PandaLabs Blog Everything you need to know about Internet threats

Anonymous meets real activism? #OpPayPal

All of you know that my main concern regarding Anonymous is the kind of protests they carry on. While they consider a DDoS attack a ‘peaceful protest’ the real thing is that it is a crime. However, it seems we can have some hope: Anonymous has started #OpPayPal and is asking users to close their PayPal accounts. There are a lot of messages in Twitter with the hashtag #OpPayPal, and some users are even publishing screenshots of their just closed account.

The bad news? I’m afraid they will go back to their illegal methods at any moment, and while I’m writing this I’ve just seen that members of LulzSec (related to Anonymous) could be crossing (again) the line:

I say ‘could’ because this could be a fake. There is also a message in Pastebin, but there is no way to guarantee it really comes from LulzSec. Anonymous will publish a press release later today; I’ll let you know of any updates.

Update, 08:53 GMT

The following release has been published through Pastebin:

Dear PayPal, its customers, and our friends around the globe,

This is an official communiqué from Anonymous and Lulz Security in the name of AntiSec.

In recent weeks, we’ve found ourselves outraged at the FBI’s willingness to arrest and threaten those who are involved in ethical, modern cyber operations. Law enforcement continues to push its ridiculous rules upon us – Anonymous “suspects” may face a fine of up to 500,000 USD with the addition of 15 years’ jailtime, all for taking part in a historical activist movement. Many of the already-apprehended Anons are being charged with taking part in DDoS attacks against corrupt and greedy organizations, such as PayPal.

What the FBI needs to learn is that there is a vast difference between adding one’s voice to a chorus and digital sit-in with Low Orbit Ion Cannon, and controlling a large botnet of infected computers. And yet both of these are punishable with exactly the same fine and sentence.

In addition to this horrific law enforcement incompetence, PayPal continues to withhold funds from WikiLeaks, a beacon of truth in these dark times. By simply standing up for ourselves and uniting the people, PayPal still sees it fit to wash its hands of any blame, and instead encourages and assists law enforcement to hunt down participants in the AntiSec movement.

Quite simply, we, the people, are disgusted with these injustices. We will not sit down and let ourselves be trampled upon by any corporation or government. We are not scared of you, and that is something for you to be scared of. We are not the terrorists here: you are.

We encourage anyone using PayPal to immediately close their accounts and consider an alternative. The first step to being truly free is not putting one’s trust into a company that freezes accounts when it feels like, or when it is pressured by the U.S. government. PayPal’s willingness to fold to legislation should be proof enough that they don’t deserve the customers they get. They do not deserve your business, and they do not deserve your respect.

Join us in our latest operation against PayPal – tweet pictures of your account closure, tell us on IRC, spread the word. Anonymous has become a powerful channel of information, and unlike the governments of the world, we are here to fight for you. Always.

Signed, your allies,

Lulz Security (unvanned)
Anonymous (unknown)
AntiSec (untouchable)

Trojan uses Amy Winehouse death

Last week I was talking about how certain cybercriminals use social engineering techniques in order to spread their creations, and today I can show you yet another good example of this, showing how fast these guys react to any news to take advantage of the buzz. In this case they are using the recent death of the singer Amy Winehouse. The body was found last Saturday, and the very same day the most detected malware URL was this one:

http://removed/103684policia-inglesa-divulga-fotos-do-corpo-da-cantora-amy-winehouse-WVA.exe

The name of the file (in Brazilian Portuguese) says “English Police shows pictures of Amy Winehouse body”. The next day the very same URL was again the top detected one, which shows us how effective these techniques are.  In fact this is not the first time the death of a famous person has been used to propagate malware; for example, when Michael Jackson died we could see the same kind of attacks.

This Trojan is just another banking Trojan targeting Brazilian banks. Once executed it copies itself as “googlepad.exe” and modifies the HOSTS file, so when users try to visit one of the targeted websites they are redirected to a fake one, where their credentials are stolen. It does not only target financial companies, but also Hotmail users.

The Trojan is detected as Trj/Banbra.GBW.
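A HOSTS-file hijack like the one this Trojan performs is easy to spot from the defender's side: read the HOSTS file and flag any monitored domain that resolves to something other than a loopback or blackhole address. The following is an added example, not PandaLabs code; the watchlist domains (other than hotmail.com, which the post mentions) and the sample HOSTS content are constructed.

```python
"""Flag HOSTS-file entries that redirect monitored domains elsewhere.

A banking Trojan that rewrites HOSTS makes the victim's browser resolve a
bank's hostname to an attacker-controlled address. Any entry that maps a
monitored domain to a non-loopback, non-null IP is therefore suspicious.
"""
import ipaddress
import re

# Constructed watchlist: hotmail.com comes from the post, the bank domain
# is a placeholder. Replace with the domains you actually protect.
MONITORED_DOMAINS = {
    "hotmail.com",
    "login.live.com",
    "bancoexemplo.com.br",   # placeholder bank domain
}

# Addresses that are harmless in a HOSTS file (loopback or blackhole).
_BENIGN = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("::1"),
    ipaddress.ip_address("0.0.0.0"),
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue   # first field is not an IP address; ignore the line
        for host in fields[1:]:
            yield ip, host.lower()


def _is_monitored(host):
    """True if host equals, or is a subdomain of, a monitored domain."""
    return any(host == d or host.endswith("." + d) for d in MONITORED_DOMAINS)


def find_hijacks(text):
    """Return [(hostname, ip)] for monitored hosts pointed at non-benign IPs."""
    hits = []
    for ip, host in parse_hosts(text):
        if _is_monitored(host) and ip not in _BENIGN:
            hits.append((host, str(ip)))
    return hits


# Constructed sample: two legitimate lines, one deliberate blackhole, and
# two entries of the kind such a banker adds (203.0.113.0/24 is a
# documentation range, used here as the fake server's address).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # blackholed on purpose, benign
203.0.113.45    www.bancoexemplo.com.br
203.0.113.45    hotmail.com www.hotmail.com
"""

if __name__ == "__main__":
    for host, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"HOSTS hijack: {host} -> {ip}")
```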

Brazilians, banking Trojans and social engineering

Maybe you don’t know this, but many guys here in the lab can tell you where a banking Trojan is from just taking a look at it for a few seconds. There are a number of different banking Trojan families, but it’s really easy -once you have analyzed thousands of them- to group them by origin. In the case of the Brazilian ones, there are a number of tips that can be used:

- Size of the file (yeah, I know this is pretty basic but the size of those Trojans is way bigger than the average)
- Programming language (Delphi)
- Text strings (usually Brazilian or South American banks)

And I’m only talking about the binary file. If we take a look at the distribution methods, we can obtain more leads. Unlike the rest of the world, these Brazilian cybercriminals don’t use infection kits (MPack, etc.) but only social engineering techniques, which seems to be good enough for them. One of the latest cases we have seen was using the current president of Brazil, Dilma Rousseff, as bait. They usually spread the malware via e-mail in spam messages, or in Internet forums and social networks:

In this case the downloaded file is the Trojan Nabload.DUF. Taking a look at the server where the file is hosted, we were able to find one folder with a different file (another Nabload):

My Brazilian Portuguese is not great but good enough to understand they are talking about Juju, Nicole and a video. But who are Nicole and Juju? Using one of Internet’s most powerful weapons, a search engine, we find out who Nicole and Juju are:

Nicole Bahls

Juju Salimeni

Now I know what kind of social engineering this one is ;)

Even though the file was uploaded in April, we found some spam messages distributed in July:

Remember that we are the weakest link in security, and no matter how many security measures we take, there is not -yet- an antivirus for human beings ;)

PandaLabs Report – Q2 2011

We are releasing it right now. Do you want to know what has happened in the computer security field during the last 3 months? Just click on the picture!:

Changes are coming

Next week we’ll publish the PandaLabs Report for the 2nd Quarter. This time we have made a few changes. Our team (special kudos to Txema Quintana) has changed the design of the report (for the better), making it easier to read. But this won’t be the only change.

Delivering the news in an impersonal manner is OK, but you already have –or should have– the media for that. My years of experience in the security field together with my own personal perception of the world, where personal freedom plays a pivotal role, are very much present in this report. I am not just delivering the facts, I also take the opportunity to express my views on their protagonists and their behavior.

Those who know me already know I am a very direct person. I am honest and straightforward, outspoken and opinionated, but not rude. And there is something I can guarantee: This report will not leave you indifferent. Love me or hate me, but in the end I just hope you have as much fun reading it as I had writing it for you.

Here you can read an excerpt from the report; next Wednesday (July 6th) you will be able to download and read the entire paper:

From ‘hacktivism’ to ‘stupidism’

It seems that the only way the Anonymous group has to protest is by committing illegal acts. However, if the members of the group were smart enough, they would realize that their constant breaking of the law undermines the legitimacy of their protests. Over the last few months they have launched attacks on Sony and the websites of the U.S. Chamber of Commerce, Spain’s national police force, several governmental institutions, etc.

Moreover, they claim that their activities are ‘peaceful protests’, even though their actions are purposefully designed to cause economic loss and are completely illegal. They say they represent everyone’s ‘best interest’ but are not brave enough to appear publicly, hiding instead behind their pseudonyms.

Well, if you hadn’t already had enough of Anonymous, a new hacker collective called LulzSec has emerged, whose claimed main motivation is simply ‘to have fun by causing mayhem’. In my opinion, if you took the most irresponsible and brainless members of Anonymous and put them all together, they would be considered the most refined gentlemen compared to LulzSec.

My take on the IMF hack

This weekend, while the Anonymous people were DDoSing the Spanish Police web site in what they call “peaceful protests” (are they ignorant or just cynical?), another piece of news came out: the International Monetary Fund had been hacked, and had been compromised for months. Shocking news :)

As soon as it was made public, all media started talking about it, and it was on the front page of every news site. Even though there are no details on the attack, speculation started about a “foreign country” being behind it, with many fingers pointing at China (as usual :) ) and talk of cyberwarfare. It makes sense that such an institution can be a target: even though 187 countries belong to the IMF, some of them could want VIP access to obtain certain information.

But it also makes sense that this is not a targeted attack. Imagine someone working for the IMF (let’s call him Dominique, just a random name) enjoyed watching hot girls, went to some website of questionable reputation ;) and tried to install some video codec to watch a video, getting infected with a Zeus-like Trojan. From that moment, Dominique’s computer was compromised, and his personal info -well, better said, ALL the information he had access to- was being stolen.

This happens every day on thousands of computers. So we’ll have to wait until some real information is disclosed; meanwhile, take care or you could be the next Dominique!

Three members of Anonymous arrested in Spain

Last updated: 11:15 GMT+1

Spanish Police have just released a screenshot dated May 18 showing a number of targets attacked by the Anonymous group, including Spain’s Central Electoral Board and the Police Corps website. You can see the screenshot here.

The Spanish Police have announced on Twitter the arrest of “three leaders of the Anonymous group in Spain.” These arrests have taken place in Barcelona, Alicante and Almeria. According to police sources, the alleged Anonymous members were decision makers and were involved in the recent attacks. Also, police agents have seized one of the servers used in many of the attacks in Gijon (Northern Spain).

First, I’d like to congratulate the Spanish police for the arrests. We are all glad to see law enforcement efforts finally paying off and stopping criminals from getting away with their crimes. However, I am very much afraid that the fact that the ‘main leaders of the Anonymous group’ in Spain are now under arrest does not mean the group will cease its activities. We must bear in mind that Anonymous is a highly anarchic organization with no strict hierarchy. I am sure these people have taken part in the attacks -as claimed by the police-, but there is no evidence that they are actually the leaders of the group. Remember that Anonymous makes decisions collectively and they normally set actions and objectives through forums and general voting.

We are very likely to see some kind of retaliation from Anonymous over the next few hours, as they are used to getting away with their actions and these arrests are surely very bad news for them.

Security industry’s dirty linen

There are a lot of discussions going on about net neutrality. Kevin Townsend talked about that recently in an answer to my Freedom vs Security blog.

A big concern nowadays is how certain industries, such as the music one, are lobbying governments to protect their particular interests. I’m not going to discuss this topic today (send me your comments if you want to discuss it) but my position is crystal clear:

  • A web shutdown has to be done with warrants / legal mandates.

It’s easy, isn’t it? At the end of the day what I want is to be treated as in the “real” life. If a police officer wants to walk into my home without my consent he needs a search warrant.

In the security industry we don’t usually look at copyright violations, but at cybercriminals who want to steal people’s money and information. The fight takes place in a number of different fields, but we shouldn’t forget that we are not police officers, even though we are fighting against the same bad guys.

If I find a website used to host phishing, I will:

  • Add that URL in our “blacklist” to protect my users.
  • Share the URL with the rest of vendors so they can protect their users.

Should I stop here? I could check who is the owner of the site, report it to the police, talk to the ISP hosting that site, etc.

Every day thousands of website shutdowns happen with no warrants or legal mandates. And Law Enforcement is not involved. Why? Well, this is just a description of how things happen:

  • Criminals are creating thousands of new malicious sites, with the only purpose of infecting users and stealing their personal information.
  • Security researchers from private companies try to stop that, as they have customers to protect. We find them, we ask the owner of the hosting place to remove it (showing proof of it.)
  • They remove it, and the criminals will look for a new place.

There are a number of variations (for example, there are bullet-proof hosting services created by criminals for criminals where it’s impossible to get any malicious content removed) but this is the main idea. But why is Law Enforcement (LE) not directly involved in this? A number of reasons:

  • The malicious site can be hosted anywhere around the globe, while LE has local jurisdiction.
  • Even if it is a local crime, it can take ages to get a warrant while people are falling for it, and the attack may only last a few hours.
  • It may be not considered a crime in some countries.
  • Victims don’t know yet they are victims, so they don’t report it.
  • Etc.

There are even companies whose main focus is to perform these shutdowns, as there are a number of companies willing to pay thousands to have those sites removed because their brand is being abused to steal their customers’ money. It’s important to note that not everything is black or white: hosting those phishing sites could be a violation of the ISP’s rules, and in that case it could be perfectly legal for the ISP to remove them.

There are many people supporting the idea that the end justifies the means. Of course this is not my case, but even for those that support it, it’s obvious that here we don’t get to the right end: one of the major consequences we have to face is that as LE is not involved, they can not investigate it and criminals will walk free and anonymous.

Now many of you will tell me that I should come down to earth ;) and that in real life things are not that easy. From the point of view of one of the companies that are continuously targeted, such as eBay, PayPal or hundreds of banks and credit unions, it’s easy to understand that they don’t want to wait; they want to have their users protected ASAP. They could claim that LE does not have the resources to get the job done, and that because of that, changing the way they act nowadays would make things even more profitable for cybercriminals.

Let’s take a look at a different kind of crime that usually appears in the news: pedophilia. The same kind of actors are involved: criminals, illegal material, websites that have to be shut down… Ask a security researcher what happens when he finds a compromised site with this kind of material: all of them will report it to LE, and LE will act fast and in a coordinated way. Content will be removed and people will be arrested. Everything is done with judicial oversight, as it should be done with phishing / malware incidents.

My 2 cents: there is no silver bullet, but more and better LE coordination among countries would work.

Thoughts? Should we look the other way? Should we stop shutting down malicious sites? Should we just report it to LE and forget it? Maybe we should all join and remove all politicians and try to make things with common sense? ;)

PS: Many security companies and security researchers have been working for years with different LE agencies. One example was the Mariposa case, where the Spanish Guardia Civil and the FBI were involved after being contacted by Defence Intelligence and Panda Security. I could name a number of other cases where companies such as Microsoft are working hard with LE, and that happens on a daily basis. But at the end of the day, we manage a huge number of cases (we are detecting 73,000 new malware samples a day!) and only in certain cases do we contact LE.

Bin Laden’s Death and the Royal Wedding: Curiosity killed the cat

It could not be any other way. The two most relevant events over the last few days are being used as bait to trick users and infect their PCs. These events are Osama Bin Laden’s death and the Royal Wedding.

The malicious file is the same in both cases, a banking Trojan seemingly originating from Brazil. In the case of Osama Bin Laden, the Trojan first tries to trick users by offering the White House’s best kept secret: the video of his death. Quite surprisingly, however, it also claims to have footage of Bin Laden alive and holding a newspaper dated after his “supposed” death. And, yes, it takes the opportunity to call Obama a liar, even in the file’s name.

And it is working. After analyzing the malicious URLs used to download malware over the last few days, we’ve seen that, indeed, the links to Bin Laden’s videos appear in second and fourth place in the ranking (that is, people are massively clicking on them).

The malicious codes used are downloader Trojans belonging to the Banload family. They spread through email and social networks primarily and try to download two images from a webpage, which they later rename and run.

The second attack exploits the royal wedding between Prince William and Kate Middleton last Friday. In this case the bait is quite sensationalist: a ‘censored video of the Princess’ with an alleged ‘ex-boyfriend’ some weeks before the wedding. The malware used in this case is the same banking & downloader Trojan from Brazil.

We are glad to see that hackers stay up-to-date with the latest world news, but we are not so happy to learn that they keep exploiting them for their fraudulent activities. As always, we advise users to be very wary of this kind of content. If such videos really existed they would no doubt make the headlines on CNN or any other TV stations, they wouldn’t end up in your hands first.

In any event, if any of you have fallen victim to your own curiosity, we recommend that you scan your PC with a good free online antivirus (such as Panda ActiveScan) to make sure that this time at least, curiosity did not kill the cat.

Greetings from Prague

This week I’ve come to Prague to attend a couple of important meetings. Firstly there is an AMTSO meeting. This will no doubt be the most important AMTSO meeting since the organization was set up, as we are about to approve a series of changes that will affect how the organization operates. After starting out from scratch, we now have several years’ experience, and have produced a series of documents with highly useful recommendations for anyone wanting to test antivirus products.

One of the great concerns we have is that many members of AMTSO are antivirus developers and yet relatively few are testers, publishers, academics or end users. We have made some changes to make the organization more accessible to new members, but there is still a long way to go.

Although this is a normal reflection of the situation (there are more developers than testers), the truth is that as developers we have too much power. One of the proposals on the table is to change the voting system and create two ‘chambers’ (like a congress/senate system) where both chambers would have to approve papers, decisions, etc. This way, with developers restricted to one chamber, we could mitigate the excessive influence they might have.

In addition, the candidates to four of the seats on the Board of Directors will be presented. I am one of the candidates, so wish me luck. Voting takes place in June, I’ll let you know how my political ambitions progress ;)

To close the week, the CARO Workshop will take place on Thursday and Friday, and there will be some really interesting presentations. You can see the program here.
