Kelihos Botnet with 110,000 PCs take down finally

       Botnets are particularly insidious, using thousands of virus-infected computers which their owners are unaware are being used for sending out spam, launching denial-of-service attacks and stealing data. But taking down a botnet poses challenges. The main problem is that legitimate security companies can’t use the same type of weapons as criminals.

          A group of malware experts from security companies Kaspersky Lab, CrowdStrike, Dell SecureWorks and the Honeynet Project, have worked together to disable the second version of the Kelihos botnet, which is significantly bigger than the one shut down by Microsoft and its partners.

          Kelihos is used to send spam, carry out DDoS attacks, and steal online currency such as bitcoin wallets. It operates as a so-called "peer-to-peer" bot network, which are more difficult to take down than those with a centralized command and control servers (C&C), according to Tillmann Werner, a senior researcher at CrowdStrike.

          Seculert reports that Kelihos-B, which was distributed as a Facebook worm over recent weeks, is still active and spreading - even after the shutdown attempt by CrowdStrike and Kaspersky Labs this week. The peer-to-peer Kelihos botnet, also known as Hlux, was sucked into a 'sinkhole' by a small group of security experts from Kaspersky Lab, Dell SecureWorks, CrowdStrike Intelligence Team and the Honeynet Project.

          It's unclear who is behind Kelihos, he said. It was created last October after Microsoft used a sinkhole to halt the original Kelihos botnet, which had infected about 41,000 computers. The latest Kelihos used servers with hosts registered in Sweden, Russia and Ukraine that were controlled by a botmaster, according to CrowdStrike.

     The machines are still infected, and the researchers are relying on ISPs to inform affected users. What is to say this botnet won’t just morph itself again? “That is a possibility,” said Crowdstrike’s Mr. Meyers. “But when that happens, we’ll be there to take it back down.”

Read More

A Russian Zeus attacker Sentenced from Million Dollar Fraud

 

       A Russian Hacker, who was part of an elaborate Cyber attack that used Zeus Banking Trojan in U.S. visas to move cash stolen from U.S. businesses out of the country was sentenced on March 23 to two years in U.S. federal prison.

        Nikokay Garifulin received a two-year prison term for his involvement in a global bank fraud scheme that used hundreds of phone bank accounts to steal over $3 million from dozens of U.S.accounts that were compromised by malware attacks.

 

           According to court documents and statements, Garifulin was part of a cyber bank fraud scheme, backed by Eastern European hackers to steal money from the bank accounts of small and mid-sized businesses throughout the U.S. The cyber attacks included Zeus Trojan, would embed itself in victims’ computers and record keystrokes as they logged into their online bank accounts.

          The hackers responsible for the malware then used the account information to take over the victims’ bank accounts and make unauthorized transfers of thousands of dollars at a time to accounts controlled by co-conspirators, including Garifulin, who were members of a money mule organization.

         Garifulin collected money that had been withdrawn by mules from the phony accounts in the United States and, under the direction of the organization’s leader, distributed it to other co-conspirators and transported it back to Eastern Europe. GARIFULIN also arranged for fake passports to be transferred from Eastern Europe to mules in the United States.

         In addition to his prison term, Garifulin, 23, of Volgograd, Russia, was sentenced to three years of supervised release. He was also ordered to forfeit $100,000 and to pay $192,123,122 in restitution.

Read More

Japan orders Google to remove auto-complete function over privacy complaint

          Google has been ordered to disable part of its autocomplete function in Japan after complaints it violates privacy. According to a report by The Japan Times, the court was acting on a petition accusing Google’s autocomplete feature of being defamatory.

          The petition was filed by a Japanese man (name not disclosed) who alleged that some of the autocomplete suggestions accompanying his name were not only defamatory but also breached his privacy. The unnamed petitioner, in fact, claimed that these defamatory search suggestions even cost him his job. The man came to this conclusion after discovering that when people type his name into Google's search engine, words suggesting criminal acts, which he is unfamiliar with, automatically appear. If a computer-suggested term is selected, more than 10,000 items defaming or disparaging him show up in a list, Tomita said.

          Google has so far not carried out the court's request - but said it was "reviewing the order". "A Japanese court issued a provisional order requesting Google to delete specific terms from autocomplete," the Google spokesperson said in a statement. "The judge did not require Google to completely suspend the autocomplete function."

           Google defended the system, arguing that as results were generated mechanically - rather than by an individual it was not an invasion of privacy." These searches are produced by a number of factors including the popularity of search terms," the company said.

          Google has been having a few problems with these sorts of cases. Last year when a British man was falsely accused of being a paedophile in a Google Places review the company had to pull it. The search engine also had to give in to an Indian law directing internet companies to block religiously offensive information from searches.

Read More

Return of Lulzsec, Dump 170937 accounts from Military Dating Site

        Another Hacking group after Lulzsec, comes with name LulzsecReborn has posted names, usernames, passwords, and emails of 170,937 accounts on MilitarySingles.com on Pastebin as part of the group’s Operation Digiturk. LulzSec was a major ticket item last year as the group hacked a number of high profile Web sites all in the name of the “lulz.” After their so called “50 Day Cruise,” the group broke up and went their separate ways.Hacker claim that, There are emails such as @us.army.mil ; @carney.navy.mil ; @greatlakes.cnet.navy.mil ; @microsoft.com ; etc.. in dump.

 

         In response to a query by the Office of Inadequate Security, ESingles, the parent company of MilitarySingles.com, said that there is “no actual evidence that MilitarySingles.com was hacked and it is possible that the Tweet from Operation Digiturk is simply a false claim.”. LulzSecReborn hack the site and added his deface page here, (as shown in above page) and replied “Stupid Administrator: ‘There is no evidence MilitarySingles is hacked’. Well guess what?”Commenting on the breach, the Office of Inadequate Security said: “If you know a member of the military who uses or has used the site, do them a favor and suggest they change their password on any site where they may have reused it – including their mil.gov email account.”

          In a video posted to YouTube last weekend and titled LulzSec Returns, the group says it decided to "bring back our humble hacking group and set sail towards the interwebs again". Referring to the arrests, it said these had "merely disrupted the active faction".

Read More

Facebook profiles can be hijacked by Chrome extensions malware

          Cybercriminals are uploading malicious Chrome browser extensions to the official Chrome Web Store and use them to hijack Facebook accounts, according to security researchers from Kaspersky Lab. The rogue extensions are advertised on Facebook by scammers and claim to allow changing the color of profile pages, tracking profile visitors or even removing social media viruses.

 

          The attacks manifest as suggestions to download Facebook apps. Those apps are, alas, not real. Instead they are malware and, in one case, a malware-laden Chrome extension hosted in Google's very own Chrome Web Store. To do that, they must follow a series of steps, which include installing a fake Adobe Flash Player Chrome extension. The launchpad for the fake Flash Player is a Facebook app called “Aprenda”. If Aprenda is installed it redirects users to Chrome Web Store, encouraging them to install the fake Flash extension.

          “This last one caught our attention not because it asks the user to install a malicious extension, but because the malicious extension is hosted at the official Google's Chrome Web Store. If the user clicks on ‘install application’ he will be redirected to the official store. The malicious extension presents itself as “Adobe Flash Player”, wrote Fabio Assolini. "Be careful when using Facebook. And think twice before installing a Google Chrome extension," he adds.

          Uploading multiple rogue extensions on the Chrome Web Store and running several Facebook spam campaigns to advertise them allows attackers to quickly compromise thousands of accounts. The malware operates in much the same way as other Facebook scams, such as inviting friends to install it, however the purpose of the highjacking accounts is to generate fraudulent "Likes" which are sold for about US$27 per 1,000.

          Now, the extension Assolini found was concentrated in Brazil, where Chrome enjoys 45% of the browser market and Facebook is by far the most popular social network. That does not, however, mean that the problem is isolated to Brazil. The malicious extension was installed in numerous countries, including the U.S. With these potential security risks in mind, "Think twice before installing a Google Chrome extension".

Read More

Facebook Profile Viewer rogue application spreads on social network

          A rogue application which claims to allow you to see who has viewed your Facebook profile is spreading between accounts on the popular social network. Messages claiming that Facebook has issued a new update which allows you to check who has visited your profile are making the rounds.

New Update from facebook. Now you can check who visited your profile. check here -------->>>FAŒBOOK PROFILE VIEWER ®<<<<------
Who Watching your Profile ?

          If you are intrigued by the Facebook Profile Viewer enough to click on the link, you are asked to permit an application to access your profile. You should always be very careful, of course, about allowing applications to read and write to your

          Facebook profile. And this time is no exception. Because although at first you may believe that the application is showing you the details of people who have viewed your profile..

..behind the scenes, it is posting a message to your Facebook page without your explicit permission, encouraging others to also use the application.

          Clearly rogue applications like this could be used for scooping up personal information, or spreading spam and scams across the social network. So if you fell for it, remove the messages from your timeline, revoke the app's publishing rights and report it as spam to Facebook, and ensure that you have revoked its access to your account.

And remember this - Facebook does not give you any way to find out who has been viewing your profile. Any application or link which claims it can reveal to you who has should be treated with great suspicion.

Read More

Breaching Hundreds of KPN Servers

          Dutch Police Arrest 17-year-old Suspected of The Dutch High Tech Crime Team has arrested a 17-year-old suspected of compromising customer account data on hundreds of servers belonging to telecommunications operator KPN. The teenager was arrested last Tuesday in the Dutch town of Barendrecht, where police seized an encrypted computer, two laptops and other storage media including external hard drives, DVDs and USB sticks, the Dutch Public Prosecution Service announced on Monday.

          "He has made a confession," said Wim de Bruin, spokesman for the Public Prosecution Service.
The arrested teenager called himself "xS", "Yoshioka" and "Yui" online, and is suspected of breaching the security of hundreds of KPN servers last January, compromising user data and damaging KPN's infrastructure, said the Prosecution Service.

          KPN, the biggest telecom operator in the Netherlands, was forced to overhaul its systems to get rid of installed malicious software after the hack was discovered. The National Cyber Security Center of the Netherlands also assessed the security breach and concluded that national security was not compromised.In the wake of the hack, KPN suspended access to 2 million email accounts and asked users to change their passwords, after account details of KPN customers were leaked on Pastebin in early February. The KPN data that appeared online was filtered from the captured database.

          The arrested teenager was followed online for weeks and the Dutch police collaborated closely with the Cyber Terror Response Center in South Korea and the Australian Federal Police, according to the Prosecution Service. A person using the aliases "Yui", "Yoshiaka' and "xS", appeared to have bragged about the KPN hack in a chat channel for students at the Korea Advanced Institute of Science and Technology (KAIST), the prosecution said.

          Besides hacking KPN the 17-year-old is also suspected of hacking computers at KAIST and at Trondheim University in Norway, and of breaching the security of Tokohu University in Japan. He is also thought to have been running a website used for selling stolen credit card data, according to the prosecution.
According to De Bruin the teenager did not confess to the other allegations. "Those are still being investigated," he said.

          After the teenager's arrest, a judge ruled that he was to be kept in custody for at least two weeks. After that period, the Prosecution Service will assess if he has to be kept in custody, or can be freed until his trial. The suspect has legal support from a solicitor and was visited by the Dutch council for child protection, said the Prosecution Service. According to De Bruin, the maximum penalty the teenager faces is two years in prison. The maximum penalty is reduced due to his age. "For an adult the maximum penalty would be six years imprisonment," De Bruin said.

           In the wake of the hacking, KPN said last week it will appoint a Chief Security Officer (CSO), and later this year will set up a permanent control center to monitor its systems. The company has replaced the compromised systems and will spend months checking the security of all its other systems.

Read More

Justin Bieber's Twitter account - hacked!

          Lend a little sympathy to pop star Justin Bieber today, after his Twitter account was hacked and an unauthorised message was sent to his 19 million fans.

19 million my ass. #biebermyballs

          Fortunately the message was rapidly deleted, and it appears that the account was compromised more to spread embarrassing graffiti rather than with more malicious intention. Just imagine how much worse things would have been if millions of Justin Bieber fans had seen a tweet from their hero offering, say, free concert tickets - and the link had really pointed to a website designed to strike their computers with malware.
That's not to say that the hacker didn't do any serious damage at all, of course. According to reports whoever broke into Justin Bieber's Twitter account, also began to unfollow and block some of the folks that the Canadian singer follows.

          If you're one of Justin Bieber's many fans, please learn something from your idol's misfortune. Always choose a strong, secure password for your Twitter account and make sure that you are not using it on any other websites, and never share it with anyone else.

          Furthermore, be careful that you only log into your Twitter account from a computer that is properly protected with up-to-date anti-virus software and security patches - in other words, maybe you shouldn't trust that computer in a hotel lobby or your friend's PC. Keylogging spyware can grab your password without you knowing, and pass it onto malicious hackers.
And remember that just because a Twitter account is "verified", doesn't necessarily mean you can trust every message that is posted to it.

Read More

User IDs and Clear-Text Passwords Leaked from US Army’s CECOM

          Black Jester, the hacker who yesterday demonstrated that he managed to gain unauthorized access to a NASA site, leaked sensitive contract information from a site connected to the US Army Communications and Electronics Command (CECOM).

           A number of 30 record sets that include names, user IDs, physical addresses, email addresses, telephone numbers, and clear-text passwords were published in a Pastebin document. “Old crappy server, but has good info inside it. The list is not complete due the lazy condition and msaccess db , enjoy!” the hacker wrote next to the data dump.

           The Pastebin post doesn’t contain the name of the site from where the data was leaked, but the hacker provided us with the IP address associated with it. That IP address led us to a Software Engineering Services site on which only “eligible users” may register.

           We couldn’t reach the hacker for further comment, but he told us on a different occasion that the names of such sites would not be disclosed to the public to prevent “script kiddiez” from breaching them.
We have sent an email to the webmaster of the site in question and notified him on the incident, but so far we haven’t received any response.

           Black Jester is known in the hacker community as the one who wanted to help the United Nations patch up a couple of its public websites. Instead of doing what most security researchers do in this situation and send an email, he went down to their offices in person.

           His other hacks, which he claims are unrelated to the UN incident, targeted NASA and a Qwest datacenter, whose servers he held hostage with the purpose of forcing the company to patch up the vulnerabilities.

Read More

Carberp Banking Trojan Scam - 8 Arrested in Russia

     8 Men suspected of being involved in the Carberp phishing scam have been arrested in Russia. The men were arrested after a joint investigation by the Russian Ministry of Internal Affairs (MVD) and Federal Security Service (FSB).

    According to the MVD, the investigation found that two brothers were the ringleaders of the gang, and developed a plan to steal money from the accounts of online banking customers. The eight suspects allegedly stole more than 60 million Rubles ($2 million) from 90 victims using the Carberp Trojan.

     Russian security firm who assisted with the investigation, pegged the stolen loot at 130 million Rubles ($4.5 million). Police confiscated computers, bank cards, notary equipment, fake documentation, and more than 7 million Rubles ($240,000) in cash during the raid.

     The gang used the Carberp and RDP-door Trojans to snare victims. Carberp is a well-known Trojan that was recently seen on Facebook as part of a scam where attackers notify Facebook users that their accounts are temporarily locked. All they had to do to get them back was provide their first and last names, email addresses, dates of birth, passwords, and a 20-euro Ukash voucher.

     The suspects will be accused of creating, using and disseminating of harmful computer programs, theft and illegal access to computer information and, if convicted, could be jailed for up to 10 years. In addition to bank fraud, the gang was also involved in distributed denial-of-service attacks, the security firm found.

Read More

Mystery of Duqu Programming Language Solved

       An appeal for help from the programming community has allowed antivirus analysts to classify the unknown language used to develop key components of the Duqu Trojan. The sections responsible for downloading and executing additional modules in the Duqu Trojan, referred to by some as Stuxnet 2.0, were written in standard C++.

 

          Kaspersky Lab experts now say with a high degree of certainty that the Duqu framework was written using a custom object-oriented extension to C, generally called “OO C” and compiled with Microsoft Visual Studio Compiler 2008 (MSVC 2008) with special options for optimizing code size and inline expansion.

       Kaspersky’s Igor Soumenkov wrote, “No matter which of these two variants is true, the implications are impressive. The Payload DLL contains 95 Kbytes of event-driven code written with OO C, a language that has no automatic memory management or safe pointers,”.

Kaspersky’s analysis now concludes:

• The Duqu Framework consists of “C” code compiled with MSVC 2008 using the special options “/O1″ and “/Ob1″
• The code was most likely written with a custom extension to C, generally called “OO C”
• The event-driven architecture was developed as a part of the Duqu Framework or its OO C extension
• The C&C code could have been reused from an already existing software project and integrated into the Duqu Trojan

      The Duqu Framework may have been created by a different programming team, since it is unique to Duqu, unlike many parts of Duqu that seem to be directly borrowed from Stuxnet. It’s believed that the developers are old school that don’t trust C++ and that’s probably why they relied on C. Another reason for using OO C is because back in the good old days it was more portable than C++. 

           Knowing the techniques used to develop the malware allows Kaspersky's researchers to make better guesses about who might be behind the code. Creating Duqu was a major project, so it’s possible that an entirely different team was responsible for creating the Duqu Framework, while others worked on creating drivers and system infection exploits. In this scenario it's even possible that those who created the Duqu framework were ignorant of the real purpose of their work.

          Duqu was first detected in September 2011, but Kaspersky Lab believes it has seen the first pieces of Duqu-related malware dating back to August 2007. The Russian security firm also notes Duqu, like Stuxnet before it, is highly targeted and related to Iran’s nuclear program.

Read More

The Pirate Bay plans Low Orbit Server Drones to beat Censorship

          One of the world’s largest BitTorrent sites “The Pirate Bay” is going to put servers on GPS-controlled aircraft drones in order to evade authorities who are looking to shut the site down. In a Sunday blog post, The Pirate Bay announced new “Low Orbit Server Stations” that will house the site’s servers and files on unmanned, GPS-controlled, aircraft drones.

TPB said:

          With the development of GPS controlled drones, far-reaching cheap radio equipment and tiny new computers like the Raspberry Pi, we’re going to experiment with sending out some small drones that will float some kilometers up in the air. This way our machines will have to be shut down with aeroplanes in order to shut down the system. A real act of war.

 

          We’re just starting so we haven’t figured everything out yet. But we can’t limit ourselves to hosting things just on land anymore. These Low Orbit Server Stations (LOSS) are just the first attempt. With modern radio transmitters we can get over 100Mbps per node up to 50km away. For the proxy system we’re building, that’s more than enough. Low earth orbit is 100 miles up and requires a launch vehicle capable of achieving speeds of 17,000 miles an hour. At “some kilometers up in the air,” these drones would require significant power to stay afloat, and that’s even before the power required to transmit megabits per second over a wireless connection. The LOSS are already in development, writes the blog from TPB. 

 

          As you might wish to solve the energy problem, you have not thought about it well. And that will probably be the weak point. In the air it is hardly the drones now at least can fill up with energy. You will need to load them somewhere where they will be charged. By then, the authorities can access and turn off the drones easily

Read More

Samsung Rolls Out Ice Cream Sandwich for the Galaxy S II

After a very long waiting period, Galaxy S2 owners have a sign of relief as Samsung has finally rolled out the latest Android 4.0 Ice Cream Sandwich update for the Samsung Galaxy S II smartphone. The official announcement was made via the company’s Samsung Tomorrow blog stating that the update will initially be available in Europe, with Poland, Hungary and Sweden mentioned specifically, as well as in Korea. This initial phase will make way for a wider roll out soon after.

 The update to the latest version of the Android OS is done using Samsung’s Kies software. However, users who wish not to wait any longer can follow the instructions on the XDA developers forum to manually update their Samsung Galaxy S2 smartphones.

JK Shin, President of Samsung’s IT and Mobile Communications Group, says -

We expect that our customers will enjoy an enhanced experience with their Galaxy device through this upgrade. Samsung is committed to satisfying our customer needs.

Samsung also made a public announcement on its Samsung Mobile’s Facebook page. Moments later, the announcement brought in over 700+ comments from fans and users of the Samsung Galaxy 2 smartphone.

Read More