FBI closes in on zombie PC gang

waltky

Feb 6, 2011
possum scared o' zombies...
:eek:
FBI closes in on zombie PC gang
14 April 2011 - It is an unusual move for police to take over criminal machines
US crime-fighters are closing in on a gang behind a huge botnet after taking control of the criminals' servers. It is the first time FBI investigators have used such a method. The US Justice Department had to seek court permission from a judge to carry out the sting. It enabled the authorities to issue its own commands, effectively ordering the malware to shut down. It also logged the IP addresses of compromised machines.

It means the authorities will be able to notify ISPs about which machines have been infected and ISPs in turn can let victims know that their machines had been taken over. A similar approach was used last year by Dutch police as part of its shutdown of the Bredolab botnet. At the time, privacy experts questioned the legality of such a move.

Millions recruited

A botnet is a network of infected computers, also known as zombie PCs. Coreflood, the malware program prompting the FBI investigation, has been around for at least a decade and can record keystrokes, allowing criminals to take over unsuspecting computers and steal passwords, banking and credit card information. It is believed to have recruited around 2.3 million machines and raked in millions for those behind it. Officials have not said where the attacks came from, although it appears consistent with cybercrime activity in Eastern Europe.

Investigators seized five of the botnet's servers that were controlling hundreds of thousands of infected machines. They also seized 29 domain names used by the botnet. "As a result the zombie machines in the Coreflood network are being re-routed to communicate with the server controlled by law enforcement agencies," explained Noa Bar Yosef, a senior strategist at security firm Imperva. "The 'good' server can then issue commands to stop the malware execution on the compromised machines."

BBC News - FBI closes in on zombie PC gang

See also:

Phone hacking test cases approved
15 April 2011 - Actress Sienna Miller is one of several celebrities accusing the News of the World of breach of privacy
Four test cases for alleged victims of phone hacking by the News of the World should go ahead later in the year, a High Court judge has said. Mr Justice Vos said they could include actress Sienna Miller, who has already been offered a £100,000 settlement. The cases could create a framework for action from some 91 alleged victims. It comes as Scotland Yard confirmed they were considering a criminal investigation into claims journalists paid police officers for information.

The judge said the four test cases would possibly also concern interior designer Kelly Hoppen and sports agent Sky Andrew, because the investigations were well-advanced and covered a range of issues and levels of damage. The main issues were whether there was interception, how much of it went on, what was done with the information and the degree of damage suffered, Mr Justice Vos said. Outlining the advantages of holding test cases, he said the 20 cases going through the courts were generating thousands of documents. "My experience of thousands of documents is that there is just half a dozen that actually matter."

He added: "Otherwise we will be going on forever. Some people may want to but I don't," he said. Hugh Tomlinson QC, who represents a number of claimants including Miss Miller, told the judge the case was not just about money. "Damages are an aspect, but when private information is involved, the kind of relief people are looking for goes beyond simply monetary compensation," he said. The court also heard that actor Jude Law was expected to issue legal proceedings shortly.

Lawyers are still working out the extent of the phone hacking relating to Miss Miller, who has twice been in a relationship with Mr Law, first from 2003-2005. Mr Justice Vos said Miss Miller appeared in many articles in the News of the World from 2005-6 and it was a possibility they arose from phone hacking.

More BBC News - News of the World: four phone hacking test cases approved
 
Prob'ly Bulgaria an' Albania...
:eek:
Biggest-ever criminal botnet links computers in more than 172 countries
June 29, 2011 : Cybersecurity experts say that the world's biggest-ever botnet is still operating, despite the arrests of two cyber criminals, which required coordinating law enforcement across two continents.
Computer security experts say they have detected what appears to be the world's largest-ever computer "botnet," a network of millions of computers controlled clandestinely by a criminal cyber gang with roots in Eastern Europe. No one yet knows for sure just how many million "zombie" computers are under the thrall of this still-unnamed massive botnet, but it sprawls across 172 countries, according to Unveillance, the Wilmington, Del., botnet-tracking firm that announced the discovery Wednesday.

By contrast, the huge Mariposa botnet, one of the largest ever discovered, as recently as 2009 controlled up to 12 million zombie computers in about 100 countries. Mariposa has now been neutralized by law enforcement. But this newly discovered botnet – a kissing cousin of Mariposa, built with the same "Butterfly Bot" software kit and sharing similar stealthy characteristics – has spread much farther.

"We don't know yet how many computers are part of this new network, but we can infer that it is likely to be the largest ever, based on how many countries with infected computers are connected to it and its rate of growth," says Karim Hijazi, CEO of Unveillance, in an interview. "This is a completely fresh botnet: enhanced, more advanced, and difficult to detect. We now see it has been spreading since at least 2007."

How to build a bigger botnet
 
I always said it would be great if someone could trace back to the original controller machine(s), freeing the bots as they go and mining the bad guys' system of all data before sending a command that causes the bad guys' CPUs to overheat and burn up.
 
Here's a related story.

More than four million PCs have been enrolled in a botnet security experts say is almost 'indestructible'

The botnet, known as TDL, targets Windows PCs and tries hard to avoid detection and even harder to shut down.

Code that hijacks a PC hides in places security software rarely looks and the botnet is controlled using custom-made encryption.

Security researchers said recent botnet shutdowns had made TDL's controllers harden it against investigation.

BBC News - Security researchers discover 'indestructible' botnet
 
Granny says she don't see what's so 'good' about it...
:eusa_eh:
Good, Old-Fashioned Theft Still Tops Cyber Crime
11/27/12 --- When it comes to getting fleeced financially, are the Internet and mobile devices getting a bad rap?
Apparently so, if you ask analysts at Travelers, the Hartford, Conn.-based insurance giant. Travelers is out with a fresh look at identity fraud cases concluding it's not online or mobile devices that fuel most fraud cases but just old-fashioned "offline methods" such as burglary, stolen wallets and stolen identifications leading to most financial fraud crimes. Such offline crimes account for 73% of all fraud cases, Travelers says, a number culled from its own database of fraud claims data. Online or data breach crimes accounted for only 15% of claims cases.

Far and away, stolen wallets and pocketbooks are the leading trigger to identity theft. Stolen driver's licenses or Social Security cards are the second-most common cause of I.D. theft; burglaries ranked third; and in fourth was cyber breaches, which have received significantly more media attention in the past few years. There's a lesson in those figures, Travelers says.

Something as innocuous as hanging on to your wallet may be your best prevention against financial fraud with building a cyber-firewall against I.D. thieves on your mobile device having a lesser role. "When everyday essentials like wallets or drivers licenses are stolen or go missing, identity fraud often follows," says Joe Reynolds, identity fraud product manager at Travelers. "Credit cards, drivers licenses and other sources of personal information enable criminals to commit a fraud or crime, all in your name."

Reynolds says that perhaps the best protection, past hanging tight to your wallet or pocketbook, is checking your monthly bank and credit card statements. "People are not always aware that someone is illegally using their identity until suspicious activity appears on their monthly financial statement," he says. "It is critical that consumers closely review these monthly documents and remember to immediately call the bank if they suspect fraudulent activity."

What else can consumers do? Reynolds and Travelers have a few thoughts:
 
Uncle Sam has a long reach when it comes to hackers...
:eusa_clap:
U.S. charges nine in international hacking conspiracy; two extradited from UK
WASHINGTON Fri Apr 11, 2014 - Nine people have been charged in an alleged international conspiracy that used malicious software to gather bank account details and use the information to steal millions of dollars, including from accounts held at a Nebraska bank, the Department of Justice said on Friday.
Two of the defendants, both Ukrainian nationals who were living in the UK, have been extradited to face charges in Nebraska, the U.S. Justice Department said. Four other defendants, who live in the Ukraine and in Russia according to court documents, remain at large. The three other defendants have not yet been identified. A grand jury indicted the defendants in August 2012, but the indictment was not unsealed until Friday.

According to the charges, the group used Zeus malware to capture passwords and account numbers and then used that information to log into online banking accounts to steal millions of dollars. The Zeus virus is a piece of malicious software that has been widely used to steal credit card information and other financial data. The defendants were able to use the malware to beat two-factor identification systems, including SecurID, a product of the RSA unit of EMC Corp, prosecutors said. The indictment was unsealed on Friday ahead of an arraignment of the two defendants who were extradited from the UK, Yuriy Konovalenko, 31, and Yevhen Kulibaba, 36, the Justice Department said.

Prosecutors say the defendants used U.S. residents as "money mules," receiving funds transferred over the Automated Clearing House network or via other interstate wire systems from victims' bank accounts into the mules' own bank accounts. These people then allegedly withdrew some of those funds and wired the money overseas to conspirators. A lawyer for Konovalenko was not immediately available for comment. A lawyer for Kulibaba could not be immediately located for comment.

The Justice Department said the FBI's Omaha Cyber Task Force investigated the case, and was assisted by law enforcement agencies in the UK, the Netherlands and Ukraine. The charges come as the U.S. government and hundreds of businesses are dealing with the "Heartbleed" bug uncovered this week, which may have left hundreds of thousands of websites open to data theft. The Department of Homeland Security on Friday also warned of hackers attempting to exploit the bug in targeted attacks.

U.S. charges nine in international hacking conspiracy; two extradited from UK | Reuters
 
Uncle Sam needs to give these hackers immunity if they will work for the government to combat other hackers. After witnessing the debacle of NMCI (Navy Marine Corps Intranet), I'm not so sure the government has any IT people with any usable expertise.
 
No one is safe while using the Internet...
:eek:
FBI: BlackShades infected half-million computers
May 19,`14 ~ More than a half-million computers in over 100 countries were infected by sophisticated malware that lets cybercriminals remotely hijack a computer and its webcam, authorities said as charges were announced Monday against nearly 100 people worldwide.
Authorities said 97 people suspected of using or distributing the malicious software called BlackShades have been arrested in 16 countries, including the software's owner, a 24-year-old Swedish man. "This case is a strong reminder that no one is safe while using the Internet," said Koen Hermans, a Netherlands official in Eurojust, the European Union's criminal investigation coordination unit. "It should serve as a warning and deterrent to those involved in the manufacture and use of this software." U.S. Attorney Preet Bharara called BlackShades a "frightening form of cybercrime," saying a cybercriminal could buy a $40 malicious program whose capabilities were "sophisticated and its invasiveness breathtaking." FBI Agent Leo Taddeo said people suspecting they are BlackShades victims should visit FBI.gov to learn how to check computers.

Authorities said the BlackShades Remote Access Tool or "RAT" has been sold since 2010 to several thousand users, generating sales of more than $350,000. The agency said one of the program's co-creators is cooperating and had provided extensive information. BlackShades owner, Alex Yucel, arrested in Moldova last November, is facing extradition to the United States. Michael Hogue, 23, of Maricopa, Arizona - the program's co-creator - had pleaded guilty in New York after his June 2012 arrest and is cooperating, Bharara said. The malware lets hackers steal personal information, intercept keystrokes and hijack webcams to secretly record computer users. BlackShades also can be used to encrypt and lock computer data files, forcing people to pay a ransom to regain access.

The hacking tool's low cost has boosted its popularity across the hacker underground, where variants have long circulated online. Last year, security firm Symantec said use of BlackShades was rising, with program licenses costing $40 to $100. French officials said raids last week followed the FBI's arrest of two BlackShades developers and its distribution of a list of the malware's customers. Law enforcement coordination agencies Europol and Eurojust, based in The Hague, Netherlands, said Monday that police in 13 European countries - Austria, Belgium, Britain, Croatia, Denmark, Estonia, Finland, France, Germany, Italy, Moldova, the Netherlands and Switzerland - as well as in the United States, Canada and Chile raided 359 properties and seized cash, firearms, drugs and more than 1,000 data storage devices.

In Paris, the state prosecutor's office said more than two dozen people were arrested during May 13 raids. It said those arrested were identified by the FBI as French "citizens who had acquired or used this software." In a previous BlackShades-related investigation, Dutch police this year arrested an 18-year-old man for using the malware to take pictures of women and girls within view of webcams on about 2,000 computers. A Southern California man who was sentenced in March to prison for hacking the computers of a future Miss Teen USA and other young women was not part of the case. Authorities say that he had BlackShades on his computer, but that it wasn't clear whether he used it or another program.

AP Newswire | Stars and Stripes

See also:

Scores arrested in global sweep over RAT malware
Wed, May 21, 2014 - CYBERCRIME: Run by the organization BlackShades, the remote access tool software allows hackers to take over a computer’s camera and spy on its owner
Authorities arrested about 100 people as part of a global crackdown on malicious software used to infect half a million computers, US and European authorities said on Monday. The software, created by an organization called “BlackShades,” allows hackers to control other people’s computers remotely, recording keystrokes, stealing passwords and gaining access to their personal files. In some cases, users employed the inexpensive software, known as BlackShades’ remote access tool or RAT, to take over the computers’ cameras and spy on their owners, US officials said at a press conference in New York. They said in other cases, users sent a ransom note, requiring payment before unlocking their victims’ documents. “For just US$40, BlackShades’ RAT enabled anyone, anywhere in the world, to become a dangerous cybercriminal,” US Attorney for the Southern District of New York Preet Bharara told reporters.

In a series of raids over two days, police searched 359 homes in 16 countries in Europe and the Americas, according to Eurojust, the EU’s judicial cooperation agency. In addition to computer hardware, police in Europe seized cash, illegal firearms and drugs, Eurojust said.
A spokeswoman for the FBI said 19 different countries were involved in the investigation. The crackdown was one of the largest for cybercrime in terms of the number of arrests and countries involved, former computer crimes prosecutor Mark Rasch said.

Swedish man Alex Yucel, 24, owned and operated BlackShades using the alias “marjinz,” according to US authorities, who unsealed charges against him and four others on Monday. Yucel was arrested in November in Moldova and is awaiting extradition. It was not immediately clear whether he had a lawyer. Yucel ran the organization as a business, paying a marketing director, a Web site developer and a team of customer service representatives, court documents showed. The group’s Web site included advertisements boasting of its software’s capabilities and ease of use. BlackShades generated more than US$350,000 in sales between September 2010 and April this year, the documents said. It was not clear how much money users of the software may have stolen from their alleged victims.

The BlackShades investigation arose from a different cybercrime sting by the FBI, called “Operation Cardshop,” in which authorities created a fake Web site to entice criminals to buy and sell credit card numbers. One of the individuals arrested in 2012 as a result of that probe was Michael Hogue, an Arizona man who the FBI said is the co-creator of BlackShades’ RAT. Hogue pleaded guilty last year to two computer-related crimes and agreed to cooperate with investigators, providing crucial details about the inner workings of BlackShades, according to court documents unsealed on Monday. The prosecutor’s office said another BlackShades employee, Brendan Johnston, 23, was arrested in California on Monday. His lawyer could not immediately be identified.

Scores arrested in global sweep over RAT malware - Taipei Times
 
Gameover Zeus botnet used to steal banking information...
:eek:
Police Target Two Worldwide Cybercrime Networks
June 02, 2014 WASHINGTON — Police agencies in the United States and around the world have disrupted two computer crime networks that officials say stole more than $100 million from thousands of people. Also, the U.S. government has charged a Russian national with a string of crimes as a mastermind in the computer attacks.
Deputy U.S. Attorney General James Cole says one scheme was called "Gameover Zeus" and its victims are spread around the world, often including small and medium-sized businesses. "Gameover Zeus is the most sophisticated and damaging botnet [network of computers that communicate with its creator] we have ever encountered," said Cole.

Gameover Zeus used malicious software to steal a victim's banking password so the criminals could take money out of victim's bank accounts. A second scheme was called "Cryptolocker." It used a computer virus to encrypt the content of a victim's computer. That meant users could not get to family photographs, tax records, emails, and other important files.

The cyber crooks demanded ransom, often in the form of hundreds of dollars worth of the cyber currency bitcoin, to unlock the computer. Officials say the scheme infected hundreds of thousands of computers and netted tens of millions of dollars in ransom. A top Justice Department official, Leslie Caldwell said law enforcement will slow this kind of criminal activity for a short time. “We fully expect that these schemes will re-emerge and will evolve as the criminals target and infect new victims," said Caldwell.

U.S. Justice Department officials have indicted (formally accused) Russian national Evgeniy Bogachev, who has not been apprehended, on charges of computer hacking, conspiracy, fraud, and money laundering. The investigation involved private computer companies around the world and authorities in many nations, including Australia, New Zealand, the Netherlands, Britain, Canada, France, Italy, Germany, Luxembourg, and Ukraine.

Police Target Two Worldwide Cybercrime Networks
 
Usin' infected computers to spy on hackers...
:eusa_shifty:
Judge lets US intercept info from hacked computers
Jun 3,`14 -- The Justice Department can continue to intercept information from 350,000 computers worldwide that are known to be infected with a data-stealing virus being spread by an alleged Russian computer hacker and his conspirators, a federal judge said.
Justice Department attorneys told U.S. District Judge Arthur Schwab the affected computers will remain linked to a government-provided substitute Internet server until the malicious software can be removed. The substitute server lets the government track the Internet addresses of the infected computers and pass them on to Internet service providers or government agencies in countries, so that computer-owners can be alerted to infections. The hackers are allegedly led by a 30-year-old Russian man, Evgeniy Bogachev, who is not in custody. The hackers infected computers with a piece of malicious software that captured bank information used to drain more than $100 million from accounts or another that locked computer files until ransom payments were made.

Tuesday's hearing on the preliminary injunction was held in Pittsburgh, where the Justice Department has charged Bogachev with siphoning more than $370,000 from a western Pennsylvania plastics firm using the virus known as Gameover Zeus. The injunction issued Tuesday extends a temporary order the judge issued last week when Justice Department attorneys notified the court of the scam in sealed documents. Since then, the government has moved to seize key computer servers in Canada, Ukraine and Kazakhstan, which were used to spread the ransom-demanding virus known as Cryptolocker. Victims included the Swansea, Massachusetts, police department, which paid a $750 ransom using the virtual currency Bitcoin to unlock its computer files.

Other businesses, including an eastern Pennsylvania assisted living company and a North Carolina pest control firm, paid $70,000 and $80,000, respectively, to have employees or computer experts fix their Cryptolocker-infected computers. Schwab issued his order based on a 28-page report filed by a Pittsburgh FBI computer expert, Special Agent Elliott Peterson. Among other things, the report says 230,000 computers had been infected by Cryptolocker since mid-2013, including 120,000 in the United States. It's unknown how many of those computer owners paid ransoms to unlock their files, the report said. The Cryptolocker servers have been "dismantled," Justice Department attorney Ethan Arenson told the judge.

Additionally, "350,000 infected computers have been liberated from the Gameover Zeus botnet" - an automated network spawned by the data-stealing virus - by connecting them to the government's substitute server, Arenson said. Those computer owners can get help removing the malicious software at a website maintained by the Department of Homeland Security, https://www.us-cert.gov/gameoverzeus . Judge Schwab granted the injunction after no one representing Bogachev or the other alleged hackers appeared in court to contest it. The judge ordered the government attorneys to file a report by July 11 to update the progress being made to fix infected computers.

AP Newswire | Stars and Stripes

See also:

Little public action in Chinese cyberspying case
Jun 3,`14 WASHINGTON (AP) -- Two weeks ago, Attorney General Eric Holder vowed to bring to a U.S. courtroom five members of the Chinese military who the U.S. accused of hacking computers for economic espionage purposes. The FBI even published "Wanted" posters with pictures of all five.
But nothing has publicly happened since then. The men have yet to be placed on a public, international list of wanted criminals. And there is no evidence that China would even entertain a formal request by the U.S. to extradite them. Short of the five men flying to the U.S. for a vacation, there's no practical way they could be arrested outside China without help from foreign governments. It's also unclear whether the charges levied by the U.S. are recognized internationally as crimes. "Our intention is for the defendants to have due process in an American court of law," Holder said on May 19.

Now, weeks later, those prospects look less likely than ever, illustrating the complex legal and diplomatic issues posed by the unprecedented indictment. There may be no viable options for Holder to make good on his word. "The next step needs to be us, here in the U.S., saying this is not just a U.S.-China issue," said Shawn Henry, former cyber director at the FBI and now president of CrowdStrike Services, a security technology company. "This is a China-versus-the-world issue." So far, the U.S. does not appear to have the world on its side. No country so far has publicly expressed support for the groundbreaking criminal charges.

Neither officials in China nor the United States said they would comment on any efforts by American prosecutors to arrest the Chinese military officers. The White House and State Department directed inquiries to the Justice Department, where spokesman Marc Raimondi said, "Our investigation is active, and we are not going to comment on specific actions to locate the individuals charged in the indictment." A federal grand jury charged the five Chinese officials with hacking into five U.S. nuclear and technology companies' computer systems and a major steel workers union's system, conducting economic espionage and stealing confidential business information, sensitive trade secrets and internal communications for competitive advantage. The U.S. and China have no extradition treaty. And China's laws preclude extraditing its own citizens to countries where there is no treaty.

China has denied the hacking allegations and wants the U.S. to revoke the indictment. "The Chinese are obviously not going to extradite their officials to the U.S.," said John Bellinger, the former legal adviser to the State Department. For this reason, Bellinger, now a partner at the law firm Arnold and Porter, said he does not expect the U.S. to make the request. "To ask them to do something that they're obviously going to then deny makes (the U.S.) look ineffectual." The U.S. can ask Interpol, the international criminal police organization, to place defendants on its "red notice" list of wanted fugitives, which would alert the 190 member countries if the men were to travel outside of China. But the five Chinese military officers weren't added to Interpol's public list as recently as Tuesday, although there were 24 other Chinese citizens on that list wanted by the U.S. on charges that included fraud, sexual assault, arson and smuggling.

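Both the Coreflood story and the Gameover Zeus story above describe the same defender-side step: a substitute (sinkhole) server logs the IP addresses of infected machines so ISPs can be told which customers to warn. The script below is an added example, not code from the articles or from any law-enforcement tool; the log format, the prefix-to-ISP table and every IP address in it are constructed for the demo.

```python
"""Turn sinkhole check-in logs into per-ISP victim notification reports.

Added example (not from the BBC/AP articles or any real sinkhole): bots
check in repeatedly, so the raw log must be deduplicated per IP, each IP
attributed to the ISP that owns its prefix, and unattributable sources
parked for manual review rather than silently dropped.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sinkhole log, one check-in per line: "<ISO timestamp> <IP> <bot id>".
SINKHOLE_LOG = """\
2014-06-02T14:01:07Z 192.0.2.17 b0t-0a1
2014-06-02T14:01:09Z 198.51.100.8 b0t-77c
2014-06-02T14:06:07Z 192.0.2.17 b0t-0a1
2014-06-02T14:07:41Z 203.0.113.200 b0t-3f9
2014-06-02T14:08:02Z 192.0.2.88 b0t-c12
2014-06-02T14:11:07Z 192.0.2.17 b0t-0a1
2014-06-02T14:12:30Z 10.9.8.7 b0t-bad
this line is garbage and must not crash the parser
"""

# Constructed prefix-to-ISP table (RFC 5737 documentation ranges as stand-ins).
ISP_PREFIXES = {
    "192.0.2.0/24": "Example ISP A",
    "198.51.100.0/24": "Example ISP B",
    "203.0.113.0/24": "Example ISP C",
}

# Longest prefix first so a more specific allocation wins over a covering one.
NETWORKS = sorted(
    ((ipaddress.ip_network(p), isp) for p, isp in ISP_PREFIXES.items()),
    key=lambda n: n[0].prefixlen, reverse=True)


def parse_log(text):
    """Yield (timestamp, ip, bot_id); malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        yield ts, ip, parts[2]


def attribute(ip):
    """Longest-prefix match of ip against the ISP table, else 'unattributed'."""
    for net, isp in NETWORKS:
        if ip in net:
            return isp
    return "unattributed"


def build_report(text):
    """Return {isp: {ip: {"first": ts, "last": ts, "checkins": n}}}."""
    report = defaultdict(dict)
    for ts, ip, _bot in parse_log(text):
        entry = report[attribute(ip)].setdefault(
            str(ip), {"first": ts, "last": ts, "checkins": 0})
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["checkins"] += 1
    return dict(report)


def notification_lines(report):
    """One line per ISP: how many distinct customer IPs it needs to notify."""
    return [f"{isp}: {len(ips)} infected host(s) -> {', '.join(sorted(ips))}"
            for isp, ips in sorted(report.items())]


if __name__ == "__main__":
    for line in notification_lines(build_report(SINKHOLE_LOG)):
        print(line)
```

The "unattributed" bucket (here the RFC 1918 source) is the case a real sinkhole operator checks by hand, since it usually means a spoofed source, a misconfigured prefix table or traffic arriving through NAT.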