13.07.2011
The first version of ZeuS-in-the-Mobile (ZitMo), malware which targets mTANs, was discovered at the end of September 2010. In that case it was targeting Symbian smartphones. Later on, ZitMo versions for Windows Mobile and Blackberry were found. It comes as no surprise that cybercriminals have created new and sophisticated pieces of mobile malware for Symbian and Windows Mobile; more surprising is that Blackberry devices were also targeted; and even more surprising is that until July 2011 there was no evidence of ZitMo for Android’s existence. And now please ‘welcome’ ZeuS-in-the-Mobile for Android. [..]
[..] now we have ZitMo targeting 4 platforms: Symbian, Windows Mobile, Blackberry and Android.
via ZeuS-in-the-Mobile for Android – Securelist.
11.07.2011
Security researchers have identified a Zbot component designed for Android which steals mobile transaction authentication numbers sent by banks via SMS. ZeuS, aka Zbot, is one of the most popular banking trojans. Even though the original author of the malware has retired, the source code is available online for anyone to modify and fit it to their needs. Zbot originally targeted desktop systems and stole financial information and online banking credentials which fraudsters exploited.
via Zbot Targets Android Users – Softpedia.
01.07.2011
The fact that TDL-4 code shows active development — a rootkit for 64-bit systems, the malware running prior to operating system start launches, the use of exploits from Stuxnet’s arsenal, P2P technology, its own ‘antivirus’ and a lot more — place TDSS firmly in the ranks of the most technologically sophisticated, and most complex to analyze, malware.
via TDL4 – Top Bot – Securelist.
21.06.2011
About 1,500 customers of internet service provider Virgin Media have been warned that their PCs are infected with a malicious virus. [..]
Virgin is understood to be the first UK ISP to give specific warnings about viruses based on SOCA’s advice. [..]
The company stressed that it had not been monitoring user activity; rather, some of their customers’ IP addresses were found by law enforcement while investigating criminal botnets. [..]
via BBC News – Virgin alerts infected customers.
15.06.2011
Hi there,
I’d like to announce that our annual report has just been published.
In addition, in our repository you can find the slides of the talks that I gave at the Honeynet annual workshop.
Enjoy.
14.03.2011
Last week ENISA released two interesting documents entirely dedicated to the botnet threat.
We’re glad to notice that Dorothy has been mentioned in the “Botnets: Measurement, Detection, Disinfection and Defence” report.
These documents were also presented last week during a dedicated workshop hosted in Cologne, which experts from various sectors attended.
24.02.2011
We have found a new type of financial malware with the ability to hijack customers’ online banking sessions in real time using their session ID tokens. OddJob, which is the name we have given this Trojan, keeps sessions open after customers think they have “logged off”, enabling criminals to extract money and commit fraud unnoticed. This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies. It shows how hacker ingenuity can side-step many commercial IT security applications traditionally used to defend users’ digital – and online monetary – assets. We have been monitoring OddJob for a few months, but have not been able to report on its activities until now due to ongoing investigations by law enforcement agencies. These have just been completed.
[..]
The most interesting aspect of this malware is that it appears to be a work in progress, as we have seen differences in hooked functions in recent days and weeks, as well as the way the Command & Control (C&C) protocols operate. We believe that these functions and protocols will continue to evolve in the near future, and that our analysis of the malware’s functionality may not be 100 per cent complete as the code writers continue to refine it.
[..]
via New Financial Trojan Keeps Online Banking Sessions Open after Users “Logout” | Trusteer.
11.02.2011
We’re glad to announce that this week we’ve made an important step toward the first beta release of the new Java-Dorothy-Drone (aka JDrone)!
Patrizia Martemucci (the main author of the JDrone) has just uploaded the latest version of the code, which fixes the concurrency problem that we encountered while managing several drones for the same C&C.
Right now, we’re running a preliminary test phase, monitoring some IRC botnets using different drones simultaneously, and we are collecting interesting results.
Anyway, some things are still missing, but we are working hard to fix everything asap.
Stay tuned
m4rco-