Creating malicious PDF files

June 2, 2008 – 1:10 PM

Yesterday’s post discussed a mystery PDF file that was booby-trapped to drop a backdoor.

Today we’ll look at how these documents are created.

Here’s an example of a tool called Y08-04 aka GenMDB.

[Screenshot: the GenMDB executable]

When run, it displays this user interface:

[Screenshot: the Y08-04 user interface]

The apparent purpose of this tool is to create trojanized PDF files. You select which EXE you want to embed, which PDF file you want to trojanize and which platform you expect the victim to be using.

Cool. Now, the real question is this: How on earth did we get our hands on such a tool?

You’d never guess it.

We received it inside a trojanized PDF file.

Here’s what we believe happened:

Someone, somewhere was using this tool for the first time.

They did a test run, selecting a random PDF file and a random EXE to create a trojanized PDF, just as a test.

As a random EXE, they selected – wait for it – GenMDB.EXE itself!

Then the perpetrator was probably curious to find out if the trojan PDF would be detected by virus scanners or not.

So he uploaded the trojanized PDF to an online scanner.

Hey, thanks. Keep up the good work.

Source: F-Secure Blog
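The tool above embeds an arbitrary EXE inside an otherwise ordinary PDF. A quick triage check for that kind of file is to look for the PDF features a dropper needs (an embedded file stream, a /Launch action, /OpenAction, JavaScript) and to decode each stream and test whether it is a PE image. The following scanner is an added example, not code from the F-Secure post or from GenMDB: `scan_pdf`, `looks_like_pe`, `build_trojanized_pdf` and `CLEAN_PDF` are names chosen for the example, and the sample "trojanized" PDF it builds is a constructed skeleton (a FlateDecode embedded-file stream holding a fake DOS/PE header, plus a /Launch action), not a real viewer-valid document or the output of Y08-04.

```python
import re
import zlib

# Keys a plain document rarely needs but a dropper uses to carry and run a
# payload. These are indicators to count, not a verdict on their own.
SUSPICIOUS_KEYS = (b"/EmbeddedFile", b"/Launch", b"/JavaScript", b"/JS",
                   b"/OpenAction", b"/AA")
# stream ... endstream bodies; the lookbehind keeps "endstream" from matching.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def looks_like_pe(buf: bytes) -> bool:
    """True if buf starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(buf[0x3C:0x40], "little")
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_pdf(data: bytes) -> dict:
    """Return {indicator: count}: suspicious keys seen, and how many streams
    decode to a PE image. An empty dict means nothing was flagged."""
    findings = {}
    for key in SUSPICIOUS_KEYS:
        hits = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", data))
        if hits:
            findings[key.decode()] = hits
    pe_streams = 0
    for m in STREAM_RE.finditer(data):
        raw = m.group(1)
        candidates = [raw]               # stream stored uncompressed
        try:                             # FlateDecode streams are plain zlib
            candidates.append(zlib.decompress(raw))
        except zlib.error:
            pass
        if any(looks_like_pe(c) for c in candidates):
            pe_streams += 1
    if pe_streams:
        findings["pe_in_stream"] = pe_streams
    return findings


def fake_pe_image() -> bytes:
    """Constructed stand-in for an embedded EXE: DOS header + PE signature only."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20 + b"not a real program"


def build_trojanized_pdf(payload: bytes) -> bytes:
    """Constructed sample: a skeletal PDF carrying payload as a FlateDecode
    embedded file plus an /OpenAction that launches it. Not viewer-valid."""
    body = zlib.compress(payload)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n"
        % len(body) + body + b"\nendstream",
        b"<< /Type /Action /S /Launch /F (update.exe) >>",
    ]
    out = b"%PDF-1.4\n"
    for i, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed benign control: catalog and empty page tree, no streams.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
             b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
             b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    print(scan_pdf(build_trojanized_pdf(fake_pe_image())))
    print(scan_pdf(CLEAN_PDF))
```

Run against a real sample, a non-empty result is a reason to open the file in an isolated environment rather than a desktop viewer; a PDF with /EmbeddedFile, /Launch and a PE-shaped stream is the exact profile the tool above produces. The check deliberately decodes streams itself rather than trusting the declared /Filter, since a dropper can lie about its metadata but not about the bytes it needs the victim's machine to execute.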

Beware of Error Messages At Bank Sites

June 2, 2008 – 11:39 AM

If you own or work at a small to mid-sized business, and are presented with an error message about data synchronization or site maintenance when trying to access your company’s bank account online, you might want to give the bank a call: A criminal group that specializes in deploying malicious software to steal banking data is presenting victims with fake maintenance pages and error messages as a means of getting around anti-fraud safeguards erected by many banks.

Dozens of banks now require business customers to log in to their accounts online using so-called “two-factor authentication” methods, which generally require the customer to enter something in addition to a user name and password, such as a random, one-time-use numeric code generated by a key fob or a scratch-off pad.

But one of this past year’s most prolific cyber gangs — which targets virus-laden e-mail attacks against specific individuals at small to mid-sized businesses — has devised a simple but ingenious method of circumventing these security measures. When a victim whose PC is infected with their data-stealing malware attempts to log in at a banking site that requires two-factor authentication, the fraudsters modify the display of the bank site in the victim’s browser with an alert saying “please allow 15 to 30 minutes for your request to be synchronized with our server.”

By intercepting the victim’s password along with the one-time code – and assuring that the victim will never be able to use that one-time code – the thieves can quickly use the one-time code to log in as the victim and proceed to drain the bank account.

Read the rest of the story…
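The mechanism above is a timing trick: a one-time code only protects the account if the legitimate user consumes it before anyone else does, so the malware swallows the victim's form, shows the fake synchronization notice to stop them retrying, and the attacker submits the stolen password and code first. The simulation below is an added example, not code from the article or from any real banking malware. `Bank`, `ManInTheBrowser`, `run_scenario`, the password `hunter2`, the codes and the host names are all invented for the example; the toy bank accepts a password plus a scratch-pad code that is valid exactly once. The same scenario is run twice, with the malware blocking the form and with it forwarding the form, to show why the fake maintenance page is what makes the attack work.

```python
from dataclasses import dataclass, field


@dataclass
class Bank:
    """Toy backend: password plus single-use codes (scratch-off pad style)."""
    password: str
    valid_codes: set
    used_codes: set = field(default_factory=set)
    audit: list = field(default_factory=list)   # (source, code, result) per attempt

    def login(self, source: str, password: str, code: str) -> tuple:
        if password != self.password:
            result = (False, "bad password")
        elif code not in self.valid_codes:
            result = (False, "unknown code")
        elif code in self.used_codes:
            result = (False, "code already used")
        else:
            self.used_codes.add(code)          # burn the code on first successful use
            result = (True, "ok")
        self.audit.append((source, code, result[1]))
        return result


class ManInTheBrowser:
    """Malware in the victim's browser. It always copies the submitted form for
    the attacker; with block=True it never forwards the form and replaces the
    bank's reply with a maintenance notice so the victim waits instead of retrying."""
    NOTICE = ("Please allow 15 to 30 minutes for your request "
              "to be synchronized with our server.")

    def __init__(self, block: bool):
        self.block = block
        self.captured = []

    def on_submit(self, bank: Bank, password: str, code: str) -> tuple:
        self.captured.append((password, code))       # stolen credential pair
        if self.block:
            return self.NOTICE, None                 # bank never sees the form
        return "bank reply", bank.login("victim-pc", password, code)


def run_scenario(malware_blocks_form: bool) -> dict:
    bank = Bank(password="hunter2", valid_codes={"482913", "107744"})
    mitb = ManInTheBrowser(block=malware_blocks_form)
    # 1. victim enters password and the next scratch-off code in the infected browser
    shown, victim_result = mitb.on_submit(bank, "hunter2", "482913")
    # 2. attacker replays the stolen pair from their own host straight away
    password, code = mitb.captured[-1]
    attacker_result = bank.login("attacker-host", password, code)
    return {"victim_saw": shown, "victim": victim_result,
            "attacker": attacker_result, "audit": bank.audit}


if __name__ == "__main__":
    for block in (True, False):
        r = run_scenario(block)
        print("malware blocks form:", block, "-> attacker:", r["attacker"],
              "| victim saw:", r["victim_saw"])
```

With the form blocked, the bank's audit trail shows a single successful login from the attacker's host and the victim sees only the maintenance notice; with the form forwarded, the victim's own login burns the code and the attacker's replay fails with "code already used". That is also the detection angle for the bank side: a successful two-factor login whose source differs from the customer's usual host, followed by a customer phone call about a "synchronization" message, matches this pattern exactly.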

A quarter of US PCs infected with malware

June 2, 2008 – 10:27 AM

An OECD study into online crime says that increased activity by cyber criminals has left an estimated one-in-four US computers infected with malware.

The report, entitled Malicious Software (malware): a Security Threat to the Internet Economy, gives an impression of two worlds engaged in an uneven war of virus invasion and belated defence.

Cyber crime, to steal data, spy and attack government and business computer systems “is a potentially serious threat to the internet economy,” the study, published on Friday, warns.

Organisations involved in “fighting malware offer essentially a fragmented local response to a global threat,” the Organisation for Economic Cooperation and Development says.

“Over the last 20 years, malware has evolved from occasional ‘exploits’ to a global multi-million-dollar criminal industry … Cyber criminals are becoming wealthier and therefore have more financial power to create larger engines of destruction.”

“It is estimated that 59 million users in the US have spyware or other types of malware on their computers,” the OECD report said.

According to Nielsen/Netratings, the US internet population stood at an estimated 216 million at the end of 2007.

In the last five years there has been an upsurge in such criminal activity to attack systems and steal information, money and identities.

Using agents with names ranging from “zombies” and “worms” to “botnets,” “Trojan horses” or “money mules,” criminals can wreak havoc, usurping identities, recruiting and organising cohorts of computers for coordinated attacks, and even steal data for ransom.

Read the rest of the story…

US bank loses details of 4.5 million customers

June 2, 2008 – 10:15 AM

The Bank of New York Mellon Corporation has admitted to misplacing the details of 4.5 million customers, following the loss of a data tape earlier this year.

The backup tape went missing on 27 February while being transported to an off-site archive by a third-party vendor. The lost data includes the names, birthdates and social security numbers of customers of the Bank of NY Mellon and the People’s United Bank in Bridgeport, Connecticut.

The bank said it believes that none of the lost data has been accessed or misused, and that it has begun contacting affected parties.

Source: Vnunet

Beauty contest winner becomes latest victim of online fraudsters

June 2, 2008 – 6:26 AM

IT security and control firm Sophos is reminding computer users about the risks of identity theft and online fraud following news that Jade Saunders, the current beauty contest winner in the British seaside town of Scarborough, has fallen foul of an email phishing scam.

The twenty-year-old student, who was crowned Miss Scarborough in April this year and who is also a semi-finalist for Miss England 2008, had clicked on a link in an email purporting to be from her bank which took her to a genuine-looking website. By entering her details on this convincing fake site, designed to con trusting web users into entering their account information, Jade was providing devious cybercriminals with all they needed to set up a standing order on her account for £10,000 (approximately US $20,000).

Sophos experts remind computer users that they should never respond to emails that request personal financial information and check that the websites they are visiting are secure.

“Although these phishing attacks are nothing new, sadly Miss Scarborough is unlikely to be alone in her misfortune,” said Graham Cluley, senior technology consultant for Sophos. “According to the Anti-Phishing Working Group, phishers are able to convince up to five per cent of recipients to reply to the kind of email sent to Jade, but this needn’t be the case if simple habits are learnt. Reputable companies don’t ask their customers for passwords or account details in email, so even if you think a message from your bank may be legitimate, don’t follow any links, instead visit your bank’s website by typing its address into your web browser.”

Read the rest of the story…