More Than 60 Charged in N.Y. in Zeus Scam

The Manhattan district attorney on Thursday announced charges against 36 people in connection with the operation of the Zeus malware campaign. It’s the second major bust of suspects in the Zeus investigation this week, following the arrest of 20 people in the U.K. on Tuesday. The U.S. Attorney in New York also announced charges against 34 other people in connection with the same operation.

Stolen Digital Certificates Becoming Standard Malware Components

In the 15 years or so of serious malware production before 2010, there had been perhaps a handful of examples of malicious programs using digitally signed binaries to bypass antimalware systems. The emergence of Stuxnet earlier this year brought this tactic into the center of the spotlight, and now researchers say that the new mobile Zeus variant that is targeting Symbian and BlackBerry devices is following suit, using a stolen digital certificate to help cloak itself from security systems.


ED: Gaps in international cyber law could hamper Mariposa case DEK: The take down of the Mariposa botnet is a cyber law enforcement success story – but gaps in international cyber law could make it difficult to prosecute those behind the botnet. A researcher involved in the analysis and dismantling of the Mariposa botnet said that gaps in cyber law in the countries from which the botnet was operated may make it difficult to prosecute those accused of operating the scheme. Pedro Bustamante, a senior researcher at Panda Security in Spain said that the 20-something crew behind the Mariposa botnet, which netted more than E20,000 a month at its height, may never see jail time because of lax cyber laws in Spain and Slovenia that, among other things, don’t consider it a crime to operate a botnet. In a presentation at the Virus Bulletin Conference in Vancouver, British Columbia, Bustamanted said the take down of the Mariposa botnet, which controlled up to 12 million computers at one point, was an example of the benefits of close cooperation between IT security and anti malware firms and law enforcement. Panda was a member of the Mariposa Working Group – a law enforcement industry partnership that also included the US FBI, Spain’s Guardia Civil (GC), as well as researchers at Georgia Tech, Intel and Neustar. Bustamante said that the botnet, one of the largest ever detected, was particularly effective at leveraging MSN instant messaging accounts to spread from computer to computer – monitoring active chat threads, then inserting messages with links to a malicious drive by download Web site into those active conversations. The Working Group, set up shortly after the botnet was identified in May, 2009, proved instrumental in shutting down the command and control infrastructure that Mariposa used in December, 2009. Law enforcement officials in Spain arrested three Spanish citizens accused of being part of the DDR crew, which leased and operated Mariposa from its Slovenian creators. They also seized systems used by the crew to operate the botnet, recovering data on millions and millions of stolen account credentials, Bustamante said. However, Spanish laws may make it difficult to hold the botnet operators and could make prosecution of them difficult, Bustamante said. Despite evidence gathered by law enforcement that the group stole “millions and millions” of credentials from Mariposa-infected systems, it isn’t clear whether that evidence will be admissiable in the case, nor whether operating a botnet explicitly counts as a crime in Spain, Bustmanate said.  Similar challenges may face prosecutors in Solvenia in their attempts to win jail time for Matjaz Skorjanc, a.k.a Iserdo and Nusa Coh,the 20 somethings alleged to have created and sold the Mariposa botnet client and command and control technology. Data seized in the Mariposa case could be used to identify the entire botnet supply chain, including affiliated criminal groups renting botnets and distributing Trojan horse programs, third parties selling hacking tools like crypters and packers, and money mules who are cashing out illicit proceeds. HOwever, Bustamante said its unclear how far law enforcmeent will go in chasing down the many leads that the Mariposa case generated. “The communiation with law enforcement is one way and difficult,” he said. While clearly proof of the benefit to be had from cooperation between law enforcement and private sector companies, Mariposa may also be an example of the limits of such cooperation in the absence of universal adoption of the Convention on Cyber Crime, which harmonizes national laws on computer crime. To date, forty three nations have signed that treaty, including the United States. However, many European nations, including Spain, have not ratified the treaty. (http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=1&DF=9/2/2006&CL=ENG)VANCOUVER–The take down of the Mariposa botnet is a cyber law enforcement success story – but gaps in international cyber law could make it difficult to prosecute those behind the botnet.

The last 10 years have seen a great number of advancements in the sophistication and usability of strong encryption programs, and many people now use encrypted messaging services by default. This has made it much simpler for people to keep their private thoughts and data private and secure, and now the government is working diligently to roll back all of that progress with a naive, ill-conceived effort to cripple secure communications networks in the name of national security.

Members of LinkedIn who clicked on fake connection requests sent users to a Website that displayed “PLEASE
WAITING…4 SECONDS” before redirecting them to Google. During those 4
seconds, the Website downloaded Zeus data-theft malware onto their PCs. Read the full article. [eWEEK]

Security researcher Chris Evans has released details of the data-stealing bug in Internet Explorer 8 that he publicized earlier this month, saying that the CSS flaw can be used to force victims to post messages on Twitter and that the bug appears to be no closer to being fixed.

The world will know more about the mysterious Stuxnet virus by week’s end, after top virus researchers  reveal the findings of their post mortem on Stuxnet at the annual Virus Bulletin Conference. HED: All eyes on Stuxnet at annual virus researcher summitDEK: Researchers will reveal new details about the Stuxnet Virus at the Annual Virus Bulletin Conference in Vancouver this week. The world will know more about the mysterious Stuxnet virus by week’s end, after top virus researchers  reveal the findings of their post mortem on Stuxnet at the annual Virus Bulletin Conference. Researchers from Microsoft, Kaspersky Lab and Symantec are scheduled to reveal more than has been previously known about the mysterious virus, which was first identified in July and has been spreading steadily around the world, targeting industrial control systems manufactured by Siemens. In a joint presentation, researchers from Microsoft and Kaspersky Lab will discuss the findings of a joint analysis of The Stuxnet virus, detailing how the virus leveraged unpatched and – for the most part- unknown holes in MIcrosoft’s Windows operating system to infect and spread over computer networks. Among the questions that experts would like to answer concern the origin of the virus, its exact purpose and how it was able to spread between the protected and isolated infrastructures of some of the world’s top nuclear facilities. In a separate presentation, Liam O’ Murchu of Symantec will reveal details of his analysis of the worm’s inner workings. O Murchu is one of a handful of researchers credited with discovering Stuxnet’s use of a vulnerability in Windows Print Spooler Service to compromise and spread between networked Windows systems. Recent weeks have brought a string of sensational revelations about Stuxnet that have stoked speculation in security and political circles. Analysts long suspected that the virus, widely recognized as one of the most sophisticated threats ever to be publicly disclosed, was designed with a specific target or targets in mind and had nation-state backing. Subsequent analysis of outbreak data from Symantec in recent weeks turned the spotlight on Iran as a likely target and state sponsored hackers working for the U.S. or Israeli army as likely sources for  Stuxnet, which may have been written to quietly disable nuclear enrichment facilities in Iran – an assertation reinforced by industrial control experts and not disputed by the intelligence community.However, each week has also brought new revelations that cloud the Stuxnet picture at just the moment it seems to be coming into focus. Researchers at both Kaspersky and Symantec have publicly questioned the consensus that Iran’s nuclear facilities were Stuxnet’s clear target, citing infection data from India and other countries that rivals that of Iran. O Murchu also noted that the Print Spooler Service hole that he and researchers from Kaspersky Lab independently discovered and repoerted  to MIcrosoft’s Security Response Center had been publicly revealed almost a year earlier in the pages of Polish hacking magazine, Hackin9. O Murchu also revealed on a Symantec blog that the Windows shortcut file (LNK) vulnerability that Stuxnet used to jump from portable media devices to Windows systems was a late addition to the virus. Earlier versions of the worm had, instead, exploited the Windows AutoRun feature to infect Windows systems. That suggests that Stuxnet may have been spreading in the wild for much longer than researchers had previously believed, muddying the picture still more. The most sought after information concern the three as-yet unpatched Windows vulnerabilities used by Stuxnet. Attendees at Virus Bulletin will be looking for any details about those holes or about other Stuxnet capabilities that are as yet unknown. [researcher quote – ]

Google is expanding the set of tools it makes available to Webmasters to help them detect and remove malware infections on their sites, adding a new alert service that will let the owners of large blocks of sites know as early as possible about the presence of malicious content on any of the sites that are under their control.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.