Archive for the ‘Malware’ Category

Top 10 Targeted Banks and Their Losses

Friday, May 26th, 2006

Secure Science Corporation released a graph from its surveillance of a carding forum that stole a minimum of 21,000 credit/debit cards over the past 3 months. The graph highlights the top 10 financial institutions and the amount of loss at each. According to the statute in the 9th Circuit, each card is valued at $500.00 on average, which conservatively means that one carding forum can cause over $10,500,000.00 in loss in 3 months.

Graph: Top 10 Banks

Average of 13,000 Stolen Logins Per Day Per Phishing Group

Monday, April 3rd, 2006

Brian Krebs’ SecurityFix Blog has an article describing the “real” numbers behind the data theft business. For his sample, he looked at only one phishing group’s haul and reported the numbers: over 13,000 logins stolen in one day, including 3,536 credit cards, 255 PayPal accounts, 1,038 eBay accounts, and 2,609 Hotmail accounts.

Recent Haxdoor Distribution Breaks SSL via Pharming

Tuesday, February 14th, 2006

Secure Science Corporation released an advisory regarding the fact that the latest pharming techniques used within malware have broken SSL. Chapter 5 of Phishing Exposed, a book by Lance James, who happens to work for Secure Science, demonstrated this technique as an upcoming threat that phishers would take advantage of. The report on how this SSL pharming attack occurs can be found on the advisories page at Secure Science.

IBM’s 2005 Global Business Security Index

Wednesday, January 25th, 2006

The Register has a story covering the release of IBM’s 2005 Global Business Security Index report, stating that “Global malware outbreaks decreased last year only to be replaced by smaller scale, stealthier attacks targeted at specific organisations or individuals, and designed to extract sensitive information. Financial gain has become the number one motive for hackers.”

IBM also predicts that in 2006 “Criminals will focus their efforts on convincing end users to execute the attack instead of wasting time in lengthy software vulnerability discovery.”

The story from The Register can be found here and another good review of the report from Technology News Daily can be found here.

CSRRT-LU Malware Contest

Wednesday, January 25th, 2006

Here’s an interesting event going on from CSRRT-LU:

Some time ago, we made the [[Honeylux]] contest and it was a very funny
and interesting contest. Now, inside various projects at CSRRT-LU, we
are collecting a lot of undefined malware. We would like to give the
ability to all the people that are interested to better understand
what malware is doing. So if you want to give it a try and maybe
win… just pick the following files and read the very basic rules.

=== The malware to be analyzed ===

* Files X
http://www.csrrt.org.lu/wiki/mlcontest/edb2ade8bca0a6b82b9d160ca40db8e5
- Checksum MD5 edb2ade8bca0a6b82b9d160ca40db8e5 (from automatic malware collection filename)
* Files Y
http://www.csrrt.org.lu/wiki/mlcontest/21dad79747a3293293366fe5234575eb
- Checksum MD5 21dad79747a3293293366fe5234575eb (from automatic malware collection filename)
* Files Z
http://www.csrrt.org.lu/wiki/mlcontest/76d49cddb57ff0703db82158e900f245
- Checksum MD5 76d49cddb57ff0703db82158e900f245 (from a Luxembourgish Honeynet)

=== Rules ===

You are free to use whatever tools or techniques you like, provided
that the jury is able to really interpret your results. Also provide
the names of the tools you used and how you used them. Nonetheless, you
should explain your tools and techniques in your analysis and cite
references to resources to allow others to learn by example.

You can enter submissions as a team, but there will only be one prize
given to the team, so it is up to you to decide how you share the
prize. :-))

All submissions must be timestamped prior to 15 May 2006 00:00 CET.

Submissions must be sent to malwarecontest@csrrt.org

Entries must be written in English.

Please keep in mind that the files are malware, so great care must
be taken when analyzing.

=== CSRRT-LU ===

CSRRT-LU is a computer security research and response team association
located in the Grand-Duchy of Luxembourg. CSRRT-LU engages in
advanced computer security development and research projects in order
to increase security awareness and advancement, especially in
Luxembourg but also on an international level. CSRRT-LU is in close
partnership with research institutes, the industrial sector and
governmental institutions.

CSRRT-LU provides a cooperative and virtual organization for working
with individuals, groups and industries. Everybody is welcome to
participate in the various research projects in computer
security. Please check the participation page for more information on
how to help.

CSRRT-LU is also organizing the hack.lu conference.

Emerging Threat (Berbew is Back!)

Friday, January 20th, 2006

From the bad ol’ days of phishing malware, Berbew (something seen mainly in ‘03 and ‘04) is back on the scene as a trojan and a worm. Either some group has made a variant with some complications to it, or they merely decided to get back in the scene and add some improvements. This version comes in 2 main parts: the worm to spread, and the trojan to steal. Here is my analysis of this so far:

Thanks to Jose Nazario for the samples!

History:
Drops C:\WINDOWS\system32\Jmlidaek.exe and
C:\WINDOWS\system32\Igikbo32.dll (this appears to be a mere file handler
API).
Registry value set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad,
IIDGHBEJ
Then Jmlidaek.exe drops C:\WINDOWS\system32\IIDGHBEJ.exe

IIDGHBEJ.exe is the worm, which propagates by attempting to
log into LAN IPC$ shares through port 445.
It looks like it binds an HTTP server onto the victim's port 80 and tells
the other computers to grab it from the previous victim.
The IIDGHBEJ.exe (worm) is scanning the 10/172/192 ranges.

The boot.sys file sets a new registry value:
HKLM\SYSTEM\ControlSet001\Control\Session Manager,
PendingFileRenameOperations

If a user logs into a bank, such as bankofamerica.com, the Jmlidaek.exe
(trojan) file will write a file to the system such as
C:\WINDOWS\system32\datkkq32.dll, which houses the logged data in this
format:

http://www.bankofamerica.com/ 0:ui_mode:question
5:Current_Passcode:234234234234 8:from:homepage 9:Customer_Type:CA
A:pmbutton:false E:id:******* F:rembme:Y 10:pc:******* 11:state:CA
12:country:null
13:links:https://boaccn.fnfismd.com/bankofamerica/ccn/ccnlogin.asp
14:links:/deposits/checksave/index.cfm?template=check_acct_choices
15:links:https://www.bankofamerica.com/deposits/checkorder/
16:searchCustom__passThrough:true 18:country:USA
19:mapAndList:mapAndList 1E:searchCustom__locationType:BANKINGCENTERS
1F:searchCustom__locationType:ATM |
SearchSearch | |Enter Online ID:|Save this online
ID|Enter Passcode:|Account in: the following geographical location|Sign
In | Service My Mortgage Online Investing Future Scholar
Military Bank OnlineGo |Open an Account| Checking
Accounts Savings Accounts CDs Credit Cards Mortgages Home
EquityGo |Account Services| Reorder Checks Set up direct
deposit Request a Check Card Link accounts Change Address Change Phone
NumberGo | |Address: |City: |or |ZIP Code: |Banking
CentersATMs |Go|More Location Search Options
https://onlineid.bankofamerica.com/cgi-bin/sso.login.controller
0:Access_ID:question 1:reason:reset_request_ca
3:reason:create_passcode_ca 5:reason:resetid_request_ca
7:Customer_Type:CA 8:INVALID_ID_COUNTER:1 9:portal:CA
A:server_check:false B:state:CA E:Cache:******* F:pmbutton:false
10:Access_ID:******* 11:rembme:Y 12:Current_Passcode:null
| | | |
|Enter Online ID:|(5 - 25 numbers and/or letters)|(5 - 25 numbers and/or
letters)| Save this online ID (How does this work?) |Enter Passcode:|(4
- 12 numbers and/or letters)|(4 - 12 numbers and/or letters)|Sign In
|Reset passcode |Forgot or need help with your ID?

This is pertinent to what Secure Science has seen in ‘03 and ‘04 with
Berbew log data (pslogs.txt).
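As an added example (not from the original post, and not Secure Science's or Berbew's code), the following Python parses the capture-log layout shown above so a responder can list, per targeted site, which credential fields were actually captured: each record starts with the target URL, followed by hex-indexed index:name:value form fields, followed by the |-separated page text. The field regex, the list of credential field names, and the embedded SAMPLE_LOG are assumptions and constructed data drawn from the layout of the dump, not real values.

```python
import re
from dataclasses import dataclass, field

URL_RE = re.compile(r"^https?://\S+$")
# One captured form field: <hex index>:<field name>:<value>, e.g. 5:Current_Passcode:...
FIELD_RE = re.compile(r"^([0-9A-Fa-f]{1,2}):([^:\s]+):(\S*)$")
# Field names treated as credentials (assumption drawn from the sample's field names)
SENSITIVE = {"id", "access_id", "current_passcode", "pc", "passcode", "password"}

@dataclass
class Capture:
    url: str
    fields: list = field(default_factory=list)     # (index, name, value) in log order
    page_text: list = field(default_factory=list)  # tokens from the first '|' onward

    def exposed(self):
        """Names of credential fields whose value was not masked, null or empty."""
        return [n for _, n, v in self.fields
                if n.lower() in SENSITIVE and v and v != "null" and set(v) != {"*"}]

def parse_berbew_log(text):
    """Split a capture log into records: URL, then index:name:value fields, then page text."""
    tokens = text.split()
    records, current = [], None
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        # A record starts with a URL that is immediately followed by a field token
        if URL_RE.match(tok) and FIELD_RE.match(nxt):
            current = Capture(url=tok)
            records.append(current)
            continue
        if current is None:
            continue  # stray text before the first record
        m = FIELD_RE.match(tok)
        if m and not current.page_text:
            current.fields.append((int(m.group(1), 16), m.group(2), m.group(3)))
        else:
            current.page_text.append(tok)  # fields stop at the first '|'
    return records

def triage(text):  # one (url, field count, exposed credential names) tuple per site
    return [(r.url, len(r.fields), r.exposed()) for r in parse_berbew_log(text)]

# Constructed sample in the same layout as the dump above; the values are fake.
SAMPLE_LOG = """\
http://www.example-bank.test/ 0:ui_mode:question 5:Current_Passcode:hunter2 E:id:jdoe
F:rembme:Y 12:country:null 13:links:https://www.example-bank.test/x | |Enter Online ID:|Sign In
https://onlineid.example-bank.test/cgi-bin/sso.login.controller 10:Access_ID:*******
12:Current_Passcode:null | |Enter Online ID:|Enter Passcode:|Sign In
"""
```

Running triage(SAMPLE_LOG) yields one summary tuple per captured site; a masked value such as ******* or a null passcode is not reported as exposed.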

The blind drop appears to be down but this malware was trying to POST
requests to www.vtb.ru/wcef.php

The dropped files appear to be packed with UPX and are trivially
accessible.

Please let me know if there is anything else you guys want detailed on this.

-Lance James