Results 1 to 4 of 4

Thread: Malicious Torrent Network Tool Revealed By Security Company

  1. #1

    Malicious Torrent Network Tool Revealed By Security Company

    • By Andy
    • on September 21, 201


    News
    A security company has published details of a tool designed to be spread to unsuspecting users via a network of malicious torrents. InfoArmor reports that 'RAUM' is being used by a financially incentivized underground affiliate network, and has even published screenshots of the management dashboard utilized by the attackers.



    More than 35 years after 15-year-old high school student Rich Skrenta created the first publicly spread virus, millions of pieces of malware are being spread around the world.

    Attackers’ motives are varied but these days they’re often working for financial gain. As a result, popular websites and their users are regularly targeted. Security company InfoArmor has just published a report detailing a particularly interesting threat which homes in on torrent site users.
    “InfoArmor has identified a special tool used by cybercriminals to distribute malware by packaging it with the most popular torrent files on the Internet,” the company reports.
    InfoArmor says the so-called “RAUM” tool is being offered via “underground affiliate networks” with attackers being financially incentivized to spread the malicious software through infected torrent files.
    “Members of these networks are invited by special invitation only, with strict verification of each new member,” the company reports.
    InfoArmor says that the attackers’ infrastructure has a monitoring system in place which allows them to track the latest trends in downloading, presumably so that attacks can reach the greatest numbers of victims.
    “The bad actors have analyzed trends on video, audio, software and other digital content downloads from around the globe and have created seeds on famous torrent trackers using weaponized torrents packaged with malicious code,” they explain.
    RAUM instances were associated with a range of malware including CryptXXX, CTB-Locker and Cerber, online-banking Trojan Dridex and password stealing spyware Pony.
    “We have identified in excess of 1,639,000 records collected in the past few months from the infected victims with various credentials to online-services, gaming, social media, corporate resources and exfiltrated data from the uncovered network,” InfoArmor reveals.
    What is perhaps most interesting about InfoArmor’s research is how it shines light on the operation of RAUM behind the scenes. The company has published a screenshot which claims to show the system’s dashboard, featuring infected torrents on several sites, a ‘fake’ Pirate Bay site in particular.



    “Threat actors were systematically monitoring the status of the created malicious seeds on famous torrent trackers such as The Pirate Bay, ExtraTorrent and many others,” the researchers write.
    “In some cases, they were specifically looking for compromised accounts of other users on these online communities that were extracted from botnet logs in order to use them for new seeds on behalf of the affected victims without their knowledge, thus increasing the reputation of the uploaded files.”

    According to InfoArmor the malware was initially spread using uTorrent, although any client could have done the job. More recently, however, new seeds have been served through online servers and some hacked devices.
    In some cases the malicious files continued to be seeded for more than 1.5 months. Tests by TF on the sample provided showed that most of the files listed have now been removed by the sites in question.
    Completely unsurprisingly, people who use torrent sites to obtain software and games (as opposed to video and music files) are those most likely to come into contact with RAUM and associated malware. As the image below shows, Windows 7 and 10 packs and their activators feature prominently.

    “All of the created malicious seeds were monitored by cybercriminals in order to prevent early detection by [anti-virus software] and had different statuses such as ‘closed,’ ‘alive,’ and ‘detected by antivirus.’ Some of the identified elements of their infrastructure were hosted in the TOR network,” InfoArmor explains.
    The researchers say that RAUM is a tool used by an Eastern European organized crime group known as Black Team. They also report several URLs and IP addresses from where the team operates. We won’t publish them here but it’s of some comfort to know that between Chrome, Firefox and MalwareBytes protection, all were successfully blocked on our test machine.
    InfoArmor concludes by warning users to exercise extreme caution when downloading pirated digital content. We’d go a step further and advise people to be wary of installing all software from any untrusted sources, no matter where they’re found online.

  2. #2

    Web Security Firm Sitelock Uses DMCA to Censor Critics


    • By Andy
    • on September 20, 2016

    News
    Sitelock, one of the world's leading website security companies, is using the DMCA to silence a vocal critic. Web design and services outfit White Fir Design has published several articles about Sitelock, but now the company has hit back by filing DMCA notices against screenshots included in White Fir's reports.


    The takedown provisions of the Digital Millennium Copyright Act are most closely associated with alleged infringement in the file-sharing space. As a result, millions of notices are sent to a wide range of websites, not least Google’s search.

    As a recent case involving Warner illustrated, erroneous notices can prove controversial, but perhaps the most egregious examples involve efforts to silence critics under the guise of protecting copyrights. One such situation appears to be underway between two players in the website security sector.
    In the blue corner stands SiteLock, the self-professed “Global Leader in business website security solutions.” With more than 8,000,000 customers worldwide, it’s more than likely that its logo (shown bottom right in the image below) is familiar to readers.
    Sitelock’s product range is impressive but no matter what it does, the company cannot seem to impress White Fir Design, its rival in the blue corner.
    For the past few years, web design and security company White Fir has been publishing articles critical of SiteLock. In 2014, for example, the company published a piece declaring that Sitelock was poor at protecting its clients.
    This was followed by several others continuing on the same theme, including a May 2016 piece declaring that Sitelock was scamming its customers. Clearly, things were beginning to heat up.
    It’s not clear whether Sitelock disagrees with any of White Fir’s critique but the company has certainly noticed the articles published by the web outfit. That became evident this week when Sitelock filed DMCA notices against two pieces published by White Fir.
    “We have seen a lot of ridiculous stuff from SiteLock recently, but this has to take the cake,” White Fir said in a statement.
    “They have now filed a DMCA takedown notice against our website for including a screenshot of their homepage in one [of] our posts.”
    The screenshot posted by White Fir originally appeared in an article which claimed how Sitelock had placed their seal of approval on a site, despite it being dangerous for visitors. The screenshot has now been removed but a copy can be seen below.

    The allegedly-infringing screenshot

    The resulting DMCA notice from SiteLock claims that White Fir’s use of the screenshot is infringing.
    “My name is Logan Kipp, I am contacting you on behalf of my company SiteLock, LLC. A website that your company hosts at IP *66.39.94.41 (WHITEFIRDESIGN.COM) is infringing on at least one copyright owned by SiteLock, LLC,” the complaint to White Fir’s hosting company reads.
    “Content has been taken from our official websites, SiteLock.com and wpdistrict.sitelock.com, and used without the authorization of SiteLock, LLC on the website WHITEFIRDESIGN.COM.”
    The second complaint Sitelock filed against White Fir concerned a piece published early September which alleged that SiteLock had reported certain versions of WordPress as having “critical” vulnerabilities when in fact they did not.
    To support their critique, White Fir included a screenshot of a table published by SiteLock. It’s clear that White Fir had the right to do so under Fair Use but SiteLock’s Logan Kipp felt otherwise, filing a complaint with White Fir’s host.
    “I request that you immediately notify the infringer of this notice and inform them of their duty to remove the infringing material immediately, and notify them to cease any further posting of infringing material to your server in the future,” SiteLock told the host.
    “If service providers do not investigate and remove or disable the infringing material [safe harbor] immunity is lost. Therefore, in order for you to remain immune from a copyright infringement action you will need to investigate and ultimately remove or otherwise disable the infringing material from your servers with all due speed should the direct infringer, your client, not comply immediately.”
    Quite why White Fir chose to comply with SiteLock’s takedown demands is unclear, as the usage of the screenshots is legal for the purposes of news reporting and critique. However, as White Fir point out, if the aim was to silence them, that has backfired.
    “What makes this even more ridiculous is [SiteLock] clearly now know that their post is showing that they lack a basic understanding of WordPress security, but instead of fixing their post, they are trying to hide you from seeing an image on our website,” White Fir explain.
    “The only reasonable explanation we can think of for them doing this is that they thought they could get the pages those images were on removed by filing [the complaint], because removing the images alone doesn’t do anything to cover up what they are up to.”
    And so the DMCA wars continue…

  3. #3

    Five social engineering scams employees still fall for



    By Stacy Collett

    CSO | Sep 21, 2016 3:32 AM PT


    You’ve trained them. You’ve deployed simulated phishing tests. You’ve reminded your employees countless times with posters and games and emails about avoiding phishing scams. Still, they keep falling for the same ploys they’ve been warned about for years. It’s enough to drive security teams to madness.

    According to Verizon’s 2016 Data Breach Investigation Report, 30 percent of phishing messages were opened by their intended target, and about 12 percent of recipients went on to click the malicious attachment or link that enabled the attack to succeed. A year earlier, only 23 percent of users opened the email, which suggests that employees are getting worse at identifying phishing emails -- or the bad guys are finding more creative ways to outsmart users.

    The consequences of a security breach caused by human error are bigger than ever. For starters, the No. 1 inflection point for ransomware is through phishing attacks, says Stu Sjouwerman, founder and CEO of KnowBe4. What’s more, a handful of competing cyber mafias “are casting their nets wider and wider,” with more scams to more users, to attract more hits, he says.

    A single ransomware cyber mafia was able to collect $121 million in ransomware payments during the first half of this year, netting $94 million after expenses, according to McAfee Labs’ September 2016 Threats Report. Total ransomware increased by 128 percent during the first half of 2016 compared to the same period last year. There were 1.3 million new ransomware samples recorded, the highest number since McAfee began tracking it.
    One look at the top five social engineering scams that employees still fall for, and it’s not hard to see their appeal. Sjouwerman calls them the seven deadly social engineering vices that most employees share: Curiosity, courtesy, gullibility, greed, thoughtlessness, shyness and apathy.


    Human nature may be to blame for many security breaches, but there are ways to help employees shed their bad habits and avoid these scams.

    1. ‘Well it looked official’


    Official-looking emails that appear to be work related – with subject lines such as “Invoice Attached,” “Here’s the file you needed,” or “Look at this resume” -- still have employees stumped, experts say.
    A survey by Wombat Technologies found that employees were more cautious when receiving “consumer” emails regarding topics like gift card notifications, or social networking accounts, than they were with seemingly work-related emails. A subject line that read, “urgent email password change request,” had a 28 percent average click rate, according to the report.
    “Most people are not going to look really closely to know where that email came from, and they click on it and their machine may be taken over by somebody, or infected,” says Ronald Nutter, online security expert and author of The Hackers Are Coming, How to Safely Surf the Internet.
    “Especially when you’re exchanging files with subcontractors or partners on a project, you really should be using a secure file transfer system so you know where the file came from and that it’s been vetted.” He also cautions recipients to be wary of any file that asks the user to enable macros, which can lead to a system takeover.
    In the absence of a secure file transfer system, users should hover their cursor over email addresses and links before they click to see if the sender and type of file are legitimate, he adds.

    2. ‘You missed a voicemail!’


    Scammers have been trying to install malicious software through emails designed to look like internal voicemail service messages since 2014. Businesses often have systems set up to forward audio files and messages to employees, which is convenient but hard for users to discern as a phishing hoax.
    Today, “The voicemail is a spoofed Microsoft or Cisco kind of voicemail,” Sjouwerman says. “They go to their in-box and there is a voicemail, but they missed it and then open the attachment. [Spoofers] can catch practically anyone with that,” and not just the accounting department where invoice scams are sent, he adds.

    3. Free stuff
    Most employees can’t resist free stuff – from pizza to event tickets to software downloads – and they’ll click on just about any link to get it, phishing experts say.
    “Nothing is truly ever free,” Nutter says. “We’re starting to see again where you’ll get a link saying, ‘Here’s free software.’ It could be something that’s actually out there already for free, but they’re sending you through their website, which means you may be getting infected or compromised software.”
    Adding to the danger, “A lot of these download sites are bundling [software], and you also have to download something else that you don’t even want,” Nutter adds. “If it compromises your security setup, now you’ve just opened Pandora’s box.”
    He recommends first checking to see if your organization has already licensed the software, or if it’s truly free software, then go directly to the software vendor’s website to download.

    4. Fake LinkedIn invitations and InMail


    One of the commonly repeated scams that Proofpoint is seeing involves fraudulent employee accounts on LinkedIn that are being used for information gathering, says Devin Redmond, vice president and general manager of digital security and compliance.
    For instance, someone creates a fake LinkedIn account posing as a known member of a project team or even a company executive. “It looks very legitimate and that person does work for the organization. [The imposter] connects with you, you accept and they start communicating with you,” Redmond says. “As the employee, if it’s an executive account that you’re linked to, you’re happy and excited that this executive is communicating with you, and you start to, unknowingly, give information that’s sensitive or private to the organization.” Meanwhile, the information is being used as a broader campaign to gather sensitive information on the company.

    Redmond suggests that if a colleague asks to connect on any social network, then email their legitimate work address and ask if they’ve requested to connect with you. “It’s an easy way to keep yourself out of hot water,” he adds.

    5. Social media surfing at work


    Employees who surf Facebook, Twitter and a host of other social media sites can potentially open the door for cyber thieves because the scams require less work for them, and it’s also a relatively new area of awareness training for employees.

    “Think about that ROI from the bad actors’ perspective,” Redmond says. “Instead of having to send 1,000 emails (to get one hit), I can get them to my page with one post.”
    Social media’s cyber risk is still a topic that employees understand the least – with an average of 31 percent of questions missed regarding security awareness on the topic, according to Wombat. However, 76 percent of organizations surveyed enable employees to use social media on their work devices. This puts organizations at significant risk considering the lack of understanding in the area.
    “I speculate the reasons why organizations are doing so poorly is it’s still fairly relatively new,” says CTO Trevor Hawthorn. “We’re also seeing a younger workforce. There is a belief in the industry that those employees will just click on anything. I think there is something to that.”

  4. #4

    Will IoT folks learn from DDoS attack on Krebs’ Web site?




    The first volley has been fired in the IoT wars.


    CSO | Sep 28, 2016 4:57 AM PT
    Brian Krebs did a simple thing. He reported on the take-down of a distributed denial of service (DDoS) for hire group, vDOS, and the arrest of two of its Israeli teenage operators. The ensuing cyber temper tantrum, which was forensically linked to one of the teenagers, resulted in the largest DDoS attack on record and affected hundreds of businesses and thousands of users. Let’s look at the implications beyond Krebs.


    On Sept. 20, Krebs was the victim of the largest Distributed Denial of Service (DDoS) attack in the history of the internet. Krebs’ pro-bono host, content delivery network (CDN) services provider Akamai, reported the amount of data fired against them in the attack reached 665Gbps. Until then the largest attack Akamai had experienced reached only half that rate, 363Gbps. Akamai successfully fought off the attack and Krebs’ site remained up but the loss of functionality for Akamai’s other business resulted in significant financial losses. Akamai ultimately decided to drop Krebs’ blog.

    Why should you care?

    Well, let’s assume that the attack was against Krebs; not a far stretch because he blogs about cybersecurity and is not afraid to call out groups and individuals who are involved in stupid, pointless, or illegal interference with our daily online business and personal lives. In this case he called out the same people, vDOS, who were implicated in hundreds of pay-for-DDoS attacks. The vDOS vandals were associated with other cybercriminals including Lizard Squad. Lizard Squad was responsible for the 2014 Christmas outages at Sony and Microsoft. Remember the Christmas joy when you bought the kids that new PlayStation and they couldn’t connect? So the bad guys pointed the data cannon at Krebs and fired. Miss. But what about collateral damage?

    Akamai hasn’t yet released the financial impact of the attack against their servers but it will likely be in the range of several million dollars. Akamai was collateral damage. So were Akamai’s customers who were denied functionality during the event. So were the customers of these businesses, who depended upon access to data, news, and basic communication. Whether by design or as an unintended consequence, a cascade of financial and reputational loss ensued.

    How you might have been an unwitting accomplice

    Analysis of traffic in the DDoS indicated a “garbage web attack,” flooding a system with GET, SYN, and other requests. This kind of attack (currently) can’t be spoofed like a DNS attack; each requesting device must utilize generic routing encapsulation (GRE) packets. GRE is a protocol that establishes a discrete device-to-device connection and is attributable.
    In this garbage web attack, an enormous botnet was created by compromising internet of things (IoT) devices. When I say “enormous,” I mean hundreds of thousands of compromised IoT devices. Currently there are two major Tactics, Techniques, and Procedures (TTPs) used to form these botnets. The first and most obvious, scanning for unprotected devices. The second, compromising the control servers of the devices themselves. Both TTPs are enabled by malware that appeared on the web in 2015 and now appears in myriad forms and names. Coding skills are not required – you can buy an app or hire a service to conduct an attack.
    The IoT is ubiquitous and invisible – enabled devices range from automobiles to whiskey bottles and tennis rackets. As such, it’s possible that your smart TV, your doorbell camera, and your web-enabled refrigerator all were part of the cyber-gang that attacked Krebs’ site. The IoT, intended to enable convenience, safety, and remote operability, has evolved into the Internet of Irritating Things (IoIT).


    Before you confront your thermostat and demand an apology, understand that the IoIT is itself a victim. The IT industry has faced some challenges incorporating security as part of the software development process but we all benefit. Hardening systems and networks via software has begun to throttle botnets in general. Let’s make this personal -- in 2008, the Srizbi botnet created 60 percent of all spam worldwide, about 60 billion emails every day. Worldwide spam volume decreased by 75 percent when it was neutralized. It remains so in part by security in the development process as the internet grows and progresses.
    Accepting and integrating security/software development was not done overnight; it remains an ongoing process and for some the learning curve is quite steep. Now the IoT folks, hopefully, are learning the same lessons.

    Is your computer one of the living dead?

    Determining if your computer has been turned into a zombie and is mindlessly participating in a botnet can be done both digitally and physically:
    • Does your computer act “different?” Is it crashing and generating error messages for no apparent reason?
    • Does it take longer to start or shut down?
    • Does your fan kick in at high speed when you’re not using the computer?
    • Are you seeing high data rates on Task Manager while you are idle?
    If you notice these indications, an anti-virus program can help. At the worst you’ll need to wipe your drive and re-install your operating system. You did regularly back up all your data, right?

    Summary

    DDoS attacks can be initiated by an app, a program, or by hiring criminals to conduct a DDoS. DDoS attacks cost not only the target but also anyone associated with the target (cascading effect) and damage spreads geometrically. Consequences of an attack against almost any entity on the internet negatively affect us all in some way.
    Botnets enable DDoS attacks. Botnets can be created, rented, or purchased. Personal computers, giant corporate servers, and IoT devices as small as fitness trackers can be part of a botnet while owners and operators remain oblivious.
    It is possible to determine by observation and data analysis if you are part of a botnet. It’s much easier to defend your system than to restore it.
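    The post above describes the “garbage web attack” against Krebs’ site as a flood of GET and SYN requests from hundreds of thousands of compromised IoT devices, each attributable. The following is an added example, not part of the CSO article or this forum post, of how a defender might characterise such a flood in web-server logs: it buckets requests by second, flags a bucket that exceeds a multiple of a baseline rate, and reports how many distinct sources took part, so that a distributed botnet flood (many sources, each sending little) can be told apart from one noisy client. The log lines, IP addresses and baseline figure are constructed for the example.

```python
"""Flood characterisation over constructed web-server log lines.

Added example, not code from the CSO article or the forum post. Input is
combined-log-format style lines constructed inline; the baseline rate is a
parameter the operator supplies from their own normal traffic.
"""
from collections import Counter, defaultdict
from datetime import datetime
import re

# Matches the client address, timestamp, method and path of a combined-log line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')


def build_sample_log():
    """Constructed sample traffic (RFC 5737 documentation addresses).

    Seconds :00 and :01 hold normal traffic from three clients; second :02
    holds a distributed flood from 40 sources sending five requests each.
    """
    fmt = '{ip} - - [20/Sep/2016:20:15:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = []
    for sec in (0, 1):
        for i, ip in enumerate(("198.51.100.10", "198.51.100.11", "198.51.100.12")):
            for n in range(2):
                lines.append(fmt.format(ip=ip, sec=sec, path=f"/post/{i}{n}"))
    for host in range(1, 41):
        for _ in range(5):
            lines.append(fmt.format(ip=f"203.0.113.{host}", sec=2, path="/"))
    return lines


def parse(line):
    """Return (ip, second, method, path) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path = m.groups()
    when = datetime.strptime(ts.split(" ")[0], "%d/%b/%Y:%H:%M:%S")
    return ip, when, method, path


def bucket_by_second(lines):
    """Return {second: Counter(ip -> request count)} for parseable lines."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse(line)
        if rec:
            ip, when, _, _ = rec
            buckets[when][ip] += 1
    return buckets


def detect_floods(lines, baseline_rps, multiple=10):
    """Flag each second whose request count exceeds baseline_rps * multiple.

    Each finding records the total, the number of distinct sources and the
    share of requests from the busiest source. Many sources with a small
    top-source share is the signature of a distributed (botnet) flood.
    """
    findings = []
    for second, per_ip in sorted(bucket_by_second(lines).items()):
        total = sum(per_ip.values())
        if total > baseline_rps * multiple:
            top_ip, top_n = per_ip.most_common(1)[0]
            findings.append({
                "second": second.isoformat(),
                "requests": total,
                "sources": len(per_ip),
                "top_source": top_ip,
                "top_share": round(top_n / total, 3),
                "distributed": len(per_ip) >= 10 and top_n / total < 0.2,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_floods(build_sample_log(), baseline_rps=6):
        print(finding)
```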

