SecureWorks Uncovers $2 Million Russian Hacker Scheme
In January 2007 the SecureWorks Security Research Group discovered a new trojan that searches for and captures credentials used on several Internet banking and e-commerce websites. The trojan, named Gozi, forwards captured credentials to an online database, where they were sold to the highest bidder. While researching Gozi, the SecureWorks Security Research Group uncovered a cache of stolen information holding over 10,000 account records containing everything from online banking user credentials to patient healthcare information and even employee login information for confidential government and law enforcement applications. Further investigation revealed that this data was being offered for sale by Russian hackers for a total of over $2 million. The records retrieved included account numbers and passwords from customers of many top global banks and financial services companies, top US retailers and leading online retailers. SecureWorks is working with the affected organizations and federal law enforcement officials, as well as other security groups such as FIRST and CERT, to address the Gozi threat.
Gozi is a state-of-the-art, modularized trojan spread through Internet Explorer browser exploits, and it went undetected by many anti-virus vendors for weeks. Many home PCs were infected by Gozi while users were visiting popular community forums for hobbies, online games, etc. Gozi then captured the users' credentials when they later logged into their banking, retail, or employers' applications. These credentials were forwarded to an online storefront where they were offered for sale.
The trojan was designed to capture any data entered into websites relying on SSL (Secure Sockets Layer) to protect confidential information. Most Internet banking, online retail, and corporate intranets utilize SSL to encrypt communications from their customers. SSL only protects the data in transit: a trojan running on the user's own PC sees the form data before the browser encrypts it, so the encryption offers no protection once the endpoint is compromised. We also discovered that components of Gozi were purposely designed to circumvent the multi-factor authentication protections of specific large financial institutions. These protections met or exceeded those mandated by the FFIEC. SecureWorks briefed these financial institutions on Gozi's activities so they can be on the lookout for any fraudulent activity.
How to Protect Against Gozi
PCs on corporate networks can be infected if not well-protected. Security administrators should:
- Enable heuristic detection as part of your anti-virus systems. This will increase the rate of false positives, so it should be done cautiously and with consideration as to how it can impact your operations.
- Make sure your IPS is configured to detect and block Gozi and similar threats.
- Ensure that your anti-virus vendor has a signature for the Gozi trojan, then make sure all your computing systems are patched and current with the latest anti-virus protections. Because Gozi spreads through Internet Explorer exploits, browser and operating system patches matter as much as anti-virus signatures.
- If you use a managed security services partner to protect your systems, make sure that they have implemented countermeasures specific to Gozi and its variants. Clients relying on SecureWorks' iSensor® Network Intrusion Prevention Service were protected from day one.
A full analysis of the Gozi threat is available at http://www.secureworks.com/research/threats/gozi/.
2006 Attack Statistics Overview: Part Two of Two
With over 1,650 clients, SecureWorks has tremendous visibility into the security activity that affects businesses around the world. We monitor and process more than 1.3 billion security events daily, giving us insight into the latest attack trends and the continuing evolution of the threat landscape. Our 2006 Attack Statistics Review gives an overview of the attacks we blocked in the last year with our iSensor intrusion prevention technology.
In Part One of our 2006 Attack Statistics Review, we shared some of the statistics and trends we've identified during the course of protecting our clients from security threats. Part One can be found at http://www.secureworks.com/research/newsletter/2007/02/index.html#2006. In Part Two, we narrow the scope and focus on which assets were attacked the most within corporate environments, which vendors were most frequently attacked and where most attackers were located.
Attacks overwhelmingly targeted desktops and servers in 2006, which makes sense considering the type of systems that fall into this category. Web servers, databases, application servers, and end-user desktops are very attractive targets for an attacker. These are undoubtedly the most vulnerable corporate assets with the most readily available exploits, meaning the attacker doesn't need to develop much malicious code of their own. These systems are also usually more visible from outside the organization, and in many cases they either contain or provide direct access to sensitive information that is profitable to the attacker, such as credit card or account numbers.
Table 1: Target Class

Products from Microsoft were attacked most frequently in 2006, as a result of their products being so widely deployed and the release of several exploits that took advantage of flaws in Internet Explorer (IE 6 and 7), Windows XP, and MS Office applications.
There were also a large number of attacks against products from multiple vendors. These attacks typically exploited weaknesses in common standards or protocols. Cross-Site Scripting (XSS), which increased significantly throughout 2006, is a good example of an attack type that spans multiple vendors.
Table 2: Vendors Most Frequently Attacked

Based on our research, the United States is, by far, the largest source of attacks. During 2006, IP addresses located in the U.S. accounted for more than 543 million attacks, which is far greater than the combined total for the rest of the world.
Table 3: Attacking Countries

It is important to take into consideration that the attacking country is determined by the location of the source IP address, and the attacker may well reside elsewhere. For example, an attacker in Country A may launch an attack from an "owned" host located in Country B. This is not to say that the U.S. doesn't have its share of attackers. However, a major contributor to the very high number of attacks from the U.S. is simply that there are so many personal and business computers in the U.S., a large percentage of which are not completely patched and can be easily compromised and used as proxies for attackers around the world.
This concludes our 2006 Attack Statistics Review. In the last year alone, we identified and blocked more than 931 million attacks using our iSensor intrusion prevention technology. Over 1900 iSensors are currently deployed across more than 1,450 networks, providing broad visibility into zero-day threats and attack trends. Using this information, we proactively develop countermeasures to protect our clients from the latest attacks.
Internet Threat Update
ANI Worm Spreading in the Wild
In March 2007, attackers began exploiting a previously undisclosed vulnerability in the Windows animated cursor (ANI) processing code, a component of all recent Windows releases. If exploited successfully, the vulnerability allows an attacker to remotely take control of a vulnerable system. Thus far, the primary attack vector has been Internet Explorer, via web pages that load a specially crafted animated cursor file carrying the exploit. Users can also be infected by opening specially crafted e-mails or e-mail attachments.
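The flaw exploited here was a stack-based buffer overflow in the parsing of the ANI file's "anih" header chunk: the chunk's declared length was trusted and used as the copy size into a fixed 36-byte header structure, and an earlier fix for a near-identical bug only validated the first anih chunk in the file. The following is an added illustrative example, not Microsoft's code and not part of the original newsletter. It shows the vulnerable copy pattern beside a hardened loader, plus a RIFF chunk walker that flags any anih chunk with a size other than 36 (the kind of check an IPS signature or mail gateway can apply to a downloaded .ani file). The sample files are constructed inline, not real captures; function names and the sample layout are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed ANIHEADER structure the cursor loader fills from the
 * "anih" chunk. A well-formed file declares exactly this length. */
#define ANIH_SIZE 36u

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the chunk's declared length is trusted and used as
 * the copy size into a fixed-size stack buffer. Shown for contrast only;
 * it is never called on the oversized sample in this file. */
static void load_anih_unsafe(const uint8_t *chunk_data, uint32_t chunk_len) {
    uint8_t hdr[ANIH_SIZE];
    memcpy(hdr, chunk_data, chunk_len);   /* overflows hdr when chunk_len > 36 */
    (void)hdr;
}

/* Hardened loader: only the one legal size is accepted. Returns 0 on success. */
int load_anih_safe(const uint8_t *chunk_data, uint32_t chunk_len, uint8_t out[ANIH_SIZE]) {
    if (chunk_len != ANIH_SIZE) return -1;
    memcpy(out, chunk_data, ANIH_SIZE);
    return 0;
}

/* Walk the RIFF chunk list between buf[off] and buf[end], descending into
 * LIST chunks. Returns 1 if any chunk runs past its container or any anih
 * chunk declares a size other than 36, else 0. Every anih is checked, not
 * only the first one. */
static int scan_chunks(const uint8_t *buf, size_t off, size_t end) {
    while (off + 8 <= end) {
        const uint8_t *id = buf + off;
        uint32_t clen = rd32(buf + off + 4);
        off += 8;
        if (clen > end - off) return 1;                      /* truncated / oversized chunk */
        if (memcmp(id, "anih", 4) == 0 && clen != ANIH_SIZE) return 1;
        if (memcmp(id, "LIST", 4) == 0 && clen >= 4) {
            if (scan_chunks(buf, off + 4, off + clen)) return 1;   /* skip 4-byte list type */
        }
        off += clen + (clen & 1);                            /* RIFF pads odd sizes */
    }
    return 0;
}

/* 1 = malformed (reject or alert), 0 = well-formed, -1 = not an ANI file. */
int ani_is_malformed(const uint8_t *buf, size_t len) {
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0) return -1;
    return scan_chunks(buf, 12, len);
}

/* --- constructed sample files (not real captures) --- */

static size_t put_chunk(uint8_t *out, const char *id, uint32_t n) {
    memcpy(out, id, 4);
    out[4] = (uint8_t)n; out[5] = (uint8_t)(n >> 8);
    out[6] = (uint8_t)(n >> 16); out[7] = (uint8_t)(n >> 24);
    memset(out + 8, 0, n + (n & 1));            /* zeroed payload, padded if odd */
    return 8 + n + (n & 1);
}

/* Minimal ANI: one valid anih, optionally followed by a second anih of
 * second_len bytes, the shape the exploit files used. Returns total size. */
size_t build_sample_ani(uint8_t *out, uint32_t second_len) {
    size_t n = 12;
    memcpy(out, "RIFF", 4); memset(out + 4, 0, 4); memcpy(out + 8, "ACON", 4);
    n += put_chunk(out + n, "anih", ANIH_SIZE);
    if (second_len) n += put_chunk(out + n, "anih", second_len);
    uint32_t body = (uint32_t)(n - 8);           /* RIFF size field: bytes after it */
    out[4] = (uint8_t)body; out[5] = (uint8_t)(body >> 8);
    out[6] = (uint8_t)(body >> 16); out[7] = (uint8_t)(body >> 24);
    return n;
}

int sample_benign_is_malformed(void) {
    uint8_t f[256];
    size_t n = build_sample_ani(f, 0);
    return ani_is_malformed(f, n);               /* expect 0 */
}

int sample_exploit_is_malformed(void) {
    uint8_t f[256];
    size_t n = build_sample_ani(f, 100);         /* second anih claims 100 bytes */
    return ani_is_malformed(f, n);               /* expect 1 */
}

int safe_loader_rejects_oversized(void) {
    uint8_t hdr[ANIH_SIZE], data[100] = {0};
    return load_anih_safe(data, 100, hdr) == -1 && load_anih_safe(data, ANIH_SIZE, hdr) == 0;
}

int main(void) {
    uint8_t f[256], hdr[ANIH_SIZE];
    size_t n = build_sample_ani(f, 0);
    load_anih_unsafe(f + 20, ANIH_SIZE);         /* safe only because this chunk really is 36 bytes */
    printf("benign (%zu bytes): %d  exploit-shaped: %d  safe loader on benign: %d\n",
           n, sample_benign_is_malformed(), sample_exploit_is_malformed(),
           load_anih_safe(f + 20, ANIH_SIZE, hdr));
    return 0;
}
```

The walker rejects on the first bad chunk it sees, so it also catches the older trick of hiding the oversized anih inside a LIST or after a valid first header. A real gateway check would additionally cap total file size and chunk nesting depth before parsing.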
SecureWorks has detected a worm utilizing the ANI exploit code to spread in the wild. The worm is similar to previous trojans in that it attempts to download various additional malware involved in stealing online gaming credentials. While this is not the most malicious possible use, the exploit code is now publicly available. Chances are that the exploit code will soon be incorporated into malware used by criminals for more nefarious purposes, leading to more malicious infections. SecureWorks has already implemented countermeasures via our iSensor Network Intrusion Prevention Service which will effectively protect clients from this threat.
On April 3, Microsoft issued an out-of-cycle emergency patch (MS07-017) to address the underlying vulnerability. Until affected systems have been patched, users should minimize their risk by not following any unsolicited or suspicious links, and by not opening or reading e-mail from untrusted sources. Because the exploit can be delivered by an otherwise legitimate web page or an HTML e-mail, applying the patch is the only reliable fix.