but until the case is still open we are unable to offer our services in any form.

VX Heavens, which bills itself as a vault of information, provided virus-writing tutorials as well as malicious code samples and other resources. The site had been running for many years prior to last week’s takedown operation.

The site was part of the old-school virus development scene and something of a throwback to days of old before profit-making Trojans dominated the malware landscape, according to anti-virus firms.

“The folks using the VX Heavens website were probably not in the same league as the financially-motivated organised criminals computer users are often troubled by today, and mirror rather more the hobbyist malware authors of yesteryear,” explained Graham Cluley in a post on the Sophos Naked Security blog.

“Nevertheless, it’s clear that the Ukrainian authorities didn’t like what they saw and have confiscated the website’s servers in their hunt for evidence of criminality. Let no one be under any illusions: malware creation and distribution of viral code has become a big concern for the-powers-that-be. It’s not a game anymore – if you play in this area, don’t be surprised if the authorities take a dim view,” Cluley added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/29/vxer_hub_takedown/

Kelihos zombies erupt from mass graves after botnet massacre

Security researchers have warned that the resurrected Kelihos botnet blasted off the face of the web yesterday is still alive.

Experts not involved in the blasting say the miscreants behind the network of compromised Windows computers are working on their comeback. The zombie PC army was walloped offline in September, they say, yet later resurfaced.

Seculert reports that Kelihos-B, which was distributed as a Facebook worm over recent weeks, is still active and spreading – even after the shutdown attempt by CrowdStrike and Kaspersky Lab this week.

Seculert views this botnet as the undead remnants of Kelihos-B rather than the spawn of a new variant of the malware.

The findings suggest that sink-holing 109,000 backdoored machines infected with the spam-spewing and credential-stealing Kelihos Trojan may not have disabled the entire bot network.

“Very little time passed yesterday [Wednesday] between action being taken against the second Kelihos botnet and the appearance of a new variant said to be spreading via Facebook,” commented David Harley, senior research fellow at antivirus biz ESET.

“For the time being, the teams involved in the partial disabling of the Kelihos botnet have implemented another pretty good temporary fix.

“Sink-holing has twice reduced the effectiveness of Kelihos botnets by effectively disabling and diverting communications from infected machines to a system that is now under the control of the ‘good guys’. However, there’s a significant risk that machines that are still infected are also likely to fall prey to a new Kelihos botnet, apart from the risks to currently uninfected machines.”

Harley added that the gang are in possession of the Kelihos source code, and can therefore tweak the malware to evade future attempts to neutralise it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/29/kelhios_bot_not_dead_yet/

ALL Visa cards blab punters’ names

Channel 4 News has been bothering contact-less bank cards again, and managed to wirelessly extract the customer’s name from ANY Visa-branded card within a few centimetres.

Previously the programme had only demonstrated the technique on Visa cards issued by Barclays, and not all of those.

However ViaForensics (the company hired by Channel 4 News to do the leg work) has today demonstrated that it can lift the customer’s name from any Visa-branded card.

That’s important because without the name even Amazon won’t process payments. Retailers generally check the CVV code (the three-digit number on the back), which isn’t stored on the card chip so it can’t be lifted, and reputable shops should check the cardholder’s address too. However Amazon was caught skipping both those checks when the telly newshounds probed earlier this week.

Barclays told the programme that sharing the name was in an early, but still valid, version of the proximity-payment standard. Barclays was an early adopter of pay-by-bonk tech, and claims that sharing the name isn’t a significant security risk anyway: “If a retailer is processing payments without CVV codes, the name isn’t probably going to make a lot of difference,” the bank claimed.

Channel 4 News will cover the story this evening, at 7PM BST but the details are already on its site. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/29/visa_cards/

Everything you thought you knew about cybercrims is WRONG

Assumptions about cyber-criminals are all wrong, according to a study that argues many fraudsters are middle aged and possess only rudimentary IT skills – contrary to the elite bedroom teen hackers portrayed in movies.

The research, led by criminologist Dr Michael McGuire of The John Grieve Centre for Policing and Security at London Metropolitan University, blames 80 per cent of cybercrime on your common-or-garden gangsters. Contrary to Hollywood film scripts, cybercrime is far from the preserve of tech-savvy youths – nearly half (43 per cent) of cyber-crooks are over 35 years old, and less than a third (29 per cent) are under 25.

More cyber-crooks (11 per cent) are over 50 than youngsters aged between 14 and 18, who make up only eight per cent of e-crims, according to the doctor and his team.

The study, sponsored by BAE Detica, is billed as the first comprehensive analysis of the nature of criminal organisations involved in e-crime. The document could help cops tackle banking fraud and other scams more effectively by challenging existing assumptions about the cyber-crook demographic.

The availability of crimeware, which can be easily distributed or purchased, means that everything from getting ready-made viruses that exploit the vulnerabilities of individual systems to running botnets of hijacked computers can be accomplished without any particular technical skills. Cyber-crooks are now just as likely to be street gangs, drug traffickers or established crime families as those traditionally associated with digital crime such as ID fraudsters or hacking syndicates.

The “deskilling” of cybercrime has allowed many traditional offline scams to be applied online. For example, money laundering has been extended to the creation of money mule networks to siphon funds from compromised web accounts, and the control of drugs markets has been applied in selling unlicensed medicines.

How many are in your gang?

Half the groups involved in cybercrime are made up of six individuals or more, with one quarter comprising 11 or more. However there’s little or no correlation between group size and the impact or scope of offending.

A small group of cyber-crooks can inflict huge financial harm against targeted institutions. And many cybercrime crews have been operating for months rather than years. A quarter (25 per cent) of active groups have operated for less than six months, the Organised Crime in the Digital Age study concludes.

The report reveals that certain clusters of criminal activity exhibit more organisation or structure than others on a spectrum that extends from decentralised swarms through to highly organised hierarchies. In some cases classic crime families have begun to move their offline activities into cyberspace – rubbing shoulders with extremist groups recruiting members online, and protesters coordinating riots using web tools.

Professor John Grieve, founder of the policing centre, commented:

To tackle the problem of digital crime and intervene successfully, we need to move away from traditional models and embrace this new information about how organised criminals operate in a digital context.

The research found evidence of many cases where there has been real success in closing down digital criminal operations. Growth in the digital economy will inevitably cause an increase in organised digital crime, however this need not be seen as an insurmountable problem. Rather, it is a predictable problem that – by better understanding the perpetrators and their working methods – we can meet head on.

The team of researchers who carried out the study combined seeking out information by hand with advanced search tools – such as Detica’s NetReveal Analyzer, a bit of gear designed to turn large amounts of structured and unstructured data into intelligence. Stage one of the research involved a review of evidence made up of over 7,000 documentary sources, including public and private documentation to analyse the technologies, activities, group characteristics and miscreants involved in cybercrime.

Then the team performed a demographic analysis of initial organisational patterns found in these sources, and compared the results with evidence from interviews with expert practitioners. Finally, a network analysis of the organisational patterns and activities that emerged at the earlier stages of the research process was carried out to arrive at the study’s final conclusions. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/29/cybercrime_myths_exploded/

NSA’s top spook blames China for RSA hack

The director of the US National Security Agency has named China as the country behind last year’s high profile hack against RSA that resulted in the extraction of data related to SecurID tokens.

The information extracted in the March 2011 hack was later used in an unsuccessful attack against Lockheed Martin. Other US defence contractors, including L-3 Communications, were also rumoured to have been targeted but this remains unconfirmed.

RSA offered replacement tokens in the wake of the attack, which relied on a combination of spear phishing and malware that exploited a zero-day Adobe Flash vulnerability. Art Coviello, RSA’s executive chairman, went as far as blaming the attack on two organisations from the same country last October without naming the prime suspects in the high-profile assault.

However National Security Agency director General Keith Alexander went further on Tuesday during testimony before the Senate Armed Services Committee and named China as the prime suspect behind the RSA hack. He went on to say China is stealing a “great deal” of military-related intellectual property from the US, Information Week reports.

China has long been the prime suspect in the RSA hack but has never been named as such until this week. General Alexander’s statement is another clear sign that US authorities are going beyond diplomatic channels in an attempt to shame China into cutting back on its widely reported cyber-espionage program.

China, for its part, routinely claims that it is more spied against than spying. Beijing can be expected to take a similar line over the latest accusations. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/29/nsa_blames_china_rsa_hack/

Sality botnet takedown plans posted online

Updated A self-described “law-abiding citizen” has posted attack plans against the Sality botnet on the Full Disclosure security mailing list, along with a tongue-in-cheek warning not to enact them since that would be illegal.

“It has come to my attention that it is not only possible but easy to seize control of version three of the botnet, and, more importantly, take it down. Sadly, doing so would require breaking the law. For this reason, I have to request that nobody perform the steps I am about to describe,” the author says, with more than a hint of irony.

The details of the plan are in an online archive and contain SQL injection tools that can be used to add a copy of an encrypted version of the AVG Sality removal utility into the botnet. It also has a Python script that, the author claims, will get an updated list of targets from the botnet’s P2P network. The author also suggests the paranoid should open the file via a locked down virtual system to avoid any possibility that this is a hoax designed to infect security researchers.

The posted plans are for attacking version three of the Sality code, but security companies report the botnet controllers have already started to upgrade to a new version, so even if the attack works, the effect would be muted. The current version installs a keylogger, VoIP cracking tools, spam relays, and some experimental malware combinations.

The Sality botnet is one of the bigger botnets, thought to be about the same size as Rustock, and was first spotted in June 2003, according to a recent white paper from Symantec. It was apparently named after the Russian town of “Salavat City”, although the command and control servers are thought to be in the US, UK, and the Netherlands.

There are removal tools out there for it, but some people aren’t using them. In terms of its hosts, Symantec reports over a fifth of the infected PCs that form the botnet are in Romania, with Brazil and India the next most common. ®

Update

An examination of the exploit package posted on Full Disclosure suggests it could work at taking down the Sality botnet, but could also be used to take it over and use it for other purposes.

“From what I’ve read, the attack looks valid, and if performed it’s likely that they would work – but whether it would be an efficient takedown or just give the operators a blip in the system I’m not sure,” Liam O Murchu, manager of operations for Symantec’s Security Response team, told The Register.

The attack seeks to inject a virus cleaning system into the botnet, essentially ordering it to wipe itself, but this isn’t necessarily the payload that could be used, he warned. If someone scripted their own attack code then it would be possible to take over those machines in the botnet and use them for any purpose. Stealing machines in this way is an increasingly common tactic in the malware industry, he said.

While there’s no way of knowing how many of the machines in the Sality botnet are still using the vulnerable version three of the malware, he cautioned against users taking the law into their own hands and attacking the botnet. The potential knock-on effects to infected systems and networks could be large and this kind of behavior has often caused more trouble than it solved in the past.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/28/sality_botnet_take_down_plans/

FBI nabs AWOL soldier for stealing Paul Allen’s debit card

An alleged US Army deserter has been charged with stealing the identity of Microsoft co-founder Paul Allen to run a bank fraud scam.

Brandon Price, of Pittsburgh, Pennsylvania, allegedly conned Citibank call centre workers into changing Allen’s address to that of Price’s modest home – as well as changing the phone number associated with his card – on 9 January. Days later he allegedly persuaded Citibank to send a replacement debit card in Allen’s name to the bogus address.

“An individual identifying himself as Paul Allen called the customer service department of Citibank. The caller stated that he had misplaced his debit card at his residence, but did not want to report it stolen. The individual then successfully ordered a new debit card on the account of Paul Allen and had it sent via UPS,” FBI agent Joseph J Ondercin explained in a criminal complaint (PDF).

The complaint fails to explain what personal information was used to successfully impersonate Allen. As a high-profile public figure, a great deal of personal information about Allen is in the public domain and his address and even social security number might not be hard to determine.

Citibank is defending its handling of the matter, pointing out the bank’s anti-fraud systems quickly spotted something was amiss and blocked further fraud. “Through our own security procedures, Citibank identified the actions of a fraudulent account take over and turned the matter over to law enforcement. We will continue to work with law enforcement in the ongoing investigation,” Catherine Pulley, a Citibank spokeswoman, told Wired.

Prosecutors allege Price used the debit card the same day UPS delivered it on 13 January to make a $658 payment into his Armed Forces Bank loan account before unsuccessfully attempting to use it to pay for the wire transfer of via Western Union and attempted purchases from Gamestop and Family Value stores in Pittsburgh. All three of the latter transactions were blocked.

Price, who has been absent without leave from the US Army since June 2010, faces wire fraud and bank fraud charges over the alleged scam. He’s been held in federal custody pending a trial, the date for which is yet to be set. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/28/microsoft_co_founder_id_theft_scam/

Staggering Kelihos zombie army smacked down AGAIN

A resurrected incarnation of the infamous Kelihos botnet has been taken out.

The takedown operation – mounted by Kaspersky Lab’s experts, along with the CrowdStrike Intelligence Team, Dell SecureWorks and members of the Honeynet Project – follows six months after the original spam-spewing and credential-stealing botnet was dismantled in September 2011.

The original takedown seemed to have only re-energised the cybercrooks involved in the creation of the original zombie network, who then used adapted strains of the original malware to create a botnet THREE times the size of the original monster, boasting a zombie army of 109,000 infected hosts.

By comparison the original Kelihos botnet, decapitated thanks to a collaboration between security experts at Kaspersky Lab and Microsoft, was estimated at having only 40,000 infected hosts.

Despite the commendable success of the latest Kelihos botnet decapitation exercise, the crooks behind the zombie network remain at large and might well try to resurrect the botnet once again, perhaps to even more devastating effect.

It’s back …

Kaspersky Lab researchers first warned in January that although the original botnet had been successfully neutralised and remained under control, a new zombie network based on similar malware had sprung up to take its place.

“Although the second botnet was new, the malware had been built using the same coding as the original Hlux/Kelihos botnet,” a statement by Kaspersky Lab explains. “This malware showed the second botnet had a few new updates, including infection methods and Bitcoin features for mining and wallet-theft. Similar to the first version, the second botnet also used its network of infected computers to send spam, steal personal data, and perform distributed denial of service (DDoS) attacks on specific targets.”

The second Kelihos (Hlux) botnet – which also featured significant changes in the communication protocol and new “features” like flash-drive infection – was disabled using a sinkholing operation that began last week.

Pwning our P2P pals

Both incarnations of Hlux/Kelihos were peer-to-peer (P2P) type botnets, which means every compromised machine on the network can act as a server and/or client. As such Kelihos was able to operate without central command and control (C&C) servers. To neutralise the more flexible P2P botnet, security experts first infiltrated the botnet with a network of machines under their control. These imposters then instructed infected hosts to look for instructions at a sinkhole under the control of security researchers, effectively rendering infected machines inert.

Over a short period, the sinkhole network increased its “popularity” in the network, which allowed more infected computers to be brought under Kaspersky Lab’s control, while preventing the malicious bot-operators from accessing them. As more infected machines were neutralised, the P2P architecture caused the botnet’s infrastructure to “sink” as its strength weakened exponentially with each computer it lost control of.

A few hours after security researchers started the takedown operation, around 21 March, the bot-herders tried to take countermeasures by rolling out a new version of their bot. However these attempts seem to have largely failed.

The sinkholing operation succeeded and the botnet has been rendered inoperable. With the majority of bots connected to the sinkhole, Kaspersky Lab’s experts ran an audit to determine the geographical locations of compromised hosts. Kaspersky Lab has counted 109,000 infected IP addresses, the majority of which were located in either Poland or the US. Most (84 per cent) of the infected machines were running Windows XP.

The original Kelihos botnet takedown operation in September 2011 also involved a sinkholing operation. Kaspersky Lab worked with Microsoft’s Digital Crimes Unit, SurfNET and Kyrus Tech to disable the original botnet. At that time, Kaspersky Lab executed a sinkhole operation, which disabled the botnet and its backup infrastructure from command and control servers.

More details on the latest Kelihos takedown operation can be found in a blog post by Kaspersky Lab here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/28/resurrected_kelihos_botnet_dismantled/

Europe to assemble crack cyber-intelligence nerve centre

Brussels hopes to establish a European Cybercrime Centre within the continent’s police agency Europol by the start of January.

The centre proposed by the European Commission will focus on thwarting online banking fraud, attacks against smartphones, and large-scale coordinated assaults on public services and infrastructure. Other priorities will include protecting social network profiles, halting ID theft and combating the sexual exploitation of children online.

National police agencies, government-run organisations and private sector technology firms across many countries are already grappling with these problems, of course. Eurocrats want the proposed anticrime squad to act as an intelligence and co-ordination hub, as explained in this statement issued on Wednesday:

The centre would pool European cybercrime expertise and training efforts. It would warn EU countries of major cybercrime threats, of new ways to commit online crimes and identify organised cybercrime networks and prominent offenders in cyberspace.

The centre would also be able to respond to queries from cybercrime investigators, prosecutors and judges as well as the private sector on specific technical and forensic issues. It would provide operational support in concrete investigations and help set up cybercrime joint investigation teams.

In related news, a European parliamentary committee put forward a draft directive on Tuesday calling for criminal laws against computer hacking to be enacted across all EU countries, with the maximum penalty set at two years or more, or at least five years if there are aggravating factors – such as financial motivation or attacks that cause widespread disruption.

The proposal also calls for measures to make companies liable for attacks carried out for their benefit and the outlawing of hacking tools.

One man’s hacking tool is another man’s penetration testing utility, of course. Fortunately the fine print of the proposals recognises this distinction, as explained in a blog post by Rik Ferguson of Trend Micro here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/28/eu_cybercrime_hub/

Privacy campaigner blasts FTC’s federal limpness

The American Federal Trade Commission (FTC) is making a mistake by leaving web and data companies to regulate themselves, privacy campaigner the Electronic Privacy Information Center (EPIC) said today.

Responding to the FTC’s report Protecting Consumer Privacy in an Era of Rapid Change (PDF) published yesterday, EPIC said the FTC “mistakenly endorses self-regulation and ‘notice and choice’” as the way to protect consumers from companies skimming their personal data.

The report (covered by The Register here) lays out the “best practice” it hopes companies will follow to protect data, and pushes hard on “Do Not Track” recommendations.

EPIC has clashed with the FTC before, over Google’s new unified privacy policy: EPIC claims that the FTC should have probed Google over the changes.

EPIC also said that the FTC should explain why it doesn’t use its Section 5 authority to enforce its decisions. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/27/ftc_report_relies_too_much_on_self_regulation/