Malware, download the money!

Teacher

Hello, cyberstalkers! Hello, random carders. Today's computers and smartphones store real money. Well, let them not be stored, but access to them is quite guaranteed! Therefore, we are now seeing that the good old methods, such as blackmail, extortion and fraud, are showing themselves at a new technological level. Meanwhile, we have a big review of modern malware that squeezes money from users.

Go:

As you know, the days of ideological virus writers have sunk into oblivion, capitalism has arrived in individual countries, and malicious code is now written almost exclusively on a commercial basis. Of course, the ideological people remain, but they are more likely suppliers of interesting tricks and ways to bypass the security mechanisms of the Windows operating system, and other, more cunning people implement these developments in their malicious creations.

Harmfulness can be, so to speak, direct and indirect. Some Trojans focus on monetizing the hardware resources and computing power of end users. These include: organizing proxy and DDoS attacks, sending spam, bitcoin mining, cheating site visits (black SEO), clicking on advertising banners (click fraud). A prominent representative of the group is ZeroAccess. These malicious programs do not cause direct damage to the user. The only problems caused by such malware are computer slowdowns and crashes. And in modern conditions, when the computing power has become quite large, the user may not even suspect that his computer has become part of a botnet.

Other malware representatives cause significant harm to the user, including financial damage. This category includes: ransomware, which comes in two varieties — lockers and encoders, although in recent years the boundaries between them have blurred; fake antiviruses that demand money for their installation (this falls into the "fraud" category); and malware designed to steal user credentials, including those for remote banking service (RBS) systems — the "classic" members are Zeus and his followers, SpyEye and Citadel.

As you can see, shadow runner, law enforcement interest in these malware groups will vary. There is little interest in the first group, and a lot of interest in the second, since in the first case the user will at most reinstall the OS, and in the second case they will run to the police with a report. There is an opinion that in this way some Trojan makers try to draw less attention to themselves and their crafts.

Further, some representatives of the second group will be considered.

There is a third group — spyware, both broad (spyware) and special (APT) orientation. This topic is now actively supported by all antivirus vendors, but this usually does not apply to ordinary users. In this case, monetization is achieved by the fact that such Trojans extract confidential information, for which customers are willing to pay a tidy sum.

It is alarming that many European firms (Gamma Group, Hacking Team) openly offer services for the mass installation of so-called "state" Trojans, which on paper are intended for law enforcement officers and special services, but in fact can be used by anyone who has the appropriate financial means. According to McAfee, the developers of the Citadel Trojan, which has already become a "classic", have now "gone into the shadows", and they began to introduce spy modules, and, apparently, also began to offer their services to government and commercial organizations engaged in obtaining information on the Internet.

That's all for now, cyberborn. See the continuation of this article on the channel a little later. Stay tuned. Then it will be even more interesting.


Continuation of the big Malware FAQ. Whoever hasn't read it yet, read the beginning on the channel above. Something that will be useful for us to earn money (for some people, for sure).

Go:

Winlockers are such winlockers
They first appeared in late 2007. They were widely distributed in the winter of 2009-2010; according to some reports, millions of computers were infected, mainly among Runet users. In the simplest case, after loading the OS or even before it (there were also such instances), a beautiful window was shown with the requirement to send a certain amount to attackers in any way in exchange for an unlock code. General advice from employees of antivirus companies — do not pay anything! The time of "honest" winlockers, which contain the functionality of auto-deletion by code, has long passed, and now this niche of cybercrime has been chosen by kids with exorbitant ambitions.

Numerous forums were filled with posts with generators and source codes of lockers. Here, for example, is a piece of art that you can't look at without laughing: Winlock by DragonGang. The size of the masterpiece is amazing — as much as seven meters! Written in the Delphi 7 environment. The unlock code 141989081989 is stored in the executable file in clear text. There is an opinion that the text was deliberately written in the style of the unforgettable Jamshut, and the author was promoted across the entire Internet because of this (including in this article).

In the meantime, while schoolchildren are hoeing the Slavic audience, "merchants" from the Trojan world are flooding abroad with winlockers. There is even a special term — multilocker. This is a locker that initially does not contain any resources — inscriptions, images, etc., but downloads them from the command center of intruders, while the downloaded content depends on the country, which is determined by the IP address. The main topic of multilockers is accusing the user of viewing pornographic materials with the participation of minors; you know yourself, this is strictly dealt with abroad. At the same time, as evidence, the victim is shown the pictures allegedly viewed by her, as well as the names, dates of birth and place of residence of the minors depicted in the photo. Recent developments have taken into account the mass distribution of laptops, which almost always have a built-in webcam: the user is filmed and then shown a photo, which further enhances the effect of the presence of Big Brother, that is, surveillance by the FBI or some other law enforcement organization.

Or here's a trick: scanning the history of visited sites in the browser. It's no secret that most of the world's male population periodically, ahem, admires naked women from the Internet. Therefore, when the user has a splash screen about the fine with the symbols of Interpol and a list of visited "hot spots" on the Internet, he does not have even a shadow of doubt that this is true.

Thus, the winlocker market was segmented: on the one hand, there are scriptkids with kulhatskers, on the other, "veterans" of Trojan writing, writing multilockers in the manner of botnets with their own control centers.

Gapz, one of the most complex and most professionally written bootkits, also has quite a lot of malicious locker modules in its arsenal. A component with this functionality checks the location of the infected computer by its IP address, and if the victim lives in Western Europe or America, the system is blocked and a window is displayed with a request to transfer a certain amount to the specified account. What distinguishes this locker is that it intercepts an image from a webcam connected to an infected computer and shows it in a window with a payment request (no wonder my camera is covered with electrical tape. I'm serious. — Editor's note).

A special feature is lockers that block access not to the operating system, but to any popular resources from the browser. In April, there was a flurry of requests from users about the inability to log in to the sites VKontakte, Odnoklassniki and Mail.ru. Instead of the corresponding Internet resources, the browser window displayed web pages with a message that the user's profile was blocked due to suspected hacking of the account, and a suggestion to enter their phone number. After entering the number, a code is sent in an SMS, which the user again must confirm via SMS. In fact, a certain amount of money is charged for sending this SMS. During the proceedings, it was established that all this is the trick of malware replacing the system file rpcss.dll with its malicious code.

ESET defines this threat as Win32/Patched.IB. The malware spoofs DNS queries, returning the IP addresses of servers controlled by attackers that contain web pages that mimic the target resource — vk.com, odnoklassniki.ru, mail.ru. The correct URL is displayed in the browser's address bar. Most antivirus products don't have a correct treatment method for all the numerous Win32/Patched.IB modifications at the time of writing. For manual treatment, you need to take a clean rpcss.dll, boot from a LiveCD and replace the malicious library with it. The original version of rpcss.dll must match the version, bit depth, and installed service packs of the installed Windows (Patched.IB works successfully in both XP and Seven, including x64).

Other threats of this type include the appearance of another modification of the Mayachok Trojan family. According to Dr.Web antivirus analysts, Trojan.Mayachok.18607 is a completely independent version written "based on motives". The logic of Trojan.Mayachok.1, which was widely distributed in the second half of 2011, was taken as the model for imitation. Trojan.Mayachok.2, which has bootkit functions, is currently in use. A characteristic feature of the Trojan.Mayachok family is the use of web injections.

We are enlightened, running in the shadows. And all those who are just starting on this difficult, but very exciting and profitable path. Continuation of this article on the channel a little later. Stay tuned.
Teacher

Continuation of the big Malware FAQ. Whoever hasn't read it yet, read the beginning on the channel above. Something that will be useful for us to earn money (for some people, for sure). But to know about such things in our difficult times is simply necessary for any self-respecting Internet user.

Go:

Pathetic GPCode followers

Cryptographers are probably the most unpleasant thing that you can pick up on these Internet sites of yours. All files of certain types, such as photos or Microsoft Office documents, are encrypted, and money is demanded for the decryption key. This problem is very relevant for small commercial firms that work with accounting using 1C products — especially since the concept of security in such offices, as a rule, is completely absent.

Trojan Ransom.Win32.Xorist cryptographers (in Kaspersky Lab's terminology) are now the most common cryptographers among Russian-speaking users. An English-language version is also available. If Xorist is successfully triggered, the user will see a cheerful text with the following content:

"FIFTEEN MEN FOR A DEAD MAN'S CHEST! Hi! People! Komon on board our "Flying Dutchman". Your computer is being boarded by a team of Somali pirates. Your files are encrypted by our marine cryptographer Bazon Hicks. If you are a wise and not a miser, not a crazy deputy from the LDPR faction, then we are ready to exchange your precious information for pathetic pieces of paper called grandmothers. Believe me, loot is evil — give it to us. Greedy and inadequate types are thrown overboard. Fun and resourceful discounts. You have three days before the ship sails. For negotiations, we are going to the mess hall, SOS to the soap Company number <CODE> <CODE><E-MAIL>"

As you can see, the guys have a sense of humor. The dominance of Xorist is explained by building it using a builder that is easily accessible to greedy kids.

Here is another sample message from ransomware (Trojan.Encoder.205 and Trojan.Encoder.215):

All important data on this computer (documents, images, databases, mail correspondence, etc.) is encrypted using a unique cryptographic algorithm. Without special software, decrypting a single file using the most powerful computers will take about a year. In order to make encrypted files available for further use, you need to contact a specialist by e-mail: [email protected]. The response time can be up to 12 hours. Reinstalling the operating system won't help. An antivirus scan of files may damage them. Any change in the file structure will not allow you to restore it. If you receive threats to our address, your data will not be decrypted. Please note that files can only be decrypted using special software that only we have.

Infection with Trojan.Encoder.205 and Trojan.Encoder.215 occurs through mass distribution of e-mail messages (spam). The cryptographer's executable file, named update.exe (written in Delphi), is hosted on remote servers; the shellcode that loads this file is located in a malicious Microsoft Word document and exploits the CVE-2012-0158 vulnerability to launch it.

Individual developers show a little more ingenuity in the implementation of their ideas. This year, Dr.Web specialists recorded many cases of users in France and Spain being infected with the ArchiveLock.20 Trojan. For encryption, it has on board the console version of WinRAR, with which it creates password-protected self-extracting archives with user files from a pre-compiled list. The password can be more than 50 characters long. Source files are cleared from Yandex.Disk so that they cannot be restored. Cybercriminals are incredibly impudent and demand $5,000 for decryption. ArchiveLock is distributed through bruteforce attacks on the RDP protocol.

To decrypt your precious files, you need to contact the specialists of antivirus companies. Domestic firms do this on a free basis and constantly release updated versions of decryptors for certain types of threats. Unfortunately, some of their types, such as GPCode, were too tough for them.

The 2011 version of GPCode can be considered a kind of "benchmark". It uses the Windows Crypto API and encrypts user files with a random 256-bit AES session key. The session key is stored in encrypted form, encrypted with a 1024-bit RSA public key located inside GPCode. To make it impossible to restore them using utilities such as PhotoRec or GetDataBack, encrypted data is written directly to the source file. This trick also makes it difficult to use the plaintext attack method, which consists in determining the session key based on a pair of files — the original and the encrypted one.

To decrypt it, you need to transfer a certain amount of money using the details left by the attacker and send him this encrypted session key. It is decrypted using the private key (located in the attacker's possession) and sent back to the user, after which the files will be successfully decrypted. The only reliable protection against the impact of such programs is file backup. It is worth noting that the author of GPCode has been improving his brainchild since 2004! During this time, the code has come a long way from using "self-made" encryption algorithms to using fairly strong RC4 and AES algorithms in conjunction with RSA, which all IT specialists in the world cannot crack (yet).

In light of this, it becomes unclear why cryptographers of our time, such as Xorist, also use their own "mega-developments". It can be seen that modern cryptography, coupled with the need to use the Windows Crypto API or the free implementation of OpenSSL cryptographic functions, is not given to the current generation of coolhackers who have just discovered the logical XOR function.

We are enlightened, running in the shadows. And all those who are just starting on this difficult, but very exciting and profitable path. Continuation of this article on the channel a little later. Stay tuned.

The final part of the big Malware FAQ. Whoever hasn't read it yet, read the beginning on the channel above. Something that will be useful for us to earn money (for some people, for sure). But to know about such things in our difficult times is simply necessary for any self-respecting Internet user.

Go:

Attacks on RBS systems

The very idea of Trojans stealing the credentials of RBS users is not new. To counteract them, two-factor authentication technology was invented. Many people probably know what it is, but for those who do not know, we will explain — in addition to the username and password, an additional element is used, which is a special code (the so-called mTAN — mobile transaction authentication number), which is sent in an SMS.

However, the methods of identity theft are becoming more sophisticated every year. The rapid development of technology, in particular the mass distribution of smartphones, plays into the hands of attackers and creates loopholes to bypass two-factor authentication. The Zeus and SpyEye families became pioneers in this business.

How it works:
  1. A personal computer is infected in some way — for example, through a PDF or doc file sent by mail.
  2. When a user logs in to the bank's website, the Trojan modifies the HTML page on the fly directly in the browser using web injection and adds the fields "Mobile Phone number" and "Mobile OS version" (Android, BlackBerry, iOS, Symbian or other).
  3. After the user enters the data, it is sent to the attackers' command server.
  4. The user receives an SMS with a link to the app for their phone. In the terminology of antivirus firms, the applications were named ZitMo (Zeus-in-the-Mobile) and SpitMo (SpyEye-in-the-Mobile), and a little later CitMo (Carberp-in-the-Mobile) joined them.
  5. Once secured on the smartphone, the attackers have everything they need — a username, password, and SMS delivery channel with a code, and the transaction request is sent to the bank.
  6. The bank sends you an SMS.
  7. The Trojan in the smartphone secretly, without showing the user, sends to the command center the mTAN received in SMS, with which the attackers confirm the transaction.
There may be variations in the scheme. For example, a link to the mobile version of the malware can be embedded directly into the bank's page in the form of a QR code. Also, some banks fix the client's IP address, and in this case the transaction is initiated by a Trojan from an infected machine, which acts as a kind of proxy. By the way, two-factor authentication is more common in Europe than in America, so ZitMo and SpitMo are more focused on the European Union. In contrast, CitMo and Carberp itself were aimed at users from Russia.

As one of the latest high-profile cases involving the withdrawal of funds, we can recall the Eurograbber campaign, disclosed at the end of 2012. According to a report by Check Point Software Technologies and Versafe, funds worth about 36 million euros were stolen from more than 30 thousand corporate and private bank accounts. During the Eurograbber campaign, another modification of Zeus was used, paired with ZitMo.

Among the latest innovations in the field of banking Trojans, experts note the appearance of a new version of the Gozi Trojan in the spring of 2013. The latest version of it, discovered by Trusteer employees, contains the functionality of an MBR bootkit. The component launched by the bootkit after loading the operating system waits for the Internet Explorer browser to start and injects malicious code into the browser's processes, which allows it to intercept the content of HTTP requests and responses for subsequent modification.

As a more reliable protection for banking transactions, hardware devices act — tokens that contain private keys for implementing electronic digital signature technology. However, even here cybercriminals have something to answer. You just need to get full access to the remote desktop of the victim's PC. Such access is usually organized via VNC, since the Network is full of source codes for such servers, for example, the UltraVNC and TightVNC projects.

By the way, it is based on the latter that two payloads were created in Metasploit — win32_bind_vncinject and win32_reverse_vncinject. These payloads are DLLs that run a VNC server on the local machine with support for direct (we connect to the attacked machine) and reverse (the attacked machine connects to us) connections. Some types of malware use their own VNC server implementation, such as Zeus and Citadel.

In addition to VNC, you can try to use "legitimate" remote administration utilities, slightly tweaking them. This is exactly what the creators of the Carberp Trojan, focused on stealing bank details, do.

The products they use: in 2010 — BeTwin Thinsoft for RDP and TeamViewer, in 2011 — Mipko Personal Monitor and in 2012 — Ammyy Admin. Their executable modules were not modified, which made it possible to preserve a legal digital signature — at first, this was quite confusing for antivirus products.

Attackers simply created a malicious DLL with the name of one of the imported libraries, for example tv.dll for TeamViewer, and the original version was renamed (to ts.dll). Library tv.dll passed the access code to the computer to the management server and served as an adapter to ts.dll, from which the original functions were called. All components were placed in a self-written installer (dropper), which saved them in a writable directory (Application Data), and registered them in startup.

In 2010, similar things were often done with Remote Admin, and even now they sometimes ask on the forums, although by now all of it gets detected instantly. By the way, this method is now actively used for espionage purposes. According to the results of the analysis of the Kaspersky Lab Global Research and Analysis Team (GReAT), one of the cybercrime groups, named TeamSpy Crew, carried out a series of targeted attacks against political figures and human rights defenders in the CIS and Eastern European countries, while the "malicious" version of TeamViewer was used to organize unauthorized access.

Conclusion

As you can see for yourself, cyberstalker, there are a lot of variations of money withdrawal. And unfortunately, you should not rely on the fact that one antivirus program will protect you from these misfortunes. Only improving your computer skills can help here.

At the same time, many users underestimate this threat. In part, this is due to the shift in the focus of the Internet audience towards the malware that antivirus companies advertise the most. You don't need to go far for examples, here are two "top" words — Stuxnet and Red October. And banking Trojans — this, according to one security expert, is not relevant for Russia, they say, our RBS systems are not widely used. OK, let's drink borjomi when the kidneys have already fallen off. Such a focus on the corporate level is very unfortunate. All these Stuxnets and Red Octobers didn't do anything bad to a simple user, so who will protect them from threats that are really relevant to them? In contrast, the target organizations and businesses targeted by Stuxnet and Red October were able to ensure their own security.

Summary: backup information, work with user rights, care when working with RBS, constant software updates from reliable sources and some antivirus with a firewall, as well as VPN, proxy, one-time mailboxes and constant improvement of your cyberbullity and skills.
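The plaintext attack the post mentions for GPCode, applied to the XOR schemes it ridicules at the end: XORing an original file with its encrypted copy exposes the keystream, a short repeating key can be read off it and reused to decrypt every other file, whereas a non-repeating keystream (what a real cipher produces) gives nothing reusable. This is an added example, not code from the original article; the key, the file contents and the hash-derived keystream are constructed sample data.

```python
"""Known-plaintext recovery of a repeating XOR key (added example)."""
import hashlib
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key: the "mega-development" many XOR encoders rely on."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_keystream(plain: bytes, cipher: bytes) -> bytes:
    """Known-plaintext step: the original XOR its encrypted copy is the keystream."""
    if len(plain) != len(cipher):
        raise ValueError("need the same file before and after encryption")
    return bytes(p ^ c for p, c in zip(plain, cipher))


def shortest_period(stream: bytes) -> int:
    """Smallest p <= len/2 at which the stream repeats itself; len(stream) if it never does."""
    n = len(stream)
    for p in range(1, n // 2 + 1):
        if all(stream[i] == stream[i - p] for i in range(p, n)):
            return p
    return n


def recover_key(plain: bytes, cipher: bytes):
    """Return the repeating key, or None when the keystream never repeats (nothing to reuse)."""
    stream = recover_keystream(plain, cipher)
    p = shortest_period(stream)
    return stream[:p] if p < len(stream) else None


def decrypt_other_file(cipher: bytes, key: bytes) -> bytes:
    """Once the key is known, every other file under the same key is recoverable."""
    return xor_bytes(cipher, key)


# Constructed sample data: a 12-byte key and two "encrypted" documents.
SAMPLE_KEY = b"Bazon Hicks!"
SAMPLE_PLAIN = b"Quarterly report: revenue 1 250 000 RUB, expenses 980 000 RUB.\n"
SAMPLE_CIPHER = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)  # the file we still have a backup of
OTHER_PLAIN = b"Payroll for March, see attached 1C export.\n"
OTHER_CIPHER = xor_bytes(OTHER_PLAIN, SAMPLE_KEY)    # a file with no backup

# Constructed stand-in for a non-repeating keystream, as a session-key cipher produces.
NP_PLAIN = b"A second document under a one-time keystream.\n"
NP_STREAM = (hashlib.sha256(b"sample-a").digest()
             + hashlib.sha256(b"sample-b").digest())[:len(NP_PLAIN)]
NP_CIPHER = xor_bytes(NP_PLAIN, NP_STREAM)


def demo():
    """Recover the XOR key from one pair, decrypt the other file, then try the strong case."""
    key = recover_key(SAMPLE_PLAIN, SAMPLE_CIPHER)        # b"Bazon Hicks!"
    recovered = decrypt_other_file(OTHER_CIPHER, key)     # OTHER_PLAIN
    strong = recover_key(NP_PLAIN, NP_CIPHER)             # None: no key to reuse
    return key, recovered, strong


if __name__ == "__main__":
    key, recovered, strong = demo()
    print("recovered repeating key:", key)
    print("other file decrypted:", recovered.decode())
    print("key from non-repeating keystream:", strong)
```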
loki26

Would love to have someone such as yourself under my umbrella. U doin your thing, me mine, which would cover one another greatly. Only problem I see is no one trusts anyone anymore and I probably trust too much. [email protected]