A few minutes ago, I noticed a new infected email landing in my inbox. The body of the email said: Please find Attached Invoice payment format of Marina private ltd. Thanks Marina.A.Beg Marina Private Limited Plot No. 544-J, Pace City – II Sector – 37, Gurgaon – 122 004 Haryana – Bharat That’s pretty normal […]
Question of the week: “How do I get this stupid Sweetpacks off my computer?! It’s driving me crazy!” This question didn’t come from an AVAST email, a support ticket, or even our Facebook page. It came directly from my mother as we were talking on the phone one day. Believe me, when you work for […]
Last year, security reporter Brian Krebs discovered that a group of attackers managed to compromise multiple companies, steal sensitive customer data and sell the details through an online identity theft store known as SSNDOB. The attackers broke into the networks of a number of major consumer and business data aggregators as well as a software development firm. Krebs revealed that the attackers then put the stolen data for sale on SSNDOB, allowing their customers to buy personal details belonging to US and UK citizens.
Symantec looked into the attacks conducted by the group behind SSNDOB, who we call the Cyclosa gang. During our investigations, we managed to identify one of the owners of the service who claims in online forums to be Armand Arturovich Ayakimyan, a 24-year-old man from Abkhazia. As we looked further into this case, we learned how he started as a visitor to a cybercrime forum looking for information on how to conduct attacks to operating a major identity theft operation. Not only that, but Symantec also found that the Cyclosa gang breached a number of other firms, including a Georgian government agency, a credit union and a bank.
Who is Armand?
Armand was born on August 27, 1989 in Abkhazia, a disputed territory in the Caucasus that borders Russia and Georgia. Both Abkhazia and a number of other regions nearby were beset with conflicts between 1991 and 1993. One conflict was the War in Abkhazia from 1992 to 1993, a dispute involving Abkhazia and Georgia over the region’s independence. According to our research, Armand moved from the capital of Abkhazia, Sukhumi, to the nearby Russian city of Sochi in early 2010 just before launching SSNDOB.
On one of Armand’s social media profiles, which has since been deleted, he says he is skilled in Web development and IT. He also appears to be a fan of the online role player game EVE Online.
Armand appears to have made a few career moves throughout his adult life, including working in a photo studio and becoming a sales manager for a cosmetics firm. He also considered using his technical skills for legitimate work, as he discussed creating an online dating service and a real estate website for properties in Abkhazia. However, neither of these services became a reality. In 2013, Armand appeared to be working at a church in Russia.
Armand’s early cybercrime life
Before 2007, Armand may have been involved in fraud, targeting Australian citizens’ financial details. While Armand appeared to have some abilities to conduct cybercrime, he still needed to learn more to run bigger financial scams.
In 2007, he registered an account on a cybercrime forum and asked other users for advice on how to steal people’s data through their unsecured WiFi connection. Another user told him to use a search engine to do more research on the matter, suggesting that Armand still had a lot to learn.
Towards the end of that year, Armand had started to sell stolen information, offering “fresh reports” on these forums for US$2.50. He continued to seek advice on a number of attack methods, such as how to hijack chat accounts.
In 2008, he began to explore the use of remote access Trojans to obtain information from compromised computers. He requested encryption services for the popular Pinch Trojan along with a joiner, which would allow him to hide the malware and bundle it with other programs. During this year, Armand began to target US and UK citizens, hoping to make more money in the process.
Partners in crime
At the start of 2009, evidence emerged of Armand’s partnership with three other people who used the handles “Tojava”, “JoTalbot” and “DarkMessiah” on cybercrime forums. There may be other players involved with this organization but these four individuals appear to be the main actors in this group. The four of them carried out numerous acts of cybercrime, such as conducting malware-based search engine optimization and pay-per-click schemes. They also bought and sold hijacked chat accounts, botnet traffic, and personal and financial information. Armand’s relationship with Tojava was vital for the formation of SSNDOB. Tojava was allegedly responsible for introducing Armand to the world of cybercrime and carding. We believe that Tojava created many of SSNDOB’s technical features, such as its search engine and its social security number query scripts.
Around this time, Armand said that he “found” access to a “large FTP site,” giving him a point of entry to several travel agencies’ websites. He asked other forum members for advice on how to make the most of this access. Two months later, Armand advertised the sale of a database of 75,000 to 85,000 expired Russian passports, along with FTP space or accounts and the “rights” to a compromised server. This may have been the Cyclosa gang’s first major breach of a company.
Establishing SSNDOB
Soon after the breach of the travel agencies, Armand and Tojava were seen expressing interest in opening an online identity theft store and seeking tools to check and process card payments. Along with this, the pair continued to update the Cyclosa gang’s attack capabilities, seeking malware that could wipe hard drives thoroughly enough to avoid police detection and looking into getting high volumes of US and UK botnet traffic.
By the end of the year, Armand registered SSNDOB’s first domain using, oddly enough, his real first and last name and his phone number. At the start of 2010, SSNDOB was officially open for business. It sold personal data records from US$0.50 to US$2.50 and offered credit and background checks from US$5 to US$15.
The breaches
To keep their store stocked, the Cyclosa gang had to continue to attack companies for their databases of personal data. Along with the major breaches covered in Krebs’ report, Symantec found that the Cyclosa gang compromised a number of other firms. In May 2012, the Cyclosa gang breached a US-based credit union. A few months later, they compromised a bank based in California, USA, and a Georgian government agency. While the Georgian agency may not have a lot of information pertaining to US and UK citizens, it’s possible that this attack was of personal interest to the Cyclosa gang, considering Armand’s background.
SSNDOB revealed
In March 2013, SSNDOB had a setback, as Krebs first exposed the store in an investigative report. Three days after Krebs released the article, Armand deleted his profile on European social network VK.
However, despite this, the Cyclosa gang did not stop their activities. They went on to register a new domain name for SSNDOB and compromised an employee’s computer at a Nigerian financial institution with a presence in the UK. Throughout 2013, the Cyclosa gang stole data from major data brokers, along with a software development company. Considering how the attackers’ continued to escalate their activities in 2013, this may not be the last we hear of the Cyclosa gang.
The following infographic charts the path Armand made, taking him from a one man operation to an organized cybercrime gang.
Symantec protection
Symantec has the following protections in place for the attacks mentioned in this blog:
AV
IPS
このブログではウェブサイトやその上で動作しているウェブアプリケーションの脆弱性について紹介すると共に注意喚起をする目的でまとめられています。
今回は2005年以来継続して攻撃被害のあるSQLインジェクションについて解説をしています。
Recientemente, varios investigadores en seguridad presentaron un documento que describe una operación larga y compleja, denominada “Operación Windigo”. Desde 2011, año en que comenzó esta campaña, más de 25,000 servidores Linux y Unix han sido comprometidos para obtener las credenciales Secure Shell (SSH) con el fin de redireccionar a los usuarios web hacia contenido malicioso y para distribuir spam. Organizaciones muy conocidas, como cPanel y Fundación Linux han sido confirmadas como víctimas. Los sistemas operativos que han sido blanco de estos ataques incluyen a OS X, OpenBSD, FreeBSD, Microsoft Windows y varias distribuciones de Linux. El documento señala que Windigo es responsable de enviar diariamente un promedio de 35 millones de mensajes spam. Adicionalmente, más de 700 servidores Web han redireccionado a más de 500,000 visitantes diariamente hacia contenidos maliciosos.
Este documento enlista tres principales componentes maliciosos (detección de nombres de ESET):
• Linux/Ebury – un backdoor OpenSSH que se utiliza para controlar servidores y robar credenciales.
• Linux/Cdorked – un backdoor HTTP utilizado para redireccionar tráfico Web.
• Perl/Calfbot – un script Perl utilizado para enviar spam.
Las consistentes campañas de los agresores se han convertido en algo común. Con los recursos adecuados, motivación y deseo, quienes atacan pueden obtener recompensas importantes por estas acciones. Dichas actividades tienen el objetivo de atacar organizaciones específicas para identificar y filtrar información delicada, pero el objetivo nuevamente ha sido económico, a través de redirecciones Web, spam y descargas automáticas.
Protección de Symantec
Los clientes de Symantec están protegidos contra el malware utilizado en la Operación Windigo con las siguientes firmas:
AV
IPS
Más información sobre la investigación acerca de la Operación Windigo está disponible en el blog de ESET.
We celebrated the 106th annual International Women’s Day with the #avastSelfie photo contest. The photo competition is over, and now it’s time to publish the winners. We have decided to award all the entries from the gallery below with the free licenses for avast! Internet Security and avast! teddy bears. Congratulations to the winners, please check your email, we […]
Last November, we found an Internet of Things (IoT) worm named Linux.Darlloz. The worm targets computers running Intel x86 architectures. Not only that, but the worm also focuses on devices running the ARM, MIPS and PowerPC architectures, which are usually found on routers and set-top boxes. Since the initial discovery of Linux.Darlloz, we have found a new variant of the worm in mid-January. According to our analysis, the author of the worm continuously updates the code and adds new features, particularly focusing on making money with the worm.
By scanning the entire Internet IP address space in February, we found that there were more than 31,000 devices infected with Linux.Darlloz.
Coin mining
In addition, we have discovered the current purpose of the worm is to mine cryptocurrencies. Once a computer running Intel architecture is infected with the new variant, the worm installs cpuminer, an open source coin mining software. The worm then starts mining Mincoins or Dogecoins on infected computers. By the end of February 2014, the attacker mined 42,438 Dogecoins (approximately US$46 at the time of writing) and 282 Mincoins (approximately US$150 at the time of writing). These amounts are relatively low for the average cybercrime activity so, we expect the attacker to continue to evolve their threat for increased monetization.
The worm’s new coin mining feature only affects computers running the Intel x86 architecture and we haven’t seen it impact IoT devices. These devices typically require more memory and a powerful CPU for coin mining.
Why Mincoin and Dogecoin?
The worm appears to aim at mining Mincoins and Dogecoins, rather than focusing on the well-known and more valuable cryptocurrency Bitcoin. The reason for this is Mincoin and Dogecoin use the scrypt algorithm, which can still mine successfully on home PCs whereas Bitcoin requires custom ASIC chips to be profitable.
New targets
The initial version of Darlloz has nine combinations of user names and passwords for routers and set-top boxes. The latest version now has 13 of these login credential combinations, which also work for IP cameras, typically used for remote monitoring of premises.
Why IoT devices?
The Internet of Things is all about connected devices of all types. While many users may ensure that their computers are secure from attack, users may not realize that their IoT devices need to be protected too. Unlike regular computers, a lot of IoT devices ship with a default user name and password and many users may not have changed these. As a result, the use of default user names and passwords is one of the top attack vectors against IoT devices. Many of these devices also contain unpatched vulnerabilities users are unaware of.
While this particular threat focuses on computers, routers, set-top boxes and IP cameras, the worm could be updated to target other IoT devices in the future, such as home automation devices and wearable technology.
Blocking other attackers
As described in a previous blog, the worm prevents other attackers or worms, such as Linux.Aidra, from targeting devices already compromised with Linux.Darlloz. The malware author implemented this feature into the worm when it was released last November.
In early January, there were reports about a back door on a number of routers. By using the back door, remote attackers could gain access to the routers, allowing them to compromise the user’s network. For Darlloz’ author, this represented a threat, so they implemented a feature to block the access to the back door port by creating a new firewall rule on infected devices to ensure that no other attackers can get in through the same back door.
Infections in the wild
Once a device is infected, Darlloz starts a HTTP Web server on port 58455 in order to spread. The server hosts worm files and lets anyone download files through this port by using a HTTP GET request. We searched for IP addresses that open this port and host Darlloz files on static paths. Assuming that the Darlloz worm can be downloaded, we tried to collect OS finger prints of the host server. The following statistics give an overview of the infection.
Figure 1. The top five regions with Darlloz infections
The five regions that accounted for 50 percent of all Darlloz infections were China, the US, South Korea, Taiwan and India. The reason for the high infections in these regions is most likely due to their large volumes of Internet users or the penetration of IoT devices.
Infected IoT devices
Consumers may not realize that their IoT devices could be infected with malware. As a result, this worm managed to compromise 31,000 computers and IoT devices in four months and it is still spreading. We expect that the malware author will continue to update this worm with new features as the technology landscape changes over time. Symantec will continue to keep an eye on this threat.
Mitigation
「Operation Windigo」というコードネームの大規模かつ複雑な攻撃活動について報告したホワイトペーパーが、セキュリティ研究者によって公開されました。この攻撃が始まった 2011 年以来、25,000 台を超える Linux/UNIX サーバーが侵入を受けて、SSH(Secure Shell)資格情報を盗み出された結果、Web にアクセスしたユーザーが悪質なコンテンツにリダイレクトされ、スパム送信を送り付けられるようになりました。cPanel や Linux Foundation といった著名な組織も被害を受けていたことが確認されています。標的となるオペレーティングシステムは、OS X、OpenBSD、FreeBSD、Microsoft Windows、そして Linux の各種ディストリビューションです。発表されたホワイトペーパーによると、Windigo は毎日平均 3,500 万通のスパムメッセージを送信しています。このスパム活動のほかに、700 台以上の Web サーバーが現在、1 日当たりおよそ 50 万の訪問者を悪質なコンテンツにリダイレクトしています。
このホワイトペーパーでは、悪質なコンポーネントとして主に次の 3 つが挙げられています(名前は ESET 社の検出名)。
悪質な攻撃者による長期的な攻撃活動も、最近では一般的になってきました。適切なリソースを持ち、何らかの動機や欲求があれば、攻撃者は労力に見合った十分な見返りを得ることができます。特定の組織を狙って、重要な情報を選定して盗み出すことを目的とする攻撃もありますが、Operation Windigo の目的は、Web リダイレクト、スパム、ドライブバイダウンロードによる金銭的な利益です。
シマンテックの保護対策
シマンテック製品をお使いのお客様は、以下のシグネチャによって、Operation Windigo で使われているマルウェアから保護されています。
ウイルス対策
侵入防止システム
ESET 社によって確認された Operation Windigo の詳しい内容は、ESET 社のブログで公開されています。
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。
Security researchers have released a paper documenting a large and complex operation, code named “Operation Windigo”. Since the campaign began in 2011, more than 25,000 Linux and Unix servers were compromised to steal Secure Shell (SSH) credentials, to redirect Web visitors to malicious content, and to send spam. Well-known organizations such as cPanel and Linux Foundation were confirmed victims. Targeted operating systems include OS X, OpenBSD, FreeBSD, Microsoft Windows, and various Linux distributions. The paper claims Windigo is responsible for sending an average of 35 million spam messages on a daily basis. This spam activity is in addition to more than 700 Web servers currently redirecting approximately 500,000 visitors per day to malicious content.
The paper lists three main malicious components (ESET detection names):
Lengthy campaigns by malicious attackers have become commonplace. With the appropriate resources, motivation, and desire, attackers can obtain significant rewards for their efforts. While some campaigns focus on targeting specific organizations to identify and exfiltrate sensitive information, the goal here was financial gain, by way of Web redirects, spam, and drive-by-downloads.
Symantec protection
Symantec customers are protected against malware used in Operation Windigo with the following signatures:
AV
IPS
More details on ESET’s discovery of Operation Windigo is available on their blog.
An unknown hacker taking control of a plane using an Android phone’s screen sounds like a frightening, but fictional, scenario from the next international spy movie. But, it’s one of many theories being bandied about to explain what happened to missing Malaysian Airways Flight MH370. This theory, advanced by a British anti-terror expert on Sunday, […]