In a post I did over the weekend, I talked about the fact that malicious code was not going to go away and it's time to get rid of "username:/password:" log-in. It's not safe.
As I mentioned in that post, the most secure way to authenticate the online banking customer is to put a HomeATM 2.0 Certified PIN Entry Device in their hands. ($12) The bank issues the card, the bank issues the PIN, and now, instead of toasters, the bank issues our device. End Result?: Complete 100% secure 2FA (two-factor authentication) log-in. What that means to the banks and their customers is virtual elimination of phishing (average cost $350) no threat of DNS Hijacking, cloned cards could no longer be used and essentially no more ID Theft, thus no more emptying of bank accounts.
Now, here comes a story about a botnet called Tropig (also known as Sinowa) a hard to detect malicious code used to infect PC's and steal those very same username/password's used at financial institutions. Don't say I didn't warn you that this would happen and this is just the beginning...the worst is yet to come.
Source: Computer World Complete item: Click Here
Description:
Researchers from the University of California gained control over a well-known and powerful network of hacked computers for 10 days, gaining insight into how it steals personal and financial data.
The botnet, known as Torpig or Sinowal, is one of the more sophisticated networks that uses hard-to-detect malicious software to infect computers and subsequently harvest data such as email passwords and online banking credentials.
The researchers were able to monitor more than 180,000 hacked computers by exploiting a weakness within the command-and-control network used by the hackers to control the computers. It only worked for 10 days, however, until the hackers updated the command-and-control instructions, according to the researchers' 13-page paper.
Still, that was enough of a window to see the data-collecting power of Torpig/Sinowal. In that short time, about 70GB of data were collected from hacked computers.
The researchers stored the data and are working with law enforcement agencies such as the US Federal Bureau of Investigation, ISPs and even the US Department of Defence to notify victims. ISPs also have shut down some Web sites that were used to supply new commands to the hacked machines, they wrote.
Torpig/Sinowal can infect a PC if a computer visits a malicious Web site that is designed to test whether the computer has unpatched software, a technique known as a drive-by download attack. If the computer is vulnerable, a low-level piece of malicious software called a rootkit is slipped deep into the system.
The researchers found out that Torpig/Sinowal ends up on a system after it is first infected by Mebroot, a rootkit that appeared around December 2007.
Mebroot infects a computer's Master Boot Record (MBR), the first code a computer looks for when booting the operating system after the BIOS runs. Mebroot is powerful since any data that leaves the computer can be intercepted.
Mebroot can also download other code to the computer.
Torpig/Sinowal is customized to grab data when a person visits certain online banking and other websites. It is coded to respond to more than 300 websites, with the top targeted ones being PayPal, Poste Italiane, Capital One, E-Trade and Chase bank, the paper said.Hackers typically sell passwords and banking information on underground forums to other criminals, who try to covert the data into cash. While it's difficult to precisely estimate the value of the information collected over the 10 days, it could be worth between US$83,000 to $8.3 million, the research paper said.
If a person goes to a banking website, a falsified form is delivered that appears to be part of the legitimate site, but asks for a range of data a bank would not normally request, such as a PIN (personal identification number) or a credit card number.
Websites using SSL (Secure Sockets Layer) encryption are not safe if used by a PC with Torpig/Sinowal, since the malicious software will grab information before it is encrypted, the researchers wrote.
There are ways to disrupt botnets such as Torpig/Sinowal.
Editor's Note: The easiest way to disrupt the botnet is to utilize HomeATM's PCI 2.0 Certified SafeTPIN with 3DES end-to-end encryption (including the Track 2 data) and Protected by DUKPT key management. Use our device and you'll have no worries. Either that or stop shopping online!
The botnet code includes an algorithm that generates domain names that the malware calls on for new instructions.
Security engineers have often been able to figure out those algorithms to predict which domains the malware will call on, and preregister those domains to disrupt the botnet. It is an expensive process, however. The Conficker worm, for example, can generate up to 50,000 domain names a day.
Registrars, companies that sell domain name registrations, should take a greater role in cooperating with the security community, the researchers wrote. But registrars have their own issues.
URL to see the Your Botnet is My Botnet Analysis of a Takeover report :
http://www.cs.ucsb.edu/~seclab/projects/torpig/index.html
ABSTRACT
Botnets, networks of malware-infected machines that are controlled by an adversary, are the root cause of a large number of security threats on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program that is designed to harvest sensitive information (such as bank account and credit card data) from its victims. In this paper, we report on our efforts to take control of the Torpig botnet for ten days. Over this period, we observed more than 180 thousand infections and recorded more than 70 GB of data that the bots collected. While botnets have been “hijacked” before, the Torpig botnet exhibits certain properties that make the analysis of the data particularly interesting. First, it is possible (with reasonable accuracy) to identify unique bot infections and relate that number to the more than 1.2 million IP addresses that contacted our command and control server. This shows that botnet estimates that are based on IP addresses are likely to report inflated numbers. Second, the Torpig botnet is large, targets a variety of applications, and gathers a rich and diverse set of information from the infected victims. This opens the possibility to perform interesting data analysis that goes well beyond simply counting the number of stolen credit cards.
1. INTRODUCTION
Malicious code (or malware) has become one of the most pressing security problems on the Internet. In particular, this is true for bots [3], a type of malware that is written with the intent of taking control over hosts on the Internet. Once infected with a bot, the victim host will join a botnet, which is a network of compromised machines that are under the control of a malicious entity, typically referred to as the botmaster. Botnets are the primary means for cyber criminals to carry out their nefarious tasks, such as sending spam mails [30], launching denial-of-service attacks [24], or stealing personal data such as mail accounts or bank credentials [14,32]. This reflects the shift from an environment in which malware was
developed for fun to the current situation, where malware is spread for financial profit.
Given the importance of the problem, significant research effort has been invested to gain a better understanding of the botnet phenomenon [8, 29], to study the modus operandi of cyber criminals [19, 22], and to develop effective mitigation techniques [10, 11]. One popular approach to analyze the activities of a botnet is to join it (that is, to perform analysis from the inside). To achieve this, researchers typically leverage honeypots, honey clients, or spam traps to obtain a copy of a malware sample. The sample is then executed in a controlled environment, which makes it possible to observe the traffic that is exchanged between the bot and its command and control (C&C) server(s). In particular, one can record the
commands that the bot receives and monitor its malicious activity.
0 comments