
Author Archives

Cleaning Up E-Gold? Not Likely.

Friday, July 25th, 2008

From SecurityFocus,

“On Monday, the Nevis, West Indies, company, its founder and two senior directors all agreed to plead guilty to various charges related to money laundering and the operation of an unlicensed money transfer business. The agreement ends a nearly four-year investigation into the company and its digital currency service, which — because of the anonymity it provided account holders — became a popular method for cybercriminals to turn ill-gotten proceeds into clean cash.”

E-Gold is the preferred method of payment on all the underground marketplaces we monitor. Does anyone without a court order or warrant have any idea the volume of exchanges (from real to virtual currency and back) they perform? They get a cut both ways. With almost 7 million grams of precious metal in stock, they can back a huge volume of transactions. When E-Gold is bought, part of that stock is used to back it, but it’s released again when E-Gold is exchanged for real currency.

At the end of the day, it looks like E-Gold will continue to operate regardless of the guilty pleas and I doubt they will do much to stem the exchange of ill-gotten gains through their service. If they change their operations so that anonymity is no longer an element of the service, the criminals will just do what they do at other, less convenient services: they’ll lie about who they are.


SecureWorks Assists FTC in Spammer Takedown

Monday, February 11th, 2008

A federal judge has ordered spammers to pay more than $2.5 million for violating federal laws including the CAN-SPAM Act. SecureWorks provided expert testimony including an analysis of spam messages and an explanation of the methods used to send the spam.

This is the first case of its kind involving “web form hijacking” or, technically, the abuse of open HTTP-to-SMTP proxies.

Forms on websites are often used to initiate email messages to people who handle feedback, customer service, and order fulfillment. Spammers have figured out how to hijack these forms and use them to send their messages to as many recipients as they wish. Recipients often mistakenly believe the company whose website was hosting the vulnerable form is endorsing the advertised products or services. Meanwhile, the company’s reputation is damaged and legitimate business traffic from their networks could be blocked as a result of the unintentional association with the spammer.
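The usual mechanism behind web form hijacking (the post does not spell it out) is header injection: a form field that the site copies into a mail header such as Subject or From is given a value containing carriage-return/line-feed sequences, and everything after the break is treated as additional headers, typically a Bcc list, followed by a new body. The Python sketch below is an added example of mine, not SecureWorks code or anything from the FTC case files; every address, field value and function name in it is made up. It builds the message the naive way, shows whom a mail server would actually deliver it to, and then shows the single check that closes the hole.

```python
import email
import re
from email.utils import getaddresses

FORM_RECIPIENT = "feedback@example.com"   # where the form is supposed to deliver

# Constructed attacker input for the "subject" field: the CRLF sequences end
# the Subject header, add a Bcc header, end the header block and start a new
# body, so the rest of the form's own message becomes trailing junk.
INJECTED_SUBJECT = (
    "Question about my order\r\n"
    "Bcc: victim1@example.net, victim2@example.net\r\n"
    "\r\n"
    "Buy Hoodia now! http://spam.example/\r\n"
)

def format_message(from_addr, subject, body):
    """The site's outgoing message; header lines are built by string pasting."""
    return (
        f"To: {FORM_RECIPIENT}\r\n"
        f"From: {from_addr}\r\n"
        f"Subject: {subject}\r\n"
        "\r\n"
        f"{body}\r\n"
    )

def build_message_vulnerable(from_addr, subject, body):
    """Form fields go straight into headers: any CRLF in them becomes new headers."""
    return format_message(from_addr, subject, body)

class HeaderInjection(ValueError):
    """A form value that would span more than one header line."""

_LINE_BREAK = re.compile(r"[\r\n\x00]")
_ONE_ADDRESS = re.compile(r"^[^\s@<>,;:]+@[^\s@<>,;:]+\.[A-Za-z0-9-]+$")

def header_value(name, value, max_len=200):
    """Admit a form value as exactly one header line, or refuse it."""
    if _LINE_BREAK.search(value):
        raise HeaderInjection(f"line break in {name}")
    if len(value) > max_len:
        raise HeaderInjection(f"{name} longer than {max_len} chars")
    return value

def build_message_hardened(from_addr, subject, body):
    """Same message, but header-bound fields are validated before formatting."""
    from_addr = header_value("from", from_addr.strip())
    if not _ONE_ADDRESS.match(from_addr):
        raise HeaderInjection("from is not a single bare address")
    return format_message(from_addr, header_value("subject", subject), body)

def recipients_of(raw):
    """Every address a mail server would deliver this message to (To, Cc and Bcc)."""
    msg = email.message_from_string(raw)
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(headers)]

def is_rejected(from_addr, subject, body):
    """True if the hardened builder refuses this input."""
    try:
        build_message_hardened(from_addr, subject, body)
    except HeaderInjection:
        return True
    return False

if __name__ == "__main__":
    raw = build_message_vulnerable("attacker@example.org", INJECTED_SUBJECT, "please call me")
    print("vulnerable version delivers to:", recipients_of(raw))
    print("hardened version rejects it:", is_rejected("attacker@example.org", INJECTED_SUBJECT, "please call me"))
```

The body field needs no such check because it sits below the blank line that ends the header block; only values that land on a header line can grow extra headers. The recipient list is fixed server-side for the same reason: a form that lets the browser supply the To address is an open relay by design.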

In this case, Sili Neutraceuticals, LLC and Brian McDaid operated as Kaycon, Ltd. and used web form hijacking to send spam messages which U.S. District Court Judge David H. Coar agreed violated CAN-SPAM. The spammers also violated the FTC Act by making false and unsubstantiated claims regarding the Hoodia weight-loss and the HGH (human growth hormone) anti-aging products promoted in the spam messages and on their website.

Based in part on the assistance provided by SecureWorks, an injunction against the defendants’ operations was issued, their assets frozen, and a default judgment was entered against the defendants for $2,569,851.77. SecureWorks is honored to have had the opportunity to assist the FTC in its mission of protecting America’s consumers.

See the FTC news release here

Other files related to this case can be found here


Analysis of Storm Worm DDoS Traffic

Wednesday, September 12th, 2007

The Peacomm (Storm Worm) botnet is known to launch DDoS attacks against networks which appear to be investigating the botnet — the cyber equivalent of explosive reactive armor. It is still unclear whether the decisions to launch an attack are made by the botnet, a human operator, or both. In exploring this, SecureWorks was able to compile and analyze information regarding timing and types of traffic that may help victims of these distributed denial-of-service attacks mitigate the impact.

If triggering an attack is a decision made by the botnet, that logic would live on the C&C (command-and-control) servers: researchers have found no code in the Trojan's client-side executable for triggering a DDoS attack.

The attacks do show signs of being automated. Certain actions reliably trigger attacks. Investigators who can withstand the onslaught and have decided to test their theories (with cooperation from their ISPs, of course) can reliably trigger DDoS attacks on themselves. In one case, probing more than four unique Peacomm botnet HTTP proxies within ten seconds results in a flood of TCP SYN and ICMP packets, which last for about two hours. That’s all fairly regular.

The general characteristics of the DDoS traffic are as follows:

1. ICMP packets are echo requests (pings: itype 8, icode 0) of less than 50 bytes, carrying payloads like the following (offset 0x2A = 42 is the end of the Ethernet, IPv4 and ICMP headers, so this is the ICMP data):

002A                                  61 62 63 64 65 66              abcdef
0030   67 68 69 6a 6b 6c 6d 6e  6f 70 71 72 00 00 84 a2    ghijklmnopqr....
0040   d4 00 7c a2 d4 00 4c a2  d4 00                      ..|...L...

2. The TCP SYN flood consists of SYN packets from spoofed source IP addresses. The destination ports are high ports (1024 to 65535), and many of the packets share the same TCP sequence number, 3217589126 (0xBFC88386).

3. All packets seem to have abnormally high TTL values. For Windows-generated packets — and botnet members would be running Windows — these would start with a value of 128 or below, which would be decremented at each “hop” along the route to the destination address. However, most of these packets have TTLs higher than 200 even at the destination. Only a fraction of a percent of the packets even have a TTL below 128.
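The three characteristics above make a compact signature. The Python below is an added example, not SecureWorks tooling: it parses raw IPv4 packets (no link-layer header) and reports which of the indicators each one matches, with constructed sample packets for a flood ICMP echo, a flood SYN, a stock Windows ping and an ordinary client SYN. One choice in it is mine rather than the post's: a Windows ping also carries an alphabet payload, the full "abcdefghijklmnopqrstuvwabcdefghi", so the example keys on the alphabet breaking off at 'r' rather than on the prefix alone. Checksums in the samples are left at zero; the classifier does not verify them.

```python
import socket
import struct

# Indicators taken from the traffic characteristics listed above.
STORM_ICMP_ALPHABET = b"abcdefghijklmnopqr"   # the alphabet run stops at 'r'
STORM_SYN_SEQ = 3217589126                    # 0xBFC88386
WINDOWS_MAX_INITIAL_TTL = 128

def classify(packet):
    """Return the Storm DDoS indicators matched by one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return []
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    hits = []
    if ttl > WINDOWS_MAX_INITIAL_TTL:
        hits.append("ttl>128")
    l4 = packet[ihl:]
    if proto == 1 and len(l4) >= 8:                      # ICMP
        itype, icode = l4[0], l4[1]
        data = l4[8:]
        n = len(STORM_ICMP_ALPHABET)
        # Assumption (mine, not the post's): a stock Windows ping continues the
        # alphabet past 'r', so "...pqr" followed by anything but 's' is the flood.
        if (itype == 8 and icode == 0 and len(data) < 50
                and data.startswith(STORM_ICMP_ALPHABET)
                and data[n:n + 1] != b"s"):
            hits.append("icmp-echo-storm-payload")
    elif proto == 6 and len(l4) >= 20:                   # TCP
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        flags = off_flags & 0x01FF                        # NS,CWR,ECE,URG,ACK,PSH,RST,SYN,FIN
        if flags == 0x0002 and dport >= 1024:             # bare SYN to a high port
            hits.append("syn-highport")
            if seq == STORM_SYN_SEQ:
                hits.append("syn-fixed-seq")
    return hits

def summarize(packets):
    """Per-indicator packet counts over a capture."""
    counts = {}
    for pkt in packets:
        for hit in classify(pkt):
            counts[hit] = counts.get(hit, 0) + 1
    return counts

# --- constructed sample packets (checksums left at zero; classify() ignores them) ---

def ipv4(src, dst, proto, ttl, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def icmp_echo(data):
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data      # type 8, code 0

def tcp_syn(sport, dport, seq):
    # data offset 5 words, flags byte = SYN only, window 8192
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)

SAMPLE_PACKETS = {
    "storm_icmp": ipv4("10.1.2.3", "192.0.2.10", 1, 221, icmp_echo(
        STORM_ICMP_ALPHABET + b"\x00\x00\x84\xa2\xd4\x00\x7c\xa2\xd4\x00\x4c\xa2\xd4\x00")),
    "storm_syn": ipv4("10.9.8.7", "192.0.2.10", 6, 247, tcp_syn(51000, 40123, STORM_SYN_SEQ)),
    "windows_ping": ipv4("198.51.100.5", "192.0.2.10", 1, 118,
                         icmp_echo(b"abcdefghijklmnopqrstuvwabcdefghi")),
    "client_syn": ipv4("198.51.100.6", "192.0.2.10", 6, 57, tcp_syn(49152, 443, 0x1A2B3C4D)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:13s} -> {classify(pkt)}")
    print(summarize(SAMPLE_PACKETS.values()))
```

The same two TCP tests as a tcpdump filter are `tcp[13] = 0x02 and tcp[4:4] = 0xbfc88386`, and the TTL test is `ip[8] > 128`; the payload test needs a tool that can look past the ICMP header.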

One expects the amount of traffic measured by the target to vary with factors such as upstream filtering, available downstream bandwidth, botnet configuration, and current botnet resources. Most commercial targets appear to see traffic rates that vary from a trickle (4-6 Kbps) to a sizeable flood (40-60 Mbps). REN-ISAC has been monitoring the threat to .edu networks, which typically have a lot of available bandwidth, so those targets have been able to see the maximum traffic flow the botnet is capable of generating. With its current configuration (how many bots are allocated to DDoS activities, etc.) and the resources available to it, the Peacomm botnet has flooded .edu targets with 70 Mbps sustained and peaks as high as 1 Gbps.

Some evidence points to a human actually pushing the button on the attacks. Although the HTTP proxy probe trigger works, the attacks don’t start until some variable amount of time has lapsed. It may be a few minutes or it may take several hours before the flood begins. While most attacks last around two hours, some last much longer. Are these multiple, overlapping/queued attacks? Or is some operator meting out a harsher “punishment” for some of the more curious parties?


Prg Trojan-Injected Ads on Job Sites - 46,000 Victims Infected Thus Far

Friday, August 17th, 2007

In late June, SecureWorks Senior Researcher Joe Stewart and I discovered new, previously undetected variants of the Prg Trojan. This week, I uncovered the largest single cache of stolen data from the Prg Trojan. The Trojan, also called wnspoem, was originally discovered by Secure Science and analyzed by Michael Ligh in November 2006.

The data, which includes bank and credit card account information, SSNs, online payment account usernames and passwords and other personal information, is from 46,000 victims who were all individually infected. The infection began in early May. The victims are being infected and reinfected by ads on various online job sites. The hackers behind this scam are running ads on job sites and are injecting those ads with the Trojan.

Thus, when a user views or clicks on one of the malicious ads, their PC is getting infected and all the information they are entering into their browser (including financial information being entered before it reaches the SSL protected sites) is being captured and sent off to the hacker’s server in Asia Pacific. This server is still collecting stolen data and at any one time, we are seeing 9,000 to 10,000 victims sending information to the server.

When I first discovered this large cache of data, I couldn’t figure out how the hackers were compromising so many websites, and as a result, infecting so many victims. However, when I uncovered the Trojan-injected advertisements, it made total sense. These job sites get quite a bit of traffic so it is no wonder that the hackers are having such success. Not only is SecureWorks seeing a large infection rate among victims but they have found that many of the victims are being reinfected, causing them to have chronic infections of the Prg Trojan.

PC users are visiting these job sites and viewing these ads. They are then getting infected and two to three weeks later (after the hacker has captured their information) their anti-virus is catching the Trojan and wiping it off their PC. However, they are then going back to these online job sites, clicking or viewing another malicious ad and getting reinfected by the latest variant.

The hackers behind this scam are releasing a new variant every five days to a week on average, and sometimes even quicker. Anti-virus is having a hard time keeping up with so many variants, so infections are going undetected for several weeks, and although it might eventually get cleaned off the user’s machine, many of them are getting reinfected by a totally new, undetectable variant, and the infection cycle starts all over again.

How to Detect if Your Computer is Infected

Computers infected with the Prg Trojan will have a backdoor proxy server listening for connections on port 6081. This port is not assigned to a legitimate service, and the listener is not hidden by the Trojan's rootkit functionality, so it shows up in a local socket listing (netstat -ano on Windows) as a LISTENING socket on local port 6081. If that listener is present on your computer, you are likely infected with the Prg Trojan. If anti-virus is not detecting the infection, boot the computer into Safe Mode and run another scan. If that fails, manual removal or reinstalling the operating system may be necessary.
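As an added example (mine, not SecureWorks'), here is the check from the paragraph above applied to netstat -ano output, with the one refinement a responder wants: only a TCP socket in LISTENING state on local port 6081 counts, while a connection whose remote port happens to be 6081 does not. The sample output is constructed; the PIDs and addresses in it are made up.

```python
import re

PRG_PROXY_PORT = 6081

# Constructed "netstat -ano" output (Windows layout) from a hypothetical host.
# Only the LISTENING socket on local port 6081 is the Prg indicator; the
# ESTABLISHED connection whose remote port happens to be 6081 is not.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:6081           0.0.0.0:0              LISTENING       1588
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    192.168.1.20:1043      203.0.113.9:6081       ESTABLISHED     2200
  TCP    192.168.1.20:1044      198.51.100.7:443       ESTABLISHED     2200
  UDP    0.0.0.0:500            *:*                                    760
"""

_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?(?:\s+(?P<pid>\d+))?\s*$"
)

def split_endpoint(endpoint):
    """'0.0.0.0:6081' -> ('0.0.0.0', 6081); '[::]:445' -> ('[::]', 445); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Turn netstat -ano output into a list of socket dicts; non-socket lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        lhost, lport = split_endpoint(m["local"])
        rhost, rport = split_endpoint(m["remote"])
        sockets.append({
            "proto": m["proto"], "local_host": lhost, "local_port": lport,
            "remote_host": rhost, "remote_port": rport,
            "state": m["state"], "pid": int(m["pid"]) if m["pid"] else None,
        })
    return sockets

def prg_listeners(text, port=PRG_PROXY_PORT):
    """PIDs owning a TCP socket in LISTENING state on the Prg backdoor port."""
    return [s["pid"] for s in parse_netstat(text)
            if s["proto"] == "TCP" and s["state"] == "LISTENING" and s["local_port"] == port]

def remote_port_matches(text, port=PRG_PROXY_PORT):
    """Connections whose remote port is 6081: not evidence of a local backdoor."""
    return [s["pid"] for s in parse_netstat(text) if s["remote_port"] == port]

if __name__ == "__main__":
    print("suspect listener PIDs:", prg_listeners(SAMPLE_NETSTAT))
    print("remote-port-only matches (ignore):", remote_port_matches(SAMPLE_NETSTAT))
```

The PID is what turns the finding into a next step: `tasklist /fi "pid eq 1588"` names the owning process, which is the thing to pull for analysis before cleaning the machine.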


Hackers Hold Record Amounts of Data Hostage

Wednesday, August 8th, 2007

Malware that encrypts data and demands payment to make it readable again is often called “ransomware”. The first widespread ransomware was the so-called “AIDS” Trojan, distributed on floppy disk in 1989, but it was 1996 before Young and Yung published the first comprehensive study of cryptovirology, the study of crypto-enabled malware, which covered ransomware.

The pace of ransomware attacks accelerated in 2005 as new technology made it possible to realize larger profit margins. New attacks in July 2007 illustrate dangerous trends in the technologies that enable cyber extortionists.

Ransoms are rising. In a 2005 incident, SecureWorks Senior Security Researcher Joe Stewart (then at the pre-merger LURHQ) helped reverse engineer the encryption algorithm and recover files held hostage for $200. In 2006, the Ransom.A Trojan asked only $10.99 per infected computer; the attackers hoped to make it up in volume, which never materialized. The latest threats demand ransoms of $300 and up.

Distribution is key. While last year's Ransom.A Trojan never found the distribution channel it needed to really take off, that is not the case with the new threats. Mpack, a cross-browser exploitation framework, is being used to distribute new flavors of ransomware widely. New variants of the Prg Trojan installed by Mpack exploits have infected more than 150,000 users and stolen tens of millions of records. Starting in July, many of those victims have had files encrypted by the Trojan, which left behind a ransom note:

Hello,    your   files   are   encrypted   with   RSA-4096   algorithm
(http://en.wikipedia.com/wiki/RSA).

You  will  need  at least few years to decrypt these files without our
software.  All  your  private  information  for  last  3  months  were
collected and sent to us.

To decrypt your files your need to buy our software. The price is $300.

To  buy  our software please contact us at: oxyglamour@gmail.com and provide us
your  personal code 172265880. After successful purchase we will send
your  decrypting tool,  and  your private information will be deleted
from our system

If  you  will not contact us until 07/15/2007 your private information
will be shared and you will lost all your data.

                        Glamorous team

Another new Trojan installed by some Mpack attackers archives the victim’s data in RAR files and seals them with a password before uploading them to the attackers’ servers.

These illustrate new factors that point to a rapidly growing trend in ransomware:

  • The success and extensibility of the Mpack kit ensures wide distribution
  • Data-stealing Trojans are being retrofitted with ransomware features
  • Using construction kits, attackers are able to roll fresh, undetected Trojan variants at will

While cracking the actual algorithms used by the Prg “Glamour” variants (the note's claim of RSA-4096 notwithstanding) and recovering the RAR archive passwords is possible, most end users don't have access to researchers skilled in reverse engineering and password recovery. Even that won't help if the data has really been scrambled with strong public-key encryption: a Trojan built that way carries only the public key, the private key needed to decrypt never touches the victim's machine, and there is nothing on disk to reverse engineer. At that point, victims may be forced to negotiate with the extortionists, and there is no guarantee the data will be delivered after the ransom is paid. Chatter in the hacker underground indicates that incorporation of strong public-key encryption is already in progress.

Today, many large companies still do not back up the data on users' workstations. While many corporate users are urged to store documents on servers and shared drives, many still work from the local disks targeted by this ransomware. Home users are even more at risk: nearly half report that they do not make backups at all.

With these types of attacks, prevention is paramount.  Active tracking and analysis is key to spotting changes in attack methods that could leave one vulnerable.   IPS can block the characteristic behavior of exploit frameworks like Mpack and the downloaders used to install the Trojans.  Deployment and maintenance of IPS countermeasures on the network and at the host is the best way to prevent having one’s data held hostage by this new ransomware.

 
