Friday, November 02, 2007

Metaphisher Malware Kit Spotted in the Wild

Such crimeware botnet C&Cs, made up entirely of PCs infected with banker trojans, should depress every financial institution's PR department, which tends to talk about SSL as the cornerstone of secure e-banking more than it should, while forwarding the responsibility for fraud prevention to the SSL-secured customers under the umbrella of a signed e-banking contract. A "no anti-virus software, no e-banking for you" mindset is greatly desired, if only to slow down the emergence of such banking malware botnets. When you come across something like this, you get the cyber shivers, as it's built for massive banking fraud in a typical malicious economies-of-scale fashion. Once success is anticipated in the form of infecting as many PCs as possible, methods to streamline efficiency start emerging.

As I've pointed out before, one-time passwords in everything and two-factor authentication are marketable, yet the authentication process is not what malware authors excel at breaking, as they don't even have to break it. They "form grab" and "session grab" efficiently in Nuclear Grabber style, the 1.0 version of the currently emerging e-banking malware.

Another related post on FortifySoftware's blog wisely debunks the notion that online banking is safer than physical banking, as an executive had tried to convince them.

Yahoo Messenger Controlled Malware

IM me a command, master. In the spirit of a previous post, DIY Exploit Embedding Tools - a Retrospective, here's a very good example of malicious innovation in action: a trojan whose client is an instant messaging application, Yahoo Messenger in this case. Released in the middle of 2006, this malware, which now has a nearly 100% detection rate among anti-virus vendors, doesn't need any client other than Yahoo Messenger to control the infected PC, making it a good example of malicious innovation and "creativity" in action. Key points:

- it's released by an Iranian group
- it's localized in 11 languages; MPack and IcePack are thankfully lagging behind, at least so far
- instead of trying to figure out how to connect to the infected host's IP behind a now-standard NAT implementation, the trojan only needs a Yahoo ID to use as a robot ID
- it's a great example of how IM applications can be used for propagation, infection, and apparently C&C purposes

And just when I thought I'd seen everything, in the sense of botnets obtaining their commands using ICQ whitelists, and Storm Worm malware waiting for the infected party to authenticate via CAPTCHA and then embedding a link to itself at a forum/blog, given that it cannot bypass the CAPTCHA itself, malicious parties innovate again with an analogy of reCAPTCHA in the form of TROJ_CAPTCHAR.A. This is more or less the logical development I mentioned in previous posts discussing how Spammers and Phishers are Breaking CAPTCHAs and a specific DIY CAPTCHA Breaking Service in question.