SecureWorks Research

SecureWorks Research http://www.secureworks.com/research/ Information security Threats and SecureWorks Research Blog. New Banking Trojan Targeting ACH and Wire Payment Sites is Discovered http://www.secureworks.com/research/blog/index.php/2010/2/8/new-banking-trojan-targeting-ach-and-wire-payment-sites-is-discovered Over the past year, the SecureWorks Counter Threat Unit (CTU)(SM) has seen criminals continue to target Automated Clearing House (ACH) and wire transfer transactions for fraud activity, resulting in high-value losses. Small to midsized businesses (SMBs) and not-for-profits have been hit especially hard. Neustar has published an excellent overview (PDF) of this type of threat. http://www.secureworks.com/research/blog/index.php/2010/2/8/new-banking-trojan-targeting-ach-and-wire-payment-sites-is-discovered Opachki Link Hijacker Trojan Analysis http://www.secureworks.com/research/threats/opachki http://www.secureworks.com/research/threats/opachki Operation Aurora: Clues in the Code http://www.secureworks.com/research/blog/index.php/2010/1/20/operation-aurora-clues-in-the-code With the recently disclosed hacking incident inside Google and other major companies, much of the world has begun to wake up to what the infosec community has known for some time - there is a persistent campaign of "espionage-by-malware" emanating from the People's Republic of China (PRC). Corporate and state secrets both have been shanghaied over a period of five or more years, and the activity becomes bolder over time with little public acknowledgement or response from the U.S. government. http://www.secureworks.com/research/blog/index.php/2010/1/20/operation-aurora-clues-in-the-code Static Binary Analysis of Recent SMBv2 Vulnerability http://www.secureworks.com/research/threats/windows-0day http://www.secureworks.com/research/threats/windows-0day Publicly Disclosed GSM Attack Surface Expanding http://www.secureworks.com/research/blog/index.php/2009/12/29/publicly-disclosed-gsm-attack-surface-expanding During the course of 2009, the amount of publicly available information on the security of GSM cellular networks and devices has steadily increased. GSM stands for the "Global System for Mobile communications" and is the world's most popular standard for mobile handsets. http://www.secureworks.com/research/blog/index.php/2009/12/29/publicly-disclosed-gsm-attack-surface-expanding The Underground Economy of the Pay-Per-Install (PPI) Business http://www.secureworks.com/research/threats/ppi http://www.secureworks.com/research/threats/ppi SecureWorks Reports Increase in Email Scams and Advises Extra Caution While Shopping Online this Holiday Season http://www.secureworks.com/research/blog/index.php/2009/12/2/secureworks-reports-increase-in-email-scams-and-advises-extra-caution-while-shopping-online-this-holiday-season In the last month, SecureWorks' Counter Threat Unit(SM) (CTU) has seen a general increase in malicious email campaigns trying to infect online users with the Zeus Trojan (one of the most pervasive financial-credential stealing Trojan) on the market. In the last three weeks, the CTU has also monitored a large increase in the number of email lists being sold on the underground hacker forums, coinciding with the start of the holiday shopping season. http://www.secureworks.com/research/blog/index.php/2009/12/2/secureworks-reports-increase-in-email-scams-and-advises-extra-caution-while-shopping-online-this-holiday-season Clampi/Ligats/Ilomo Trojan http://www.secureworks.com/research/threats/clampi-trojan http://www.secureworks.com/research/threats/clampi-trojan SANS Incident Detection Summit http://www.secureworks.com/research/blog/index.php/2009/11/25/sans-incident-detection-summit SecureWorks CTO Jon Ramsey will be participating on a panel at the SANS Incident Detection Summit December 9-10, 2009. http://www.secureworks.com/research/blog/index.php/2009/11/25/sans-incident-detection-summit FFSearcher Click Fraud Trojan http://www.secureworks.com/research/threats/ffsearcher http://www.secureworks.com/research/threats/ffsearcher ToorCon 11 a Success! http://www.secureworks.com/research/blog/index.php/2009/10/30/toorcon-11-a-success There are two things one can count on every year at ToorCon: the amazing San Diego weather and excellent presentations about new and emerging security research. This year's ToorCon 11 did not disappoint, and delivered a lot of great content and new security research throughout the weekend. http://www.secureworks.com/research/blog/index.php/2009/10/30/toorcon-11-a-success Virut Encryption Analysis http://www.secureworks.com/research/threats/virut-encryption-analysis http://www.secureworks.com/research/threats/virut-encryption-analysis Monkif/DlKhora Botnet Hiding Its Commands as JPEG Images http://www.secureworks.com/research/blog/index.php/2009/9/29/monkifdlkhora-botnet-hiding-its-commands-as-jpeg-images The SecureWorks Counter Threat Unit (CTU) has been carefully monitoring the activity of the Monkif/DlKhora botnet. This bot is an example of a Downloader trojan, in that its primary purpose is to receive instructions to download and execute other malware. The trojan also attempts to disable anti-virus and personal firewall software to maintain its foothold on the system. http://www.secureworks.com/research/blog/index.php/2009/9/29/monkifdlkhora-botnet-hiding-its-commands-as-jpeg-images DNS Amplification Variation Used in Recent DDos Attacks http://www.secureworks.com/research/threats/dns-amplification http://www.secureworks.com/research/threats/dns-amplification Skype Eavesdropping Trojan http://www.secureworks.com/research/blog/index.php/2009/9/25/skype-eavesdropping-trojan Recently, programmer Ruben Unteregger released the source code for a Trojan that allows an attacker to listen in on a victim's Skype conversations. For approximately seven years, Unteregger has worked as a software engineer for ERA IT Solutions AG where he developed the trojan. Skype traffic is encrypted using a 256-bit AES block cipher, the kind approved by the US Government to protect "TOP SECRET" information. http://www.secureworks.com/research/blog/index.php/2009/9/25/skype-eavesdropping-trojan Downadup/Conficker Worm Removal http://www.secureworks.com/research/threats/downadup-removal http://www.secureworks.com/research/threats/downadup-removal Twitter-Based Botnet Command and Control http://www.secureworks.com/research/blog/index.php/2009/9/4/twitter-based-botnet-command-and-control Twitter is a social networking and microblogging service launched in late 2006. Once logged in, users post small updates to the site frequently throughout the day. These short update messages, known as "tweets," may not exceed 140 UTF-8 encoded characters. http://www.secureworks.com/research/blog/index.php/2009/9/4/twitter-based-botnet-command-and-control Spam Botnets to Watch in 2009 http://www.secureworks.com/research/threats/botnets2009 http://www.secureworks.com/research/threats/botnets2009 Crypto Attacks: It's the implementation stupid http://www.secureworks.com/research/blog/index.php/2009/8/27/crypto-attacks Black Hat USA 2009 brought us the latest release of Moxie Marlinspike's sslstrip tool. sslstrip is a tool for performing man-in-the-middle (MITM) attacks against TLS/SSL sessions. The previous version simply terminated the TLS connection at the MITM point and forwarded on an unencrypted connection to the client. http://www.secureworks.com/research/blog/index.php/2009/8/27/crypto-attacks Rogue Antivirus Dissected - Part 2 http://www.secureworks.com/research/threats/rogue-antivirus-part-2 http://www.secureworks.com/research/threats/rogue-antivirus-part-2