The popular EC2 cloud hosting service operated by Amazon suffered a botnet attack last week, and it was revealed that the service was unwittingly playing host to a command-and-control unit for the malicious software.
A botnet formed by the infamous Zeus Trojan was found to have infected some of EC2's client sites, and spread to others through the cloud service provider. This resulted in several service outages last week, as it unfortunately coincided with power failures at an Amazon facility in northern Virginia.
Amazon told CNET that "When we find misuse, we take action quickly and shut it down...which we did in this case. Our terms of usage are clear and we continually monitor and work to make sure the services aren't used for illegal activity. We also take the privacy of our customers very seriously, and don't inspect their instances."
EC2 offers the type of highly customizable - and more importantly, scalable - cloud hosting solutions that proponents of the cloud model say will revolutionize the IT world. However, the controversy over security and reliability will only be fanned by last week's events.
Tag Archives: trojan
UK cops arrest two in Zbot Trojan case
Filed under Security News
Tagged as British, online banking, police, the Guardian, trojan, two, ZBot
The British Metropolitan Police took two suspected cyber criminals into custody earlier this month in connection with an investigation into the Zbot banking Trojan.
Zbot, which is also known as Zeus, is a highly sophisticated piece of malicious software, according to experts. The Trojan, which is difficult to detect with conventional anti-virus software, is capable of recording and retransmitting a wide array of personal information back to a central server, including online banking and social networking data.
Zbot can also form infected machines into a botnet, which can then be used to perform a number of malicious online actions like spam campaigns and denial-of-service attacks. Signature-based virus detection is frequently useless against the Trojan, since it can take on numerous forms.
The Guardian newspaper says that the suspects, one male and one female, are both 20 years old. They were arrested in Manchester, and are currently free on bail while the investigation continues. Police told UK media outlets that the two used Zbot to steal "millions of lines of data" from affected computers.
Microsoft Security Essentials detects malware that kills Windows XP
Filed under Security News
Tagged as malware, Microsoft Security Essentials, MSE, trojan, Win32/Daonol
A new Trojan malware detected by Microsoft Security Essentials as Win32/Daonol steals credential information and redirects web traffic, Microsoft said on its malware protection blog.
The malware protects itself by disabling anti-virus software or blocking access to some websites, and buggy versions of the Trojan prevent Windows XP from shutting down or rebooting.
"If you have (or someone you know has) a Windows XP system which won't boot completely (ie, shows the Windows XP splash-screen with the progress bar, but then the screen turns black and the system never starts up completely), it's likely a Daonol infection," Microsoft's Aaron Putnam said.
Windows XP runs on the majority of Windows-based systems and is still the most popular operating system in the world. Millions of XP machines have been hooked by malware and worms to form enormous botnets of zombie PCs.
Other anti-virus companies detect the Daonol Trojan as Lando, Hacktool.Rootkit and Kates. Microsoft Security Essentials and web-filtering software from major security companies can detect and remove the threat.
Gumblar Trojan exploits Adobe Reader and Acrobat security hole
Filed under Security News
Tagged as acrobat, adobe, Gumblar, hole, reader, security, trojan, vulnerability
A security flaw in Adobe Reader and Acrobat is being actively exploited by cyber attackers with malicious PDFs. Security researchers at IBM's web security labs have seen a surge in attacks on this security vulnerability.
IBM researchers said on the Frequency X Blog that variants of the Gumblar Trojan are attacking security holes in Microsoft Office, web browsers and Adobe products, but most of the attacks are aimed at Adobe Acrobat and Reader.
"Here in Managed Security Services, we've noticed a considerable elevation in our global hits on malicious PDF files," the IBM researchers said on the blog. "More specifically, the signature used to detect the latest Adobe Reader Remote Code Execution has picked up most of the activity."
Adobe disclosed the security vulnerabilities in its October 13 batch of security patches and recommends users of Adobe Reader 9.1.3 and Acrobat 9.1.3 and earlier versions update to Adobe Reader 9.2 and Acrobat 9.2.
The security bulletin from Adobe on the flaw said remote code execution could allow an attacker to take control of a user system if a victim opens a PDF file infected with the virus.
Hotmail passwords likely hacked, not phished, security researcher says
Microsoft said a phishing scam was the likely culprit behind last week's exposure of 30,000 email passwords from Windows Live Hotmail, Gmail and other webmail accounts. But a security researcher says the passwords were likely pilfered using data-stealing malware.
Mary Landesman, a senior security researcher at ScanSafe who has closely analyzed the list of email account passwords published by hackers on a public website last week, said the strength of most of the passwords indicates more sophisticated users than those typically duped by phishing scams.
Landesman wrote on the ScanSafe STAT blog that several characteristics of the list point to data-stealing Trojans, which can record keystrokes of PC users, not phishing scams.
An analysis by Microsoft of passwords phished from MySpace users found that 4 percent to 5 percent of the passwords were tip-offs that users realized they were being phished, with passwords like "fake" and "urhacking," according to Landesman.
But the recent cache of email passwords did not include any of this type, Landesman said.
"Certainly no one but the original thief can say for sure and thus the question of origin of the stolen data will likely never be fully answered," she said in the blog. "But as of now, data theft still seems a very likely cause."
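Landesman's argument can be turned into a repeatable triage step: score each leaked entry for strength, count the entries that read like a user mocking a phishing page ("fake", "urhacking"), and let those two numbers suggest an origin. The script below is an added example, not code from the original post or from ScanSafe; both password lists and the strength rubric are constructed, and the tip-off marker list extends the article's two examples with a few more strings of the same kind.

```python
"""Triage a leaked credential list: phishing bait or malware theft?

Added example; not code from the original post or from ScanSafe. The two
password lists and the strength rubric are constructed; the tip-off markers
extend the two examples the article quotes ("fake", "urhacking").
"""
import string
from collections import Counter

# Strings a user types into a page they have already recognised as a phish.
# "fake" and "urhacking" come from the article; the rest are constructed.
TIPOFF_MARKERS = ("fake", "urhacking", "phish", "scam", "notreal")


def is_tipoff(pw: str) -> bool:
    """True if the entry reads like mockery of a phishing page rather than a real secret."""
    low = pw.lower()
    return any(marker in low for marker in TIPOFF_MARKERS)


def strength_bucket(pw: str) -> str:
    """Constructed rubric: length plus the number of character classes used."""
    classes = sum((
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ))
    if len(pw) >= 10 and classes >= 3:
        return "strong"
    if len(pw) >= 8 and classes >= 2:
        return "moderate"
    return "weak"


def summarize(passwords) -> dict:
    """Tip-off rate and strength distribution for one leaked list."""
    n = len(passwords)
    tipoffs = sum(1 for p in passwords if is_tipoff(p))
    buckets = Counter(strength_bucket(p) for p in passwords if not is_tipoff(p))
    return {
        "count": n,
        "tipoff_rate": tipoffs / n if n else 0.0,
        "strong_share": buckets["strong"] / n if n else 0.0,
        "buckets": dict(buckets),
    }


def likely_origin(summary: dict) -> str:
    """Apply the article's reasoning: tip-offs point to phishing; no tip-offs
    plus mostly strong passwords points to data-stealing malware."""
    if summary["tipoff_rate"] >= 0.02:
        return "phishing"
    if summary["tipoff_rate"] == 0 and summary["strong_share"] >= 0.5:
        return "data-stealing malware"
    return "inconclusive"


# --- constructed sample lists --------------------------------------------------
PHISHED_SAMPLE = [
    "password1", "fake", "urhacking", "123456", "qwerty", "iloveyou", "Summer09",
    "letmein", "abc123", "football", "monkey12", "Princess1", "dragon", "baseball",
    "sunshine", "NotReal!", "hello123", "charlie", "shadow", "master",
]
MALWARE_SAMPLE = [
    "Tr0ub4dor&3", "xK9#mPq2vL", "correct-Horse1", "B4nk!ngP@ss", "M0nkey$Business",
    "zeta7Alpha!9", "Qu1ckBr0wnF0x", "S3cureMe!!", "hunter2", "Lakers2009!",
]

if __name__ == "__main__":
    for label, sample in (("phished-style", PHISHED_SAMPLE), ("malware-style", MALWARE_SAMPLE)):
        s = summarize(sample)
        print(f"{label}: tipoff_rate={s['tipoff_rate']:.2f} strong_share={s['strong_share']:.2f} -> {likely_origin(s)}")
```

The 2 percent threshold is a deliberately conservative reading of the 4 to 5 percent figure the article attributes to Microsoft's MySpace analysis; the rubric is only a proxy for the "strength" Landesman judged by eye, so treat the verdict as a prior for further investigation rather than proof.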
Skype Trojan malware can secretly record VoIP calls
Security researchers have spotted attack code published on the web that could allow hackers to secretly record audio and video sent over the Skype VoIP service. The Trojan, called Skype.Peskyspy, records Skype calls and stores them as an MP3 file for later transmission.
The Trojan injects a DLL component into a Skype process and then hooks the "send" and "recv" APIs used by Skype, redirecting them to the Trojan's own custom functions, according to web security firm Sophos.
"This allows the Trojan to extract and save the audio and video data and send it back to the attacker," wrote SophosLabs researcher Richard Cohen on the company's blog.
Although Skype secures the data while it's being transmitted between callers, the Trojan can intercept the data at the sender or receiver end.
"In this case, you yourself can be secured to the hilt, but if the person you're talking to on Skype has a Trojan installed then it's still going to steal the words right out of your mouth," Cohen wrote.
The Trojan was discovered by a major internet security firm, which reported that the Trojan is being spread via email links and social engineering attacks in spam emails and messages, according to the Tech Herald.
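Hooking an API the way Sophos describes overwrites the first bytes of the exported function with a jump into the injected DLL, which is something a defender can look for: read the prologue of each export of interest and check whether control leaves the image that owns it. The script below is an added example, not code from the original post or from Sophos. The export names are real Winsock functions, but every address, module range and prologue byte string is constructed so the check runs offline on any platform.

```python
"""Heuristic detection of inline (prologue) hooks on exported API functions.

Added example; not code from the original post or from Sophos. The export
names are real Winsock functions, but every address, module range and
prologue byte string below is constructed for the demonstration.
"""
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ExportSample:
    """What an inspector reads for one export: where it lives and its first bytes."""
    name: str
    address: int      # virtual address of the function entry
    module_lo: int    # start of the image that legitimately owns the export
    module_hi: int    # end (exclusive) of that image
    prologue: bytes   # first bytes found at `address`


@dataclass(frozen=True)
class Verdict:
    severity: str     # "hooked" (control leaves the module) or "review"
    target: int
    note: str


def _classify(s: ExportSample, target: int, how: str) -> Verdict:
    inside = s.module_lo <= target < s.module_hi
    # A jump that stays inside the owning image may be a legitimate thunk or
    # tail call; one that leaves it is the classic inline-hook signature.
    return Verdict("review" if inside else "hooked", target,
                   f"{how} to {target:#x} ({'inside' if inside else 'outside'} module)")


def hook_verdict(s: ExportSample) -> Optional[Verdict]:
    """Return a Verdict for a suspicious prologue, or None if it looks clean.

    Opcode patterns checked (x86/x64):
      E9 rel32              near JMP
      68 imm32 ; C3         PUSH addr ; RET   (push-ret trampoline, 32-bit)
      48 B8 imm64 ; FF E0   MOV RAX, imm64 ; JMP RAX (64-bit absolute jump)
      FF 25 disp32          JMP [mem]; the slot contents are not in the snapshot,
                            so it is only flagged for review.
    """
    p = s.prologue
    if len(p) >= 5 and p[0] == 0xE9:
        rel = struct.unpack_from("<i", p, 1)[0]
        return _classify(s, s.address + 5 + rel, "jmp rel32")
    if len(p) >= 6 and p[0] == 0x68 and p[5] == 0xC3:
        return _classify(s, struct.unpack_from("<I", p, 1)[0], "push/ret")
    if len(p) >= 12 and p[:2] == b"\x48\xB8" and p[10:12] == b"\xFF\xE0":
        return _classify(s, struct.unpack_from("<Q", p, 2)[0], "mov rax/jmp rax")
    if len(p) >= 6 and p[:2] == b"\xFF\x25":
        return Verdict("review", 0, "indirect jmp [mem] at entry; resolve the slot")
    return None


def scan(samples) -> dict:
    """Map export name -> Verdict (or None) for every sampled function."""
    return {s.name: hook_verdict(s) for s in samples}


# --- constructed samples -------------------------------------------------------
WS2_LO, WS2_HI = 0x7FFB12340000, 0x7FFB12360000   # pretend ws2_32.dll image range
SEND_ADDR = 0x7FFB12345000
HOOK_TARGET = 0x7FFB00001000                       # outside the image: injected code

SAMPLES = [
    # send: prologue overwritten with a near jump to code outside ws2_32.dll
    ExportSample("send", SEND_ADDR, WS2_LO, WS2_HI,
                 b"\xE9" + struct.pack("<i", HOOK_TARGET - (SEND_ADDR + 5)) + b"\xCC" * 7),
    # recv: ordinary x64 prologue (mov [rsp+8],rbx ; mov [rsp+10h],rsi ; push rdi ; sub rsp,20h)
    ExportSample("recv", 0x7FFB12346000, WS2_LO, WS2_HI,
                 b"\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x57\x48\x83\xEC\x20"),
    # closesocket: a jmp that stays inside the image (thunk); worth a look, not a hook
    ExportSample("closesocket", 0x7FFB12347000, WS2_LO, WS2_HI,
                 b"\xE9" + struct.pack("<i", 0x7FFB12350000 - (0x7FFB12347000 + 5)) + b"\x90" * 7),
    # WSARecv (32-bit image): push-ret trampoline into injected code
    ExportSample("WSARecv", 0x71A01000, 0x71A00000, 0x71A50000,
                 b"\x68" + struct.pack("<I", 0x00410000) + b"\xC3\x90\x90"),
    # WSASend (32-bit): the hot-patchable "mov edi,edi ; push ebp ; mov ebp,esp" prologue
    ExportSample("WSASend", 0x71A02000, 0x71A00000, 0x71A50000,
                 b"\x8B\xFF\x55\x8B\xEC\x83\xEC\x10"),
]

if __name__ == "__main__":
    for name, v in scan(SAMPLES).items():
        print(f"{name:12s} {'clean' if v is None else v.severity + ': ' + v.note}")
```

In a live inspector the prologue bytes and module ranges come from the target process's memory and loaded-module list; the classification logic stays the same. Note that an in-image jump is only queued for review, because compilers legitimately emit thunks that start with a jump.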
Will Mac OS X 10.6 Snow Leopard include antivirus protection?
Filed under Security News
Tagged as 10.6, antivirus, Mac OS X, OSX.RSPlug.A, OSX/Puper, Snow Leopard, trojan
Mac OS X 10.6 Snow Leopard, the newest version of the Mac operating system that goes on sale Friday, may contain an antivirus scanner application, according to several security blogs that cover Macs.
The rumor mills started working because of a screenshot showing what appears to be an antivirus scanner on Snow Leopard detecting a Trojan download from the Safari web browser. The screenshot shows the scanner identifying the Trojan as OSX.RSPlug.A.
OSX.RSPlug.A, also known as OSX/Puper, has been spotted by security researchers disguised as a Mac Cinema installer that attempts to download other malware.
According to security researchers at McAfee, the attack appears to users as a disk image, which launches an installer application for the phony Mac Cinema software. Once the installer completes its task, the user becomes infected with a script file named AdobeFlash.
Other Mac malware, known as Jahlav, has been seen in the wild posing as pirated versions of legitimate applications.
The Jahlav Trojan modifies a Mac's DNS settings, allowing Mac users to be victimized by phishing attacks or surreptitiously redirected to websites hosting malicious exploits, Trend Micro reported on its malware blog.
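A DNS-changing Trojan like Jahlav leaves a simple artefact: the host's resolver list no longer matches what the network hands out. The check below is an added example, not code from the original post or from Trend Micro. It parses resolv.conf-style text (the "nameserver"/"search" syntax that Linux and macOS write to /etc/resolv.conf) and reports any resolver outside an expected set; both configurations and the expected-resolver list are constructed, and 203.0.113.0/24 is a documentation range standing in for a rogue resolver.

```python
"""Check whether a host's DNS resolvers have drifted from the expected set.

Added example; not code from the original post or from Trend Micro. Both
resolver configurations and the expected-resolver list are constructed;
the format is the resolv.conf "nameserver"/"search" syntax.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ResolverReport:
    nameservers: list
    search_domains: list
    unexpected: list = field(default_factory=list)   # valid IPs not on the expected list
    invalid: list = field(default_factory=list)      # entries that are not IP addresses at all

    @property
    def tampered(self) -> bool:
        return bool(self.unexpected or self.invalid)


def parse_resolv_conf(text: str):
    """Return (nameservers, search_domains); comments and blank lines are ignored."""
    nameservers, search = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if not parts:
            continue
        key, values = parts[0], parts[1:]
        if key == "nameserver" and values:
            nameservers.append(values[0])
        elif key in ("search", "domain"):
            search.extend(values)
    return nameservers, search


def check_resolvers(text: str, expected) -> ResolverReport:
    """Compare the configured resolvers with the ones the network is supposed to hand out."""
    nameservers, search = parse_resolv_conf(text)
    report = ResolverReport(nameservers, search)
    expected_ips = {ipaddress.ip_address(e) for e in expected}
    for ns in nameservers:
        try:
            ip = ipaddress.ip_address(ns)
        except ValueError:
            report.invalid.append(ns)        # garbage in the resolver list is itself a finding
            continue
        if ip not in expected_ips:
            report.unexpected.append(ns)
    return report


# --- constructed inputs --------------------------------------------------------
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}       # what DHCP on this network hands out

CLEAN_CONF = """\
# Generated by DHCP client
search corp.example
nameserver 10.0.0.53
nameserver 10.0.1.53
"""

TAMPERED_CONF = """\
search corp.example
nameserver 203.0.113.7      # rogue resolver inserted ahead of the real ones
nameserver 10.0.0.53
nameserver bogus-entry
"""

if __name__ == "__main__":
    for label, conf in (("clean", CLEAN_CONF), ("tampered", TAMPERED_CONF)):
        r = check_resolvers(conf, EXPECTED_RESOLVERS)
        print(f"{label}: tampered={r.tampered} unexpected={r.unexpected} invalid={r.invalid}")
```

On macOS the effective resolver set is what `scutil --dns` reports, so feed that output through an equivalent parser rather than relying on /etc/resolv.conf alone; the comparison against the expected set is the part that matters.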
Black Hat report: ‘Clampi’ Trojan a perfect tool for identity theft
A web security researcher for SecureWorks told hackers gathered at the annual Black Hat conference in Las Vegas that a data-stealing Trojan known as Clampi is being used for one of the most sophisticated malware and identity theft attacks on the web today.
The Clampi Trojan has spread to hundreds of thousands of PCs and steals personal information from users, which is then used to drain their bank accounts. One small business in Georgia, Slack Auto Parts, lost $75,000 earlier this month due to an infection by the Trojan, according to Joe Stewart, a researcher at SecureWorks.
Stewart said he has identified 1,400 banking websites in 70 different countries out of roughly 4,500 bank sites being targeted by those behind Clampi for the purpose of identity theft and fraud.
Clampi's recent success in infecting PCs comes from using domain administrator credentials stolen by the Trojan to copy itself to every computer on the domain. Clampi also spreads in drive-by download attacks when users visit a compromised website.
SecureWorks recommends that home computer users protect themselves online by using a separate, clean PC for online banking, distinct from the one they use to surf the web and send and receive email.
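Spreading with stolen domain administrator credentials, as Stewart describes, shows up in the Windows Security log as one account logging on to many hosts in a very short time. The detector below is an added example, not code from the original post or from SecureWorks; it runs a sliding window over constructed logon records in a simplified key=value form. Event ID 4624 (successful logon) and logon type 3 (network logon) are the real Windows values, but every account, host name and timestamp is made up.

```python
"""Flag an account that logs on to many hosts in a short window.

Added example; not code from the original post or from SecureWorks. The log
lines are constructed in a simplified key=value form; event ID 4624 and
logon type 3 are the real Windows Security log values, but every account,
host name and timestamp is made up.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LOG_LINES = """\
2009-07-30T10:00:05 EventID=4624 LogonType=3 Account=CORP\\jsmith Target=FILESRV-01
2009-07-30T10:00:09 EventID=4624 LogonType=2 Account=CORP\\jsmith Target=WS-0142
2009-07-30T10:01:40 EventID=4624 LogonType=3 Account=CORP\\jsmith Target=PRINT-02
2009-07-30T10:03:11 EventID=4624 LogonType=3 Account=CORP\\admin.helpdesk Target=WS-0101
2009-07-30T10:03:12 EventID=4624 LogonType=3 Account=CORP\\admin.helpdesk Target=WS-0102
2009-07-30T10:03:12 EventID=4624 LogonType=3 Account=CORP\\admin.helpdesk Target=WS-0103
2009-07-30T10:03:13 EventID=4624 LogonType=3 Account=CORP\\admin.helpdesk Target=WS-0101
2009-07-30T10:03:14 EventID=4624 LogonType=3 Account=CORP\\admin.helpdesk Target=WS-0104
2009-07-30T10:03:15 EventID=4625 LogonType=3 Account=CORP\\admin.helpdesk Target=WS-0105
2009-07-30T10:03:16 EventID=4624 LogonType=3 Account=CORP\\admin.helpdesk Target=WS-0105
2009-07-30T10:03:18 EventID=4624 LogonType=3 Account=CORP\\admin.helpdesk Target=WS-0106
2009-07-30T10:45:00 EventID=4624 LogonType=3 Account=CORP\\admin.helpdesk Target=WS-0220
2009-07-30T10:50:00 heartbeat from collector
""".splitlines()

LINE_RE = re.compile(r"^(\S+) EventID=(\d+) LogonType=(\d+) Account=(\S+) Target=(\S+)$")


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    event_id: int
    logon_type: int
    account: str
    target: str


@dataclass(frozen=True)
class Alert:
    account: str
    distinct_hosts: int
    window_start: datetime
    window_end: datetime


def parse_line(line: str) -> Optional[LogonEvent]:
    m = LINE_RE.match(line)
    if not m:
        return None                      # not a logon record; skip it
    ts, eid, ltype, account, target = m.groups()
    return LogonEvent(datetime.fromisoformat(ts), int(eid), int(ltype), account, target)


def fanout_alerts(lines, window=timedelta(minutes=5), threshold=5):
    """Return one Alert per account whose successful network logons reach
    `threshold` distinct target hosts within any span of length `window`."""
    by_account = defaultdict(list)
    for ev in map(parse_line, lines):
        if ev and ev.event_id == 4624 and ev.logon_type == 3:
            by_account[ev.account].append(ev)

    alerts = []
    for account, events in by_account.items():
        events.sort(key=lambda e: e.ts)
        in_window = Counter()            # target host -> hits inside the current window
        left = 0
        best = (0, None, None)
        for ev in events:
            in_window[ev.target] += 1
            # slide the left edge forward until the window fits
            while ev.ts - events[left].ts > window:
                old = events[left].target
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > best[0]:
                best = (len(in_window), events[left].ts, ev.ts)
        if best[0] >= threshold:
            alerts.append(Alert(account, best[0], best[1], best[2]))
    return alerts


if __name__ == "__main__":
    for a in fanout_alerts(LOG_LINES):
        print(f"{a.account}: {a.distinct_hosts} hosts between "
              f"{a.window_start:%H:%M:%S} and {a.window_end:%H:%M:%S}")
```

Repeated logons to the same host count once, interactive logons and failures are ignored, and the threshold is the tuning knob: backup and patch-management accounts legitimately fan out and belong on an allowlist rather than in the alert stream.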
Security flaw in Adobe Flash exploited by Trojan malware
Security researchers at Symantec have identified a critical vulnerability in Adobe Flash that allows an attacker to infect PCs with Trojan malware upon opening a malicious Adobe Acrobat PDF file. Adobe acknowledged the flaw and said it is working on releasing a fix by July 30.
The Flash vulnerability affects current versions of Flash Player for Windows, Mac and Linux operating systems and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX, Adobe's security response team said on its blog.
Deleting, renaming or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x mitigates the threat for those products, but users will experience a crash or error message when opening a PDF that contains SWF content, Adobe said.
Symantec warned Wednesday that the Flash bug is serious because of the widespread use of Flash across operating systems and products.
Whereas most vulnerabilities only affect one web browser or software product, Flash exists in all popular browsers and is also available in PDF documents.
"[T]herefore, the threat posed by this issue is not to be taken lightly," Symantec warned on its blog.
Erin Andrews ‘peephole video’ spreading malware
Cybercriminals are exploiting curious voyeurs hoping to watch a video purporting to show hidden "peephole video" camera footage of ESPN reporter Erin Andrews by hosting malicious web pages that contain Trojan malware, according to web security experts at Sophos.
Andrews, a popular sideline reporter for the sports cable network, was reportedly videotaped nude in a hotel room by a voyeur who posted the video on YouTube. The video has since been removed from the site.
Graham Cluley, senior technology consultant at Sophos, reported on his blog that websites spoofing CNN and other sites are cropping up which claim to host the video and ask visitors to download a video player; the "player" is actually malware that can infect the user's PC or Mac.
Mac users who download the phony video player would be infected by the Trojan OSX/Jahlav-C while Windows users would download either the Trojan Mal/EncPk-IF or a fake antivirus program, Mal/FakeAV-AY, Cluley reported.
Cluley said hackers are increasingly setting up malicious sites that can determine if users are visiting from a Mac or PC "and serve up the right flavor of malware accordingly."