
The (not much) sensitivity of some

Yesterday we woke up to the sad news of Patrick Swayze's passing. However, some people were already prepared to do business with this event. I am not talking about journalists trying to be the first to report the actor's death. Spamdexing began from the moment of Mr. Swayze's death, as F-Secure reports, showing that in addition to committing fraud, some people are not very sensitive.

It seems that any method will do… Every interesting news item means an increase in risk, mainly from rogueware attacks combined with Search Engine Optimization, as happened with Michael Jackson's death, Obama's election, the 9/11 anniversary, and more recently with tennis star Serena Williams' incident at the US Open.

This kind of malware is currently positioned as an alternative to traditional spam, which doesn't really work anymore. Some time ago it was thought that all the data collected by profile harvesters would be useful, among other things, for producing better spam, customized to the victims' interests and written in their own language. However, this is what I find in a spam account:



Just the usual spam about social awareness, such as saving the Amazon. But don't be fooled: you can save the Amazon in many ways, like this one ;)


Miguel López-Negrete
S21sec labs





ENISA, collaborating with S21sec, warns of alarming increase in ATM crime

ENISA warns of alarming increase in ATM crime
Annual cash machine losses in Europe approach EUR 500 million: ENISA provides advice for consumers.

With the annual cost of ATM crime in Europe approaching half a billion Euros, ENISA, the European Network and Information Security Agency, is urging consumers to be more aware of the risks and take precautions to avoid personal loss. The rapid growth in the number of ATMs, combined with more sophisticated attacks and fraud, has resulted in an alarming 149% rise in ATM attacks in 2008.

These worrying findings, along with information and case studies highlighting the different ATM crimes and recommendations to help detect and prevent them, are published this week in a paper by ENISA in collaboration with S21sec, entitled ‘ATM Crime: Overview of the European situation and S21sec golden rules on how to avoid it’.

The number of ATMs in Europe increased 6% last year to almost 400,000, with many now found in remote site locations such as convenience stores, airports and petrol stations. Seventy-two percent of European ATMs are located in just five countries: UK, Spain, Germany, France and Italy.

Cash taken illegally from ATMs is still the preferred method for criminals, who obtain PINs using a wide range of techniques, from ‘shoulder surfing’ to complex skimming. This can involve the use of a small spy camera, a false PIN pad overlay and even fake machines, while increasingly Bluetooth wireless technology is used to transmit card and PIN details to a nearby laptop computer. During 2008 alone, a total of 10,302 skimming incidents were reported in Europe.

Other methods used to extract money include trapping and then retrieving users’ cards, stopping withdrawals in the middle of a transaction only to complete them when the victim has left and even trapping cash in the machine. Organised criminal gangs are also using sophisticated phishing techniques and hacking into bank computer systems and web sites to obtain PIN and account information.

ATM burglaries and physical attacks have also increased by 32% over the last 12 months, ranging from ram raids and explosions to the use of rotary saws, thermal lances and diamond drills.
“Looking ahead, ATM crime is likely to become even more attractive as the latest generation of ATMs is designed to dispense other services and products such as phone top ups and stamps. The first line of defence against ATM crime is increasing awareness of the risks so that users can take simple precautions such as shielding their PIN when entering it and by keeping alert to any signs of tampering or suspicious activity at an ATM.”

The paper published this week by ENISA recommends that further information and advice are provided nationally in EU Member States by banks, financial institutions, payment schemes and law enforcement agencies. As part of this process ENISA has drawn up its list of Golden Rules to offer maximum protection with minimum effort.

ENISA Golden Rules:

Choosing an ATM machine
  1. Don’t use ATMs with extra signage or warnings
  2. Try to use ATMs inside banks
  3. Don’t use freestanding ATMs

Physical surroundings
  1. Use an ATM which is in clear view and well lit
  2. Be cautious of strangers and check they are at a reasonable distance away

Making operations
  1. Pay careful attention to the front of the machine for tampering
  2. Pay attention to the card reader for signs of additional devices
  3. Look carefully for differences or unusual characteristics of the ATM’s PIN pad
  4. Look out for extra cameras
  5. Protect your PIN by standing close to the ATM and shielding the key pad
  6. Report confiscated cards immediately
  7. Beware of ATMs that don’t dispense cash and non-bank ATMs that don’t charge fees

Statement reviews
  1. Frequently review your account statements
  2. Report any suspicious activity immediately





Drive-by example

The unnoticed download attack, aka "drive-by download", was discussed on our blog in relation to how it works. But it's worth taking a short, closer look at how this kind of attack actually behaves on our machines.

The current techniques for delivering malware can be divided in two categories:

1. Social engineering techniques: used by attackers to convince visitors to download and run malware. We have all seen pages with doubtful "analysis" techniques informing us that our machine is full of viruses and that we urgently need to download some soft{mal}ware to clean it.

2. Browser vulnerabilities: the most complex method, and transparent to us, the users. This is the most common infection method, as the graphic below shows. Take a look at "All your iFRAMEs point to us" for more detail about this kind of attack and the underlying infrastructure.



The "Digital World, Digital Life" report shows that we spend almost 30% of our leisure time browsing the web. Imagine a normal situation: we are browsing our favourite news portal, click on a link to see the original source, then another to see the comments, and so on until we have visited several websites. One of the websites we have just visited left us a present, MADE BY THE BAD GUYS.

The following is a small real example of what happened on our 'controlled' machine simply by visiting a website carrying a drive-by download attack, with no human interaction at all. Remarkably, we spent barely 30 seconds on the site, and this is what happened:

1. The iexplore.exe process created the binary C:\WINDOWS\Temp\svhost32.exe
2. This binary modified various registry entries in order to:
   Disable the cache: "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache"
   Disable cookies: "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies"
   Disable history: "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History"
   Enable proxy browsing: "HKLM\SYSTEM\ControlSet001\Hardware Profiles\000\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable"
   Configure the proxy: "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer"
   And create the file: "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5 \1YMCNUWN\hosts[1].txt"

Finally, the binary c:\i1gb0a.exe was created, and this file in turn produced the sdra64.exe binary, for purposes that were not clear.
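The sequence above (a browser dropping an executable into Temp, proxy keys being set, cache/cookie/history folder keys being touched, a "hosts" file landing in the browser cache) is exactly what an analyst wants flagged when triaging a sandbox trace. The following is an added example, not code from the original post: a small detector run over a constructed trace in an assumed "kind|process|target" line format that mirrors the events listed above.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample trace in a "kind|process|target" format (an assumption for
# this example, not any real sandbox's output). The paths mirror those the post
# lists, plus one benign event at the end so the rules have something to ignore.
SAMPLE_TRACE = """\
proc_create|iexplore.exe|C:\\WINDOWS\\Temp\\svhost32.exe
reg_set|svhost32.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache
reg_set|svhost32.exe|HKLM\\SYSTEM\\ControlSet001\\Hardware Profiles\\000\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\ProxyEnable
reg_set|svhost32.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer
file_create|svhost32.exe|C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files\\Content.IE5\\1YMCNUWN\\hosts[1].txt
proc_create|explorer.exe|C:\\Program Files\\Internet Explorer\\iexplore.exe
"""

BROWSERS = {"iexplore.exe", "firefox.exe"}
TEMP_DIRS = ("\\windows\\temp\\", "\\local settings\\temp\\",
             "\\temporary internet files\\")
HOSTS_RE = re.compile(r"\\hosts(\[\d+\])?(\.txt)?$")  # hosts, hosts.txt, hosts[1].txt


def classify(kind: str, proc: str, target: str) -> Optional[str]:
    """Return a reason if the event matches one of the post's indicators, else None."""
    t = target.lower()
    if (kind == "proc_create" and proc.lower() in BROWSERS
            and t.endswith(".exe") and any(d in t for d in TEMP_DIRS)):
        return "browser launched an executable from a temp/cache directory"
    if kind == "reg_set" and "\\internet settings\\proxy" in t:
        return "proxy settings changed (browser traffic may be redirected)"
    if kind == "reg_set" and "\\explorer\\shell folders\\" in t:
        return "cache/cookies/history folder settings touched"
    if kind == "file_create" and HOSTS_RE.search(t):
        return "a 'hosts' file was fetched into the browser cache"
    return None


def scan(trace: str) -> List[Tuple[int, str, str]]:
    """Walk the trace and return (line number, process, reason) for each hit."""
    hits = []
    for n, line in enumerate(trace.splitlines(), start=1):
        kind, proc, target = line.split("|", 2)
        reason = classify(kind, proc, target)
        if reason:
            hits.append((n, proc, reason))
    return hits


if __name__ == "__main__":
    for n, proc, reason in scan(SAMPLE_TRACE):
        print(f"line {n}: {proc}: {reason}")
```

The benign last event (Explorer starting the browser from Program Files) produces no hit, which is the point of keying the first rule on the parent being a browser and the target living under a temp directory.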

All of this was created on our OS without our permission, while we were completely unaware of the underlying system changes. A full analysis of the attack, including the binary files and the network connections made, would take several hours of hard work and is out of the scope of this post.

The main purpose of this post is to make people aware of the prevalence of this kind of attack, especially the two main parties affected: us, the users, and the website owners who host this attack without being aware of it.

As Elvira pointed out in the "Drive-by downloads" post, avoiding adult content sites does not remove the probability of suffering this attack: any website could host it. One piece of advice that usually works is browsing the web with up-to-date software, so that these websites cannot exploit a vulnerability in the browser or in one of its plugins, which are the main attack vector for this kind of attack.

As for website owners: take care of your site's code, especially iFRAME tags. The logs and traffic stats are a good source for spotting strange patterns before someone complains that we are collaborating in spreading malware code, or, potentially worse, our reputation is tarnished.
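One way a site owner can act on that advice is to audit their own page source for iframes that look injected rather than legitimate. This is an added example, not code from the original post: it parses a constructed page (the .invalid domain is a placeholder) and reports iframes that point off-site, are sized 0 or 1 pixel, or are hidden by style.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed page source standing in for a site owner's own page (an
# assumption for this example). The second iframe shows the pattern to look
# for: off-site, 1x1 and hidden. The .invalid domain is a placeholder.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<iframe src="http://third-party.invalid/x.php" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>"""


class IframeAudit(HTMLParser):
    """Collect iframes whose attributes suggest an injection rather than a widget."""

    def __init__(self, own_host: str):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        # Relative URLs have no host and are treated as the site's own content.
        if host and host != self.own_host and not host.endswith("." + self.own_host):
            reasons.append("off-site src")
        if any(a.get(d, "").strip() in ("0", "1") for d in ("width", "height")):
            reasons.append("near-zero size")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")
        if reasons:
            self.findings.append((src, ", ".join(reasons)))


def audit_iframes(html: str, own_host: str) -> List[Tuple[str, str]]:
    """Return (src, reasons) for every suspicious iframe in the page source."""
    parser = IframeAudit(own_host)
    parser.feed(html)
    return parser.findings
```

Running `audit_iframes(SAMPLE_HTML, "example.com")` reports only the second iframe; the first one stays on the owner's own domain at a normal size and is left alone.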

Emilio Casbas
S21sec e-crime





Interview with the vampire

While we were analysing a sample of a trojan, an unexpected event suddenly occurred. The keyboard and mouse of the infected machine where the analysis took place came to life.
The first thought was that it was a problem with the keyboard, but after a few seconds it was clear: those characters were not random, as when a keyboard gets stuck. Somebody was typing a message into the debugger's window. It was like a ghost in the machine:



There was no doubt: the botmaster had been observing our infected computer and decided to contact us through the trojan. Remote control is one of the functionalities of this bot.

Taking advantage of the situation, we asked our strange visitor some questions. You can find a transcription of our chat with the trojan's author here:

[botmaster] why dont you stop this sh*t
do you want a little bit of help?
do you want me to explain how this plugin works?
it makes me laugh watching how you are trying to disassemble it during hours
of course, i am not going to send you the source code, sorry
[S21sec e-crime] how do you do with this trojan?
[botmaster] very bad, there are people attempting to catch and dismantle it
[S21sec e-crime] you always have a time window. no success?
[botmaster] no, unfortunately. the problem is the banks, not the trojan itself
[S21sec e-crime] if i am not wrong, it's a multi-banking trojan, isn't it?
[botmaster] depends on the configuration
[S21sec e-crime] is it your first banking trojan? have you made it from scratch?
[botmaster] not really. what i can tell you, it seems you have got the
idea how it works and no left much new thing to uncover. its pretty simple
well, apart of that, it allows you to control the PC like i do it now, nothing more.
[S21sec e-crime] do you have more trojans to set up a botnet? is it your first attempt?
[botmaster] right now i have 1500 online
[S21sec e-crime] and do you infect the machines or do you rent them?
[botmaster] well, i have to leave now, later we talk

Vicente Díaz, József Gégény
S21sec e-crime









© Copyright S21sec 2012 - All rights reserved

