Instant Messaging E-commerce Exploits



#1 TeMerc


    Countermeasures Team Leader


  • Malware Response Team
  • 215 posts
  • Location:PHX., AZ.

Posted 15 March 2006 - 10:14 AM

Well, after nearly 24 hours of nervous twitching and countless hours of tweaking and adding new info, PG finally got this article prepared and done. Turns out there was so much info, it will be broken up into two separate articles, the second of which wi enjoy the read.


by Chris Boyd, Security Research Manager; Wayne Porter, Sr. Director Greynets Research

Has it been too long? Withdrawal symptoms after the last bust? I can only apologise - but when you're defending the Net from Suckers (Kung-Fu style), sometimes you really have to deep-dive before you slam the bad guys in a ditch.

Usually I like to build up to the big payoff at the end of a lengthy tease. However, this bust is different so excuse me while I drop ninety tons of planet Earth on you.

We have, by means of a hot tip from a kickass guy named Rince, (and numerous chats since then...he social engineered those hax0rs good) found and analysed over 40 files, hunted down the connections between them all and uncovered a ring of Botnet herders using a custom built script that, powered by remote tools, scans vulnerable payment databases and attempts to steal customer details - names, addresses, credit card numbers - the whole nine yards. Even better, there is evidence to suggest this was being fired around...you guessed it, via Instant Messaging.

Source: VitalSecurity.org


Acting on an anonymous tip, FaceTime Security Labs researchers have uncovered two "botnet" networks that collectively represent up to 150,000 compromised computers, one of which is being used as a vehicle to fraudulently scan desktop and back-end systems to obtain credit card numbers, bank accounts, and personal information including log-ins and passwords. The operators could potentially launch these scans from any computer on the botnet to mask their actual location.

In addition, after systematic research of the various groups involved, we have uncovered a number of websites where up to forty (40) or more files are being shared around this community, and reworked for individual Botnets to push the problem even further. Commercially available remote admin tools (similar to the ones employed here) are used to gain complete access to the end-user's PC - files can be uploaded, downloaded, or whatever the Botmaster feels like doing with the machine.

However, what the Botnet master really feels like doing is downloading the payment database application to your PC, then scanning for misconfigured shopping carts using you as the fall guy.

Let us explain further...if an end user clicks on a malicious link passed to them via Instant Messaging, Remote Administration Server, a commercially available application produced by Famtech, is automatically installed via a "beh.exe". The install is designed to hide the application in the systray with no interaction from the end user. Once this application is installed, the end user's computer is compromised and can be accessed remotely with additional malware applications installed on the desktop.

Source: SpywareGuide


Look for more to come from Chris and Wayne on this in the near future as they provide even more chilling details on how the bot herders carry on their business of reaping in the money and ripping off even their own so-called business associates.


Moderator edit: added quotation notation to avoid confusion. jgweed

Edited by jgweed, 15 March 2006 - 11:56 AM.

Calendar of Updates
Malware Advisor Blog
HijackThis! Trusted Advisor
Ultimate Countermeasures Page
TeMerc Internet Countermeasures
Remember, you can NEVER be OVERPROTECTED!!!
Proud Member of the Alliance of Security Analysis Professionals

#2 TeMerc


    Countermeasures Team Leader

  • Topic Starter

  • Malware Response Team
  • 215 posts
  • Location:PHX., AZ.

Posted 16 March 2006 - 01:27 PM

The Digital Underground: Interview with RinCe
by Chris Boyd, Security Research Manager; Wayne Porter, Sr. Director Greynets Research

In Part 1, we looked briefly at the history of the attack and what the potential dangers were. This time round, we're talking to the individual who made the initial tip-off and assisted with gathering valuable intelligence, some of which has since been forwarded to the relevant Federal Authorities. If you're sitting comfortably, take a detour into the Digital Underground - keep your arms inside the booth at all times...

(Note - Paperghost is the online alias of FaceTime Security Research Manager Chris Boyd, RinCe is the individual who came forward with key intelligence and the chat was conducted via Instant Messaging).

Paperghost: Hi RinCe. We might as well go right to the beginning – have you always been into computers, or is it a recent thing?

RinCe : Basically, I’ve been brought up with computers all my life since I was 6, playing Warcraft II with my uncle on a LAN. I got into 'hacking' through leaving college - it was something to pass the time. I also hosted a few "hacker" websites for a short while and that got me interested in the scene. I grew out of it rather quickly as I had a taste of what it’s like to be on the receiving end of a hacker.


Paperghost: Really? What happened, did someone hack you?

RinCe: In a word, yeah. I know it sounds pathetic, but I lost my entire email account to a Trojan and lost 3 job interviews because I never got the Email back in time. It made me realise something so small can affect somebody's life like that in a major way.

Paperghost: …and that put you off the "scene", so to speak? I can imagine you'd be pretty wound up by that. We come across lots of people who got burned by either being a pusher or a victim, and it can have some pretty extreme effects.

RinCe: Yep, absolutely. So after that, I stopped the child’s play and that’s what leads to me reporting a group of hackers.

Paperghost: And just so people know, how did this come about initially?

RinCe: I was on Digg.com and was reading an article of yours, and saw the “Report a Sucker” button - I clicked and we got talking! At first, I was just reporting a Botnet that I knew about and the usual Adware stuff…

Full Interview @ SpywareGuide