Earlier this year, we told you about the return of CryptoWall, malware that encrypts certain files in your computer and, once activated, demands a fine around $500 as a ransom to provide the decryption key. These kinds of financial fraud schemes target both individuals and businesses, are usually very successful and have a significant impact on victims. The problem begins when the victim clicks on an infected advertisement, email, or attachment, or visits an infected website.
Recently, a click fraud botnet with ties to CryptoWall has been discovered. The malware, nicknamed ‘RuthlessTreeMafia‘, has been being used to distribute CryptoWall ransomware. What first appears as an attempt to redirect user traffic to a search engine quickly mutates into an alarming threat as infected systems begin to download CryptoWall and system files and data become encrypted, rendering them useless by their owners. Click fraud and ransomware are two types of crimeware that are usually quite different from one another and typically don’t have many opportunities to join forces; therefore, the result of this unlikely yet powerful collaboration can be detrimental to its victims.
After the takedown of a major botnet, users have a “two-week window” to protect themselves against a powerful computer attack that ransoms people’s data and steals millions of dollars from unsuspecting victims.
If you read our blog, you are familiar with the dangers of the Zeus Trojan and ransomware, and how people get infected. Here’s a quick review:
1. The victim opens a carefully crafted email which is designed to look like it came from their bank or a well-known company.
2. The victim clicks on and runs an email attachment.
3. Malicious software like the one making the news now, Gameover Zeus, releases a Trojan which searches the computer for passwords and financial data.
4. Once Gameover Zeus finds what it’s seeking, cybercrooks instruct CryptoLocker, ransomware software, to hijack the computer, encrypt the files, and demand payment for it to be unlocked. To get access to your computer again, you must pay a ransom within a set amount of time.
5. Once infected, the computer becomes part of the global botnet.
The good news
Led by the FBI, agents from Europol and the UK’s National Crime Agency (NCA) brought two computer networks that used the Gameover Zeus botnet and Cryptolocker ransomware to infect up to a million computers and cost people more than $100 million under control of the good guys.
The bad news
Why the two-week window?
This window is based on the amount of time the FBI thinks they can ”hold the upper-ground against the cybercriminals.” Two weeks should be enough time for computer users to update their operating system software and security software and disconnect infected computers.
Steps to take now to protect your computer
The FBI, along with the Department of Justice, announced a multinational effort on their website that has disrupted a botnet called GameOver Zeus. GameOver Zeus has infected millions of Internet users around the world and has stolen millions of dollars.
The UK’s National Crime Agency (NCA) has worked closely with the FBI to crack down on the GameOver Zeus botnet. The NCA has given infected users a two week window to get rid of the malware and those lucky enough to have thus far been spared, the opportunity to safeguard themselves against future attacks. The two week window is an estimation on how long it will take cybercriminals to build a new botnet. The FBI has stated on their website that GameOver’s botnet is different from earlier Zeus variants in that the command and control infrastructure communicates peer-to-peer, rather than from centralized servers. This means that any infected computer can communicate controls to other infected devices. If cybercriminals build a new botnet, which will likely happen, the new botnet can resurrect dormant infected machines and continue to infect new users while stealing financial and personal information from innocent victims.
Do you really have two weeks, and what should you do?
Who knows how long it may take for a new botnet to emerge; it could appear tomorrow or in two weeks. People should not take this threat lightly and should act immediately. Read more…
There is a nasty botnet trolling WordPress sites trying to log in with the default admin user name and using “brute-force” methods to crack the passwords. Our advice to save your wordpress blog from being hacked is to change admin as the login name to something else and use strong passwords.
Matt Mullenweg, the founder of WordPress, advises the same thing on his blog. He also said to turn on the two-step authentication, which prompts you to enter a secret number you get from the Google Authenticator App on your smartphone. To make as secure an environment as you can, ensure that the latest version of WordPress is installed as well.
“Do this and you’ll be ahead of 99% of sites out there and probably never have a problem,” Mullenweg writes to assure 64 million WordPress users.
Mac computers running the beta version of avast! Free Antivirus for Mac were not infected by the Flashback Trojan.
“We’ve confirmed our app’s detection abilities for Flashback within the test lab and with reports from our beta testers,” says Jiri Sejtko, director of AVAST Virus Lab operations.
The Flashback Trojan linked to the Mac botnet is a derivative of last year’s DevilRobber Mac OS X Trojan. The AVAST Virus Lab now has 18 variants of this malware in its antivirus database.
“With an estimated 600,000 infected Macs, this botnet is just a large example that the Apple operating system is not immune from malware,” said Jiri. “Add a growing market share that makes Mac an attractive target for the bad guys together with a user base that insists they do not need a security app – you have all the conditions in place for an epidemic to rip through.”
The latest Flashback variants can infect vulnerable Macs without requiring the victim to enter a password. “Mac malware has historically been dependent on social engineering – convincing the user to enter the required password. Now these days are over and Mac users can pick up malware just by visiting an infected website,” adds Jiri. “Welcome to the real world.”
Flashback is a logical step in Mac malware’s steady evolution, he points out. Initial malware samples were rather simple, just compiler-generated code, with no encryption whatsoever, but it has since evolved to be more “custom”, with encrypted strings and code, and structured to avoid security apps like LittleSnitch(firewall software for Mac OS) or Apple’s XProtect. During 2011, there were some large-scale attempts to spread Mac malware via Google Image poisoning.
“It takes 1-2 years for malware guys to adapt to a new technology – it took a similar time when they switched from DOS to Windows. This latest botnet did not fall out of the clear blue sky. The conditions have been building for some time and I’m glad that our security app will soon be available for Mac users,” says Jiri.
avast! Free Antivirus for Mac is currently in the late BETA stage. It includes the latest avast! antivirus engine, three shields (Web, File, and Mail) and the WebRep reputation and anti-phishing plugin for Safari browser. avast! Free Antivirus for Mac builds on the AVAST Software tradition of providing a full-fledged security app which is completely free. More details coming very soon.
Assassinscreedfrance.fr, a French fan site for the wildly popular computer game, is still infected.
For over 8 weeks, the site has been infected with a Trojan java script redirector that sends visitors to a Russian malware site and connects them to a ZeuS powered botnet. The infection was last confirmed by the AVAST Virus Lab at 12.00 CET, April 10, 2012. And, just to make it clear, this Assassinscreedfrance.fr site is not affiliated with Ubisoft, the developers of the Assassin’s Creed franchise.
So far, avast! has blocked over 179,800 visits by its users to this site. And, Assassinscreedfrance.fr is just one of 1,841 sites around the globe that has been infected with this specific Trojan during the month of March.
Powered by variants of the ZeuS Trojan, this collection of botnets has stolen over $100 million from small and medium-sized businesses.
The infection, a Trojan redirector, sends users to Russian malware distribution server with an IP registered in Saint Petersburg, Russia. And yes, this sever is still working, even after Microsofts’ recent takedown of a few dozen botnet servers. Read more…