Showing results for tags 'Banking'.
Reefa posted a topic in Security & Privacy News

A new and relatively rare Zeus Trojan program has been found which is totally different from other banking Trojans and has the capability to secretly steal data from forms, login credentials and files from the victim, as well as create fake web pages and take screenshots of the victim's computer.

Researchers at RSA Security's FraudAction team have discovered this new and critical threat, dubbed 'Pandemiya', which is being offered to cyber criminals in underground forums as an alternative to the infamous Zeus Trojan and its many variants, which most cyber criminals have used for years to steal banking information from consumers and companies.

The source code of the Zeus banking Trojan has been available on underground forums for the past few years, which led malware developers to design more sophisticated variants of the Zeus Trojan such as Citadel, Ice IX and Gameover Zeus. But Pandemiya is by far the most isolated and dangerous piece of malware, as the author spent a year writing the code for Pandemiya, which includes 25,000 lines of original code written in C.

Like other commercial Trojans, Pandemiya infects machines through exploit kits and via drive-by download attacks to boost the infection rate, exploiting flaws in vulnerable software such as Java, Silverlight and Flash within a few seconds of the victim landing on the web page.

"Pandemiya's coding quality is quite interesting, and contrary to recent trends in malware development, it is not based on Zeus source code at all, unlike Citadel/Ice IX, etc.," researchers from RSA, the security division of EMC, said Tuesday in a blog post. "Through our research, we found out that the author of Pandemiya spent close to a year of coding the application, and that it consists of more than 25,000 lines of original code in C."

The Pandemiya Trojan uses the Windows CreateProcess API to inject itself into every new process that is initiated, including Explorer.exe, and re-injects itself when needed.

Pandemiya is being sold for as much as $2,000 USD and provides all the nasty features, including encrypted communication with command and control servers in an effort to evade detection. The Trojan has been designed with a modular architecture to load more external plug-ins, which allows hackers to add extra features simply by writing a new DLL (dynamic link library).

The extra plug-ins easily add capabilities to the Trojan's core functionality, which is why the developer charges an extra $500 USD to get the core application as well as its plugins, which allow cybercriminals to open reverse proxies on infected computers, to steal FTP credentials and to infect executable files in order to inject the malware at start up.

"The advent of a freshly coded new trojan malware application is not too common in the underground," Marcus writes, adding that the modular approach in Pandemiya could make it "more pervasive in the near future."

The malware developers are also working on other new features to add reverse Remote Desktop Protocol connections and a Facebook attack module in order to spread the Trojan through hijacked Facebook accounts.

HOW TO REMOVE PANDEMIYA TROJAN

The Trojan can be easily removed with a little modification in the registry and command line action, as explained below:

1. Locate the registry key HKEY_LOCAL_USER\Software\Microsoft\Windows\CurrentVersion\Run and identify the *.EXE filename in your user's 'Application Data' folder. Note the name, and delete the registry value.
2. Locate the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls. Find the value with the same name as the *.EXE file in the previous step. Note the file name, and remove the value from the registry.
3. Reboot the system. At this stage Pandemiya is installed but no longer running.
4. Delete both files noted earlier. This will remove the last traces of the Trojan. Your system is now clean.

Stay Safe!

Source
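An added example, not part of the original post: a read-only PowerShell audit of the two persistence locations the removal steps name, so an analyst can confirm what is there before touching the registry. It assumes the per-user Run key is HKCU:\Software\Microsoft\Windows\CurrentVersion\Run and that the 'Application Data' folder is $env:APPDATA.

```powershell
# Audit script (added here; not code from the post or from RSA). Reports Run values that
# launch an .exe from the user's Application Data folder and any AppCertDlls value that
# shares its name. Assumes HKCU for the per-user Run key and $env:APPDATA for 'Application Data'.
$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appCertKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
$appData    = $env:APPDATA

# Step 1 of the post: Run values whose command line points into Application Data.
$suspectRun = @()
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
        $cmd = [string]$p.Value
        # Strip surrounding quotes and trailing arguments to isolate the executable path.
        $exe = ($cmd -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        if ($exe -like "$appData*" -and $exe -like '*.exe') {
            $suspectRun += [pscustomobject]@{
                ValueName = $p.Name
                Exe       = $exe
                Base      = [IO.Path]::GetFileNameWithoutExtension($exe)
            }
        }
    }
}

# Step 2 of the post: AppCertDlls values named like one of those executables.
$appCertValues = @()
if (Test-Path $appCertKey) {
    $acp = Get-ItemProperty -Path $appCertKey
    $appCertValues = @($acp.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })
}

$findings = @()
foreach ($s in $suspectRun) {
    $match = $appCertValues |
        Where-Object { $_.Name -ieq $s.Base -or $_.Name -ieq ($s.Base + '.exe') } |
        Select-Object -First 1
    $certName = $null; $certDll = $null
    if ($match) { $certName = $match.Name; $certDll = [string]$match.Value }
    $findings += [pscustomobject]@{
        RunValue     = $s.ValueName
        RunExe       = $s.Exe
        ExeExists    = (Test-Path -LiteralPath $s.Exe)
        AppCertValue = $certName
        AppCertDll   = $certDll
    }
}

if ($findings.Count -eq 0) { "No Run entries under $appData; nothing to cross-reference." }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated prompt so the HKLM key is readable; a row with both RunExe and AppCertDll populated is the pairing the removal steps describe, and nothing is deleted by the script.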
Reefa posted a topic in Security & Privacy News

Like most profitable criminal enterprises, the Shylock banking malware thrived because it was supported by a nimble infrastructure that allowed it to stay one step ahead of network and security monitoring capabilities, and the authorities. That race ended this week.

Europol announced today that it, along with numerous law enforcement and industry partners, had carried out a successful takedown of the Shylock infrastructure. The two-day culmination of the operation took place on Tuesday and Wednesday and was coordinated by the U.K.'s National Crime Agency and supported by Europol, the FBI, GCHQ in the U.K., and industry companies including Kaspersky Lab, BAE Systems Applied Intelligence and Dell SecureWorks.

"Law enforcement agencies took action to disrupt the system which Shylock depends on to operate effectively," Europol said in a statement. "This comprised the seizure of servers which form the command and control system for the Trojan, as well as taking control of the domains Shylock uses for communication between infected computers."

Few details were provided on the location of the command and control infrastructure, but Europol said it coordinated investigative actions with cooperation from authorities in Italy, the Netherlands, Turkey, Germany, France and Poland. CERT-EU, Europol said, was also instrumental in providing data on the malicious domains used by Shylock. No arrests were announced, though Europol said that previously unknown parts of the Shylock infrastructure were uncovered and additional law enforcement action may be upcoming.

"It has been a pleasure for me to see the international cooperation between police officers and prosecutors from many countries, and we have again tested our improved ability to rapidly react to cyber threats in or outside the EU," said Troels Oerting, head of the European Cybercrime Center at Europol. "It's another step in the right direction for law enforcement and prosecutors in the EU and I thank all involved for their huge commitment and dedication."

Major takedowns of botnets and other cybercrime operations are quickly becoming commonplace. Though usually not a permanent solution, takedowns such as this one and the recent Gameover Zeus takedown, which also impacted the Cryptolocker infrastructure, indicate improving cooperation between international law enforcement.

"The NCA is coordinating an international response to a cybercrime threat to businesses and individuals around the world," said Andy Archibald, Deputy Director of the NCA's National Cyber Crime Unit in the U.K. "This phase of activity is intended to have a significant effect on the Shylock infrastructure, and demonstrates how we are using partnerships across sectors and across national boundaries to cut cybercrime."

Shylock, like Zeus, targeted banking credentials. Victims were usually tricked or lured into clicking on a malicious link that infected computers with the Trojan. Shylock surfaced in 2011 and at first was limited to the U.K., but quickly expanded into a global operation concentrating on victims in Europe and the United States. Online banking customers were victimized by Shylock's man-in-the-browser style attacks against a predetermined list of as many as 60 banks. The Trojan would sniff out banking credentials and loot accounts.

"Banking fraud campaigns are no longer one-off cases. We've seen a significant rise in these kinds of malicious operations," said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab. "To fight cybercrime, we provide threat intelligence to law enforcement agencies all over the world and cooperate with international organizations such as Europol. Global action brings positive results – an example being the operation targeting Shylock malware."

Golovanov said in 2013 the number of cyberattacks involving malware designed to steal financial data increased by 27.6 percent to reach 28.4 million.

The attackers behind Shylock were also careful to hide their tracks. Like other similar malware, such as versions of PushDo, Zeus and TDL/TDSS, Shylock made good use of a domain generation algorithm to send stolen data back to the attackers. The DGA feature sidestepped detection and research efforts effectively, experts said.

One version of Shylock that surfaced in January 2013 was capable of spreading through Skype, in addition to network shares and even removable USB drives. Ultimately, Shylock could also steal browser cookies, use web injects on infected browsers and download and execute files on compromised machines.

This article was updated at 12:15 p.m. ET with comments from Kaspersky Lab.

Source