Skip navigation
Help

Spamming

warning: Creating default object from empty value in /var/www/vhosts/sayforward.com/subdomains/recorder/httpdocs/modules/taxonomy/taxonomy.pages.inc on line 33.

In "The anti-virus age is over," Graham Sutherland argues that the targeted, hard-to-stop attacks used by government-level hackers and other "advanced persistent threats" are now so automatable that they have become the domain of everyday script-kiddie creeps. Normally, the advanced techniques are only used against specific, high-value targets -- they're so labor-intensive that it's not worth trying them on millions of people in order to get a few more machines for a spam-sending botnet, or to extract a few credit-card numbers and passwords with a key-logger.

But all attacks tend to migrate from the realm of hand-made, labor-intensive and high-skill techniques to automated techniques that can be deployed with little technical expertise against millions of random targets.

Signature-based analysis, both static (e.g. SHA1 hash) and heuristic (e.g. pattern matching) is useless against polymorphic malware, which is becoming a big concern when you consider how easy it is to write code generators these days. By the time an identifying pattern is found in a particular morphing engine, the bad guys have already written a new one. When you consider that even most browser scripting languages are Turing complete, it becomes evident that the same malware behaviour is almost infinitely re-writeable, with little effort on the developer’s part. Behavioural analysis might provide a low-success-rate detection method, but it’s a weak indicator of malintent at best.

We’ve also seen a huge surge in attacks that fit the Advanced Persistent Threat (APT) model in the last few years. These threats have a specific target and goal, rather than randomly attacking targets to grab the low-hanging fruit. Attacks under the APT model can involve social engineering, custom malware, custom exploits / payloads and undisclosed 0-day vulnerabilities – exactly the threats that anti-malware solutions have difficulty handling.

This was the premise and theme of my novella Knights of the Rainbow Table (also available as a free audiobook). It's a funny old world.

The anti-virus age is over.

0
Your rating: None

A man who has won about $1.5 million in poker tournaments has been arrested and charged with running an operation that combined spam, Android malware, and a fake dating website to scam victims out of $3.9 million, according to Symantec.

Symantec worked with investigators from the Chiba Prefectural Police in Japan, who earlier this week "arrested nine individuals for distributing spam that included e-mails with links to download Android.Enesoluty—a malware used to collect contact details stored on the owner’s device," Symantec wrote in its blog.

Android.Enesoluty is a Trojan distributed as an Android application file. It steals information and sends it to computers run by hackers. It was discovered by security researchers in September 2012.

The suspect flagged as the "main player running the operation" is 50-year-old Masaaki Kagawa of Tokyo, president of an IT firm named Koei Planning and a poker player with success in high-stakes tournaments around the world.

Masaaki Kagawa wins a big pot in the Aussie Millions Cash Game Invitational a few years ago.

Kagawa has reportedly won about $1.5 million in tournaments dating back to 2008 (minus entry fees). His most recent score was a third place finish in the 2013 Aussie Millions Poker Championship in February, which netted him $320,000.

Kagawa was already under investigation while playing in that tournament. Symantec explains:

From our observations, the operation began around September 2012 and ended in April 2013 when authorities raided the company office. We confirmed around 150 domains were registered to host the malicious apps during this time span. According to media reports, the group was able to collect approximately 37 million e-mail addresses from around 810,000 Android devices. The company earned over 390 million yen (approximately 3.9 million US dollars) by running a fake online dating service called Sakura in the last five months of the spam operation. Spam used to lure victims to the dating site was sent to the addresses collected by the malware.

The malware allegedly used in this operation appears to share source code with Android.Uracto, a Trojan that steals contacts and sends spam text messages to those contacts. Scammers maintaining Android.Uracto have not yet been identified.

0
Your rating: None
Original author: 
Chauncey Plantains

0
Your rating: None
Original author: 
Dan Goodin

Wikipedia

Coordinated attacks used to knock websites offline grew meaner and more powerful in the past three months, with an eight-fold increase in the average amount of junk traffic used to take sites down, according to a company that helps customers weather the so-called distributed denial-of-service campaigns.

The average amount of bandwidth used in DDoS attacks mushroomed to an astounding 48.25 gigabits per second in the first quarter, with peaks as high as 130 Gbps, according to Hollywood, Florida-based Prolexic. During the same period last year, bandwidth in the average attack was 6.1 Gbps and in the fourth quarter of last year it was 5.9 Gbps. The average duration of attacks also grew to 34.5 hours, compared with 28.5 hours last year and 32.2 hours during the fourth quarter of 2012. Earlier this month, Prolexic engineers saw an attack that exceeded 160 Gbps, and officials said they wouldn't be surprised if peaks break the 200 Gbps threshold by the end of June.

The spikes are brought on by new attack techniques that Ars first chronicled in October. Rather than using compromised PCs in homes and small offices to flood websites with torrents of traffic, attackers are relying on Web servers, which often have orders of magnitude more bandwidth at their disposal. As Ars reported last week, an ongoing attack on servers running the WordPress blogging application is actively seeking new recruits that can also be harnessed to form never-before-seen botnets to bring still more firepower.

Read 9 remaining paragraphs | Comments

0
Your rating: None
Original author: 
Sean Gallagher

Original photo by Michael Kappel / Remixed by Aurich Lawson

Have a plan to steal millions from banks and their customers but can't write a line of code? Want to get rich quick off advertising click fraud but "quick" doesn't include time to learn how to do it? No problem. Everything you need to start a life of cybercrime is just a few clicks (and many more dollars) away.

Building successful malware is an expensive business. It involves putting together teams of developers, coordinating an army of fraudsters to convert ill-gotten gains to hard currency without pointing a digital arrow right back to you. So the biggest names in financial botnets—Zeus, Carberp, Citadel, and SpyEye, to name a few—have all at one point or another decided to shift gears from fraud rings to crimeware vendors, selling their wares to whoever can afford them.

In the process, these big botnet platforms have created a whole ecosystem of software and services in an underground market catering to criminals without the skills to build it themselves. As a result, the tools and techniques used by last years' big professional bank fraud operations, such as the "Operation High Roller" botnet that netted over $70 million last summer, are available off-the-shelf on the Internet. They even come with full technical support to help you get up and running.

Read 63 remaining paragraphs | Comments

0
Your rating: None
Original author: 
timothy

An anonymous reader writes "A new piece of malware propagating across Skype has been discovered that tries to convince the recipient to click on a link. What makes this particular threat different is that it drops a Bitcoin miner application to make the malware author money. While malware has both spread on Skype and mined Bitcoins before, putting the two together could be an effective new strategy."

Share on Google+

Read more of this story at Slashdot.

0
Your rating: None
Original author: 
Sean Gallagher

Over a year after the arrest of eight of its members in Russia, the alleged leader of the original Carberp botnet ring that stole millions from bank accounts worldwide has been arrested, along with about 20 other members of the ring who served as its malware development team. The arrests, reported by the news site Kommersant Ukraine, were a collaboration between Russian and Ukrainian security forces. The alleged ringleader, an unnamed 28-year-old Russian citizen, and the others were living throughout Ukraine.

Initially launched in 2010, Carberp primarily targeted the customers of Russian and Ukrainian banks and was novel in the way it doctored Java code used in banking apps to commit its fraud. Spread by the ring through malware planted on popular Russian websites, the Carberp trojan was used to distribute targeted malware that modifies the bytecode in BIFIT's iBank 2 e-banking application, a popular online banking tool used by over 800 Russian banks, according to Aleksandr Matrosov, senior malware researcher at ESET. The botnet that spread the malware, which was a variant of the Zeus botnet framework, also was used to launch distributed denial of service attacks.

In February of 2011 the group put its malware on the market, selling it to would-be cybercriminals for $10,000 per kit—but it pulled the kit a few months later.

Read 1 remaining paragraphs | Comments

0
Your rating: None
Original author: 
Dan Goodin

Aurich Lawson / Thinkstock

Tens of thousands of websites, some operated by The Los Angeles Times, Seagate, and other reputable companies, have recently come under the spell of "Darkleech," a mysterious exploitation toolkit that exposes visitors to potent malware attacks.

The ongoing attacks, estimated to have infected 20,000 websites in the past few weeks alone, are significant because of their success in targeting Apache, by far the Internet's most popular Web server software. Once it takes hold, Darkleech injects invisible code into webpages, which in turn surreptitiously opens a connection that exposes visitors to malicious third-party websites, researchers said. Although the attacks have been active since at least August, no one has been able to positively identify the weakness attackers are using to commandeer the Apache-based machines. Vulnerabilities in Plesk, Cpanel, or other software used to administer websites is one possibility, but researchers aren't ruling out the possibility of password cracking, social engineering, or attacks that exploit unknown bugs in frequently used applications and OSes.

Researchers also don't know precisely how many sites have been infected by Darkleech. The server malware employs a sophisticated array of conditions to determine when to inject malicious links into the webpages shown to end users. Visitors using IP addresses belonging to security and hosting firms are passed over, as are people who have recently been attacked or who don't access the pages from specific search queries. The ability of Darkleech to inject unique links on the fly is also hindering research into the elusive infection toolkit.

Read 14 remaining paragraphs | Comments

0
Your rating: None