Thursday, August 30, 2007

Article: A walk on the dark side

Found an interesting article on one of the world's worst companies, one that caters to crackers and spammers.
Article link from: economist.com
=============================================

A walk on the dark side

Aug 30th 2007
From Economist.com

These badhats may have bought your bank account

ACCORDING to VeriSign, one of the world’s largest internet security companies, RBN, an internet company based in Russia’s second city, St Petersburg, is “the baddest of the bad”. In a report seen by The Economist, VeriSign’s investigators unpick an extraordinary story of blatant cybercrime that implies high-level political backing.

In one sense, RBN (Russian Business Network) does not exist. It has no legal identity; it is not registered as a company; its senior figures are anonymous, known only by their nicknames. Its web sites are registered at anonymous addresses with dummy e-mails. It does not advertise for customers. Those who want to use its services contact it via internet messaging services and pay with anonymous electronic cash.


But the menace it poses certainly exists. “RBN is a for-hire service catering to large-scale criminal operations,” says the report. It hosts cybercriminals, ranging from spammers to phishers, bot-herders and all manner of other fraudsters and wrongdoers from the venal to the vicious. Just one big scam, called Rock Phish (where gullible internet users were tricked into entering personal financial information such as bank account details) made $150m last year, VeriSign estimates.

Plenty of other internet companies sail close to the wind—hosting unregulated online gambling for example. But according to a VeriSign investigator, “the difference is that RBN is solely criminal”. The pricing depends on the level of complaints. A discreet organisation pays little; one that attracts a lot of unwelcome attention, forcing RBN to take expensive countermeasures, has to pay more.

Despite the attention it is receiving from Western law enforcement agencies, RBN is not on the run. Its users are becoming more sophisticated, moving for example from simple phishing (using fake e-mails) to malware known as “trojans” that sit inside a victim’s computer collecting passwords and other sensitive information and sending them to their criminal masters.

A favourite trick is to by-pass the security settings of a victim's browser by means of an extra piece of content injected into a legitimate website. An unwary user enters his password or account number into what looks like the usual box on his log-in page, and within minutes a programme such as Corpse’s Nuclear Grabber, OrderGun and Haxdoor has passed it to a criminal who can empty his bank account. When VeriSign managed to hack into the RBN computer running the scam, it found accumulated data representing 30,000 such infections. “Every major trojan in the last year links to RBN” says a VeriSign sleuth.

RBN even fights back. In October 2006, the National Bank of Australia took active measures against Rock Phish, both directly and via a national anti-phishing group to which the bank’s security director belonged. RBN-based cybercriminals replied by crashing the bank’s home-page for three days.

What can be done? VeriSign has tracked down the physical location of RBN’s servers. But Western law enforcement officers have so far tried in vain to get their Russian counterparts to pursue the investigation vigorously. “RBN feel they are strongly politically protected. They pay a huge amount of people. They know they are being watched. They cover their tracks,” says VeriSign. The head of RBN goes under the internet alias “Flyman”; his uncle is thought to be a senior St Petersburg politician. Repeated e-mails to RBN’s purported contact addresses asking for comment have gone unanswered.

Companies can simply block access to any site registered at an RBN IP address. But that will not help most victims, such as those who receive infected e-mails. VeriSign says only strong political pressure on Russia will make the criminal justice system there deal with this glaring example of cyber-illegality.
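The one mitigation the article names is blocking traffic to netblocks registered to a hostile host. The script below is an added example of how a company might apply such a blocklist to its own proxy or firewall logs; it is not part of the Economist article or VeriSign's report. The netblocks are IANA documentation ranges and the log lines are constructed for illustration; the article gives no real RBN addresses and none are used here.

```python
"""
Added example (not from the article): check logged destination addresses
against a blocklist of netblocks and report the connections that matched.
All netblocks and log lines below are constructed for illustration.
"""
import ipaddress

# Constructed blocklist using IANA documentation/test ranges.
# A real deployment would load the ranges it considers hostile from a feed.
BLOCKED_NETBLOCKS = [
    ipaddress.ip_network("192.0.2.0/24"),        # TEST-NET-1
    ipaddress.ip_network("198.51.100.0/25"),     # lower half of TEST-NET-2
    ipaddress.ip_network("2001:db8:dead::/48"),  # IPv6 documentation range
]


def is_blocked(ip_text, netblocks=BLOCKED_NETBLOCKS):
    """Return True if ip_text parses as an address inside any blocked netblock.

    Hostnames and malformed strings are not matched: they return False so
    that the caller can resolve or discard them separately.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in netblocks)


# Constructed proxy log: "<timestamp> <client> -> <dest_ip> <dest_port> <url>"
SAMPLE_LOG = """\
2007-08-30T10:01:02Z 10.0.0.5 -> 192.0.2.77 80 http://192.0.2.77/login.php
2007-08-30T10:01:09Z 10.0.0.5 -> 93.184.216.34 443 https://example.com/
2007-08-30T10:02:11Z 10.0.0.9 -> 198.51.100.200 80 http://198.51.100.200/
2007-08-30T10:02:40Z 10.0.0.9 -> 198.51.100.12 8080 http://198.51.100.12/x
2007-08-30T10:03:00Z 10.0.0.7 -> [2001:db8:dead:1::5] 443 https://[2001:db8:dead:1::5]/
"""


def flag_blocked_connections(log_text, netblocks=BLOCKED_NETBLOCKS):
    """Return (timestamp, client, destination) for every line whose
    destination address falls inside a blocked netblock."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "->":
            continue  # not a connection record in the expected format
        dest = parts[3].strip("[]")  # IPv6 destinations are logged in brackets
        if is_blocked(dest, netblocks):
            hits.append((parts[0], parts[1], dest))
    return hits


if __name__ == "__main__":
    for ts, client, dest in flag_blocked_connections(SAMPLE_LOG):
        print(f"{ts} {client} contacted blocked address {dest}")
```

Note that 198.51.100.200 is not flagged even though 198.51.100.12 is: the constructed blocklist covers only the lower half of that /24, so the netmask, not the first three octets, decides the match. As the article points out, such blocking protects the corporate perimeter but does nothing for the home user who opens an infected e-mail.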




Sunday, August 26, 2007

Top 5 malwares

Current hot malware:
1. Virtumonde - This is the well-known mysterious little sucker that gives users fake alerts and popups advertising rogue antispyware products like Winantispyware 2007, DriveCleaner etc., informing users that their computer is not protected from a bogus virus.
The big issue with Virtumonde (aka Vundo, FakeAlert, Conhooks) is that every user has a different set of Virtumonde files, which means the threat can change file names and its content to avoid detection. I've heard Virtumonde can regenerate every hour into newer variants.

2. Adware.Agent variants - This is very similar to Virtumonde in behavior: this threat also causes popups urging users to buy bogus programs to clean up computer problems.

3. Maxifies & PurityScan - These also cause popups and usually hijack websites, redirecting to bogus sites like "Test your Internet Speed" or some "dating sites"; when the user clicks to continue to test their Internet speed or to find cyber lovers, their computer is hijacked and starts downloading heaps of malware. I usually find them through the many freebie sites offering ringtones, screensavers, wallpapers, games, mp3s etc.

4. Trojan.Popuper - This threat disguises itself as a video or audio codec. It usually invites users to porn, dating or free music/movie trailer sites, then informs them that their Windows is missing some essential video codecs to display the videos; after the user clicks to install the codecs, their PC is hijacked and displays heaps of popups, somewhat similar to the Virtumonde stuff (and they are usually bundled with Adware.Agent variants as well).
Myspace.com had this earlier, where hackers could set up bogus profiles on myspace.com and invite users to be friends.

5. Free game trojan - This can be very risky, as I have seen so many trojans bundled with free games & screensavers; I had a few MDT logs showing no sign of malware but free porn games or poker games. Many users with repeat detections also suffer from installed programs that keep re-inserting trojans onto the user's computer after scan & fix. This sort of problem can't be fixed completely without uninstalling the risky games.
