
Softpanorama Malware Protection Bulletin, 2014




Old News ;-)

[Nov 24, 2014] Regin, new computer spyware, discovered by Symantec

Nov 24, 2014 | BBC News

A leading computer security company says it has discovered one of the most sophisticated pieces of malicious software ever seen.

Symantec says the bug, named Regin, was probably created by a government and has been used for six years against a range of targets around the world.

Once installed on a computer, it can do things like capture screenshots, steal passwords or recover deleted files.

Experts say computers in Russia, Saudi Arabia and Ireland have been hit most.

It has been used to spy on government organisations, businesses and private individuals, they say.

Researchers say the sophistication of the software indicates that it is a cyber-espionage tool developed by a nation state.

They also said it likely took months, if not years, to develop and its creators have gone to great lengths to cover its tracks.

Sian John, a security strategist at Symantec, said: "It looks like it comes from a Western organisation. It's the level of skill and expertise, the length of time over which it was developed."

Symantec has drawn parallels with Stuxnet, a computer worm thought to have been developed by the US and Israel to target Iran's nuclear program.

That was designed to damage equipment, whereas Regin's purpose appears to be to collect information.

[Nov 21, 2014] Court Shuts Down Alleged $120M Tech Support Scam

November 19, 2014 |

wiredmikey writes A federal court has temporarily shut down and frozen the assets of two telemarketing operations accused by the FTC of scamming customers out of more than $120 million by deceptively marketing computer software and tech support services. According to complaints filed by the FTC, since at least 2012, the defendants used software designed to trick consumers into believing there were problems with their computers and then hit them with sales pitches for tech support products and services to fix their machines.

According to the FTC, the scams began with computer software that claimed to improve the security or performance of the customer's computer. Typically, consumers downloaded a free, trial version of the software that would run a computer system scan. The scan always identified numerous errors, whether they existed or not. Consumers were then told that in order to fix the problems they had to purchase the paid version of the software for between $29 and $49. In order to activate the software after the purchase, consumers were then directed to call a toll-free number and connected to telemarketers who tried to sell them unneeded computer repair services and software, according to the FTC complaint.

The services could cost as much as $500, the FTC stated.

[Nov 20, 2014] Amnesty International Releases Tool To Combat Government Spyware

Nov 20, 2014 | Posted by timothy on Thursday November 20, 2014 @04:34PM

New submitter Gordon_Shure_DOT_com writes

Human rights charity Amnesty International has released Detekt, a tool which finds and removes known government spyware programs. Describing the free software as the first of its kind, Amnesty commissioned the tool from prominent German computer security researcher and open source advocate Claudio Guarnieri, aka 'nex'.

While acknowledging that the only sure way to prevent government surveillance of huge dragnets of individuals is legislation, Marek Marczynski of Amnesty nevertheless called the tool (downloadable here) a useful countermeasure versus spooks. According to the app's instructions, it operates similarly to popular malware or virus removal suites, though systems must be disconnected from the Internet prior to it scanning.

mmell (832646) on Thursday November 20, 2014 @04:42PM (#48429681)

Don't bother. (Score:3)

If you're interesting enough that the NSA is watching what you do on your computer, the NSA is already watching what you do on your computer.

Now that you have detected this, other (possibly less subtle) methods will be used to ensure that you are appropriately monitored . . . but kudos to you for catching the NSA! X^D

Oh, and First Post!

Anonymous Coward on Thursday November 20, 2014 @05:23PM (#48429999)

The NSA is watching whether you're interesting or not. Apparently you didn't get the memo...

[Aug 15, 2014] "Please don't do anything evil" by Dan Goodin

The sorry story about booting from floppies is replicated on a new level (the fault specifically designed by Microsoft, probably with NSA in mind): Every time anybody connects a USB device to your computer, you fully trust them with your computer.
July 31 2014 | Ars Technica

"If you put anything into your USB [slot], it extends a lot of trust," Karsten Nohl, chief scientist at Security Research Labs in Berlin, told Ars. "Whatever it is, there could always be some code running in that device that runs maliciously. Every time anybody connects a USB device to your computer, you fully trust them with your computer. It's the equivalent of [saying] 'here's my computer; I'm going to walk away for 10 minutes. Please don't do anything evil."

In many respects, the BadUSB hack is more pernicious than simply loading a USB stick with the kind of self-propagating malware used in the Stuxnet attack. For one thing, although the Black Hat demos feature only USB2 and USB3 sticks, BadUSB theoretically works on any type of USB device. And for another, it's almost impossible to detect a tampered device without employing advanced forensic methods, such as physically disassembling and reverse engineering the device. Antivirus scans will turn up empty. Most analysis short of such sophisticated techniques relies on the firmware itself, and that can't be trusted.

"There's no way to get the firmware without the help of the firmware, and if you ask the infected firmware, it will just lie to you," Nohl explained.

Most troubling of all, BadUSB-corrupted devices are much harder to disinfect. Reformatting an infected USB stick, for example, will do nothing to remove the malicious programming. Because the tampering resides in the firmware, the malware can be eliminated only by replacing the booby-trapped device software with the original firmware. Given the possibility that traditional computer malware could be programmed to use BadUSB techniques to infect any attached devices, the attack could change the entire regimen currently used to respond to computer compromises.

"The next time you have a virus on your computer, you pretty much have to assume your peripherals are infected, and computers of other people who connected to those peripherals are infected," Nohl said. He said the attack is similar to boot sector infections affecting hard drives and removable storage. A key difference, however, is that most boot sector compromises can be detected by antivirus scans. BadUSB infections cannot.

The Black Hat presentation, titled "BadUSB - On accessories that turn evil", is slated to provide four demonstrations, three of which target controller chips manufactured by Phison Electronics. They include:

Mr.StR34k, Smack-Fu Master, in training

Abresh wrote:

So, does turning off autoplay on USB devices mitigate or prevent this attack or are we still screwed even if it is turned off and someone plugs a malicious USB thing into our computer?
Yes, I read the article but by the middle I was going "Wha?" and scratching my head puzzling over this.

My understanding is that if you plug it in, it will infect, auto play or not, and that this is not limited to any one operating system. This attack vector uses the actual firmware on the USB device, which tells the computer the type of device being plugged in. So you plug in an infected usb storage device, and it tells the computer that it's also a keyboard. Then it types commands as though you were doing it at your actual keyboard.

Scarily clever.....

Omoronovo, Wise, Aged Ars Veteran

Sneaky wrote:

Call me thick, but wouldn't it be rather obvious that your USB memory stick is being a keyboard, because it can't also be a memory stick. i.e. where the hell have all my files gone?

You aren't being thick, but you're wrong in thinking a USB device can only be one thing. There's nothing stopping a USB flash drive being fully functional as a USB flash drive whilst also surreptitiously acting as a keyboard if its firmware has been modified to advertise it as such.

A USB device can have multiple device IDs and be able to process commands as any of them.

Back in the early days of 3G dongles, they would show up as both the dongle itself and as a virtual CD drive from which to install the device driver from. This attack vector is the same concept, only for malicious intent and not built into the device intrinsically.
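As an added illustration of the composite-device point made in this thread (example code, not from the Ars article or the commenters): a small Python checker that parses text in the shape of Linux `lsusb -v` output and flags any device that advertises both a mass-storage interface and a HID (keyboard) interface, while leaving the legitimate storage-plus-modem combination of a 3G dongle alone. The format details, device names and vendor/product IDs below are constructed; the interface class codes (0x03 HID, 0x08 Mass Storage) are the standard USB-IF assignments.

```python
"""Flag USB devices that present as storage AND keyboard at the same time.

Added example, not from the article or the commenters. Input is text in the
shape of `lsusb -v` output (a "Bus ... Device ...: ID vvvv:pppp name" header
per device, then indented descriptor lines); the exact format is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import List, Set

# USB-IF interface class codes (decimal, as lsusb prints them).
HID_CLASS = 3            # keyboards, mice, ...
MASS_STORAGE_CLASS = 8   # flash drives, card readers, ...

DEVICE_RE = re.compile(
    r"^Bus (\d+) Device (\d+): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)$")
IFACE_CLASS_RE = re.compile(r"^\s*bInterfaceClass\s+(\d+)")


@dataclass
class UsbDevice:
    bus: str
    address: str
    vendor_id: str
    product_id: str
    name: str
    interface_classes: Set[int] = field(default_factory=set)


def parse_lsusb_verbose(text: str) -> List[UsbDevice]:
    """Collect, per device, the set of interface classes it advertises."""
    devices: List[UsbDevice] = []
    current = None
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:                      # start of a new device block
            current = UsbDevice(*m.groups())
            devices.append(current)
            continue
        m = IFACE_CLASS_RE.match(line)
        if m and current is not None:
            current.interface_classes.add(int(m.group(1)))
    return devices


def is_storage_plus_keyboard(dev: UsbDevice) -> bool:
    """The BadUSB pattern discussed above: a 'flash drive' that also types."""
    return (HID_CLASS in dev.interface_classes
            and MASS_STORAGE_CLASS in dev.interface_classes)


def find_suspicious(text: str) -> List[str]:
    """Return vendor:product IDs of devices matching the storage+HID pattern."""
    return [f"{d.vendor_id}:{d.product_id}"
            for d in parse_lsusb_verbose(text) if is_storage_plus_keyboard(d)]


# Constructed sample: a plain flash drive, a flash drive that also claims to be
# a keyboard, and a 3G dongle exposing modem + storage (legitimate composite).
SAMPLE_LSUSB = """\
Bus 001 Device 002: ID 1a2b:0001 ExampleCorp Flash Drive
Device Descriptor:
  Configuration Descriptor:
    bNumInterfaces          1
    Interface Descriptor:
      bInterfaceClass         8 Mass Storage

Bus 001 Device 003: ID 1a2b:0002 ExampleCorp Flash Drive
Device Descriptor:
  Configuration Descriptor:
    bNumInterfaces          2
    Interface Descriptor:
      bInterfaceClass         8 Mass Storage
    Interface Descriptor:
      bInterfaceClass         3 Human Interface Device
      bInterfaceProtocol      1 Keyboard

Bus 002 Device 004: ID 1a2b:0003 ExampleCorp 3G Modem
Device Descriptor:
  Configuration Descriptor:
    bNumInterfaces          2
    Interface Descriptor:
      bInterfaceClass       255 Vendor Specific Class
    Interface Descriptor:
      bInterfaceClass         8 Mass Storage
"""

if __name__ == "__main__":
    for dev in parse_lsusb_verbose(SAMPLE_LSUSB):
        verdict = "SUSPICIOUS" if is_storage_plus_keyboard(dev) else "ok"
        print(f"{dev.vendor_id}:{dev.product_id} {dev.name!r:32} "
              f"classes={sorted(dev.interface_classes)} -> {verdict}")
```

This only catches the storage-plus-keyboard combination the commenters describe; a device that advertises itself purely as a keyboard looks like any real keyboard, which is why device allow-listing (for example with USBGuard on Linux) rather than pattern matching is the stronger control.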

andrewd18, Ars Centurion

dfjdejulio wrote:

andrewd18 wrote:

Step 1: Build a convenient USB "charging station" for an airport.
Step 2: Insert BadUSB firmware exploit
Step 3: Wait for people to charge their phones.
Step 4: ???
Step 5: Profit!

This one, people can protect themselves from by using charging cables that do not actually have the data pins. Which are a good idea to carry while traveling, if you're not bringing your own trusted charging devices with you.

I have a hard enough time convincing my parents-in-law to stay off the "Free WIFI" SSIDs at the airport; now I need to convince them to use a special charging cable because of "malicious USB ports"? Ha. Fat chance. That's not only a behavior change but also an expenditure of money, all for a threat they can't identify.

Hacks where there is no visual difference in the operation of the device, like this one, are completely stealthed to the majority of end users. Trying to explain it just sounds like paranoia. "See? My phone is charging just fine and I can play my games, check my bank balance, and everything."

[Aug 15, 2014] Watch a Cat Video, Get Hacked


New submitter onproton writes: Citizen Lab released new research today on a targeted exploitation technique used by state actors involving "network injection appliances" installed at ISPs. These devices can target and intercept unencrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor. One of the researchers writes, "many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked, like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true." This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now - but just one more reminder to use https.

bbn (172659) on Friday August 15, 2014 @04:38PM (#47681107)

https is useless (Score:5, Insightful)

What good is https going to be against the state? You think they can not coerce Verisign et al to hand over a copy of the root keys?

heypete (60671) on Friday August 15, 2014 @05:00PM (#47681287) Homepage

Re:https is useless (Score:5, Informative)

What good is https going to be against the state? You think they can not coerce Verisign et al to hand over a copy of the root keys?

Sure, they could, but I doubt they are.

If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots. That's basically a death sentence to companies like VeriSign (rather, their cert-issuing division).

While typical users won't notice, there's still plenty of risk to getting caught, particularly when targeting anyone using major web properties: Chrome, for example, has a bunch of high-profile sites "pinned" and will report back to Google if bogus certs are being used (they identified a bunch of MITMing with compromised certs in Iran in this way). Other add-ons like Perspectives make it easier to detect if unexpected certs are showing up.

Could they get away with issuing infrequently-used certs for highly-targeted, one-off uses? Possibly, but each time they do the risk to their entire business increases.

I suspect the government would much prefer to do things sneakily in the shadows, rather than involving major CAs in such a risky role.

PopeRatzo (965947) on Friday August 15, 2014 @05:57PM (#47681721) Homepage Journal

Re:https is useless (Score:5, Insightful)

If VeriSign gets caught issuing bogus certs for the government, browser vendors will revoke their roots.

Hasn't history taught us that, "They wouldn't dare" is not something on which to base trust?

I'm sure there was some dim bulb somewhere who believed, long ago, that AT&T "wouldn't dare" help the government spy on people because then all their customers would cancel their service.

No, you've got to do better than, "I wouldn't think of doing such a thing" when it comes to 21st century governments.

SQLGuru (980662) on Friday August 15, 2014

Reduced rights (Score:3)

This is one of the reasons that I don't use an admin/root level account for normal activity. If I need those privs, I'll escalate my rights for a single action. While that also won't prevent all hacks, it drastically reduces my exposure.

vux984 (928602) on Friday August 15, 2014 @04:48PM (#47681195)

Re:Reduced rights (Score:3)

This is one of the reasons that I don't use an admin/root level account for normal activity.

A good practice to be sure.

While that also won't prevent all hacks, it drastically reduces my exposure.

Well, at least your device drivers are safe, and it's a little harder for you to join a botnet.

But pretty much everything you have of value can be accessed from user space, including all your documents. That's generally what identity and data thief hackers (and state actors) want.

SQLGuru (980662) on Friday August 15, 2014 @04:54PM (#47681239) Journal

Re:Reduced rights (Score:2)

They also have a harder time installing executable code.....if my browsing user can't install code, then they've only got memory to play with.

Not entirely true. It just can't install it in c:\program files or your platform's equivalent. It can drop executables in folders you DO have access to though, and run them from there. And even get them to auto run if it puts the start command in a settings file you can edit as that user.

MightyMartian (840721) on Friday August 15, 2014 @05:04PM (#47681319)

Well, there have been a whole host of attacks associated with vulnerable versions of Flash and Java that could at least cripple a profile. I ran up against one of them around 2010. One of the staff at one of our remote locations suddenly had all their files supposedly disappear, desktop wiped out and the like, and a notification about a ransom if they wanted the files back. The user had no admin privileges, so I checked, and sure enough, the other profiles were untouched. What had happened is the auto updater for the workstation had failed.

Now, while it's true that the operating system itself was not compromised, and no other systems or users on the network were compromised, certainly there was enough control to potentially view confidential data on shared drives. While this was relatively unsophisticated ransomware, it did teach me that merely obsessing about privilege escalation does not lead to a secure system. User profiles and directories can still potentially be vulnerable even if the malware can't root the system.

AmiMoJo (196126) on Friday August 15, 2014 @05:38PM (#47681607)

Run your browser in a VM, preferably using a different OS to the host. No access to the host filesystem, isolated from the real machine. Then at least only your browser data is vulnerable.

Animats (122034) on Friday August 15, 2014 @04:59PM (#47681273)

Flash vulnerability? (Score:4, Interesting)

Presumably this attack is via a Flash vulnerability. So why is there no mention of Adobe in the article? Why isn't Adobe being held responsible? Why are there still vulnerabilities in Flash? Who audits that code? Well?

Didn't look at the source of a Youtube page, did you? Look for "". Videos can also play with "HTML5 video", but there's Flash code there to be executed.

timeOday (582209) on Friday August 15, 2014 @06:15PM (#47681803)

No, I don't think it's a Flash vulnerability. It is awfully obscured in the article by general hand-waving, but I think the idea here is to trick people into installing an executable that isn't really Flash by causing an executable that presents itself as a Flash update to request installation. Since this happens while they are visiting youtube (with a man-in-the-middle doing the injection), the user may assume it is a legit update and install the malware.

In other words, Flash and Java are "exploited" only in the sense that people are so used to being pushed security updates, that they may accept a fake update delivered on an insecure connection.

Accepting a so-called Flash update from any untrusted site would accomplish the same thing. It really just boils down to the fact that every site is an untrusted site if you're not using https, since you don't know who all is in the middle.

raymorris (2726007) on Friday August 15, 2014 @05:30PM

Simpler way: virtualization + snapshot (Score:3)

You COULD modify the hardware etc., or just fire up Virtualbox, KVM, or qemu full screen for your web browsing and such. Set the virtualized image read-only, except when installing new software on it.

Beneath the virtual machine can either be a dedicated hypervisor or a very small Linux installation which has only a tiny attack surface.

raymorris (2726007) on Friday August 15, 2014 @05:24PM (#47681489)

Not wrong, or stupid, or insecure, just run Flash (Score:2)

TFS says:

> many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked-like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true. ... [Adobe Flash can be exploited by an ISP].

Hmm, so you don't have to do something stupid or insecure, just run Flash and Java. :)

Flash is mostly used for ads and malware, neither of which I want, so I don't run Flash in my default browsers. For many years, there has been precisely one site for which I ever had any interest in having Flash installed, that was Youtube. Not anymore.

Youtube no longer requires Flash.

[Jun 17, 2014] Zeus Trojan alternative hits the underground market By Lucian Constantin

June 11, 2014 | Computerworld/IDG News Service

Extensibility could help a new Trojan program called Pandemiya see wider distribution despite its high price, researchers say

A new Trojan program that can spy on victims, steal login credentials and interfere with browsing sessions is being sold on the underground market and might soon see wider distribution.

The new threat is called Pandemiya and its features are similar to that of the infamous Zeus Trojan program that many cybercriminal gangs used for years to steal financial information from businesses and consumers.

Zeus source code was leaked on underground forums in 2011, allowing other malware developers to create Trojan programs based on it, including threats like Citadel, Ice IX and Gameover Zeus, whose activity was recently disrupted by an international law enforcement effort.

"Pandemiya's coding quality is quite interesting, and contrary to recent trends in malware development, it is not based on Zeus source code at all, unlike Citadel/Ice IX, etc.," researchers from RSA, the security division of EMC, said Tuesday in a blog post. "Through our research, we found out that the author of Pandemiya spent close to a year of coding the application, and that it consists of more than 25,000 lines of original code in C."

The new Trojan program can inject rogue code into websites opened in a local browser, a technique known as Web injection; grab information entered into Web forms; steal files; and take screenshots. Because it has a modular architecture, its functionality can also be extended through individual DLL (dynamic link library) files that act as plug-ins.

Some of Pandemiya's existing plug-ins allow cybercriminals to open reverse proxies on infected computers, to steal FTP credentials and to infect executable files. Its creators are also working on others to enable reverse Remote Desktop Protocol connections and to allow the malware to spread through hijacked Facebook accounts, the RSA researchers said.

"Like many of the other Trojans we've seen of late, Pandemiya includes protective measures to encrypt the communication with the control panel, and prevent detection by automated network analyzers," the researchers said.

The new threat is being advertised on underground forums for US$1,500 for the core application and $2,000 with additional plug-ins, a relatively high entry price for cybercriminals. This aspect and the fact that it's new have kept Pandemiya from gaining popularity so far, but the ease with which it can be expanded with DLL plug-ins "could make it more pervasive in the near future," the RSA researchers said.

[Jun 10, 2014] Massive botnet takedown stops spread of Cryptolocker ransomware by Gregg Keizer

See also Cryptolocker Trojan (Win32/Crilock.A)
Jun 10, 2014 | Computerworld
The takedown earlier this week of a major malware-spewing botnet has crippled the distribution of Cryptolocker, one of the world's most sophisticated examples of ransomware, a researcher said today.

But replacements already stand in the wings, prepared to take Cryptolocker's place.

"Since last Friday, we've seen no new activity and no new infections," said Keith Jarvis, a security researcher at Dell SecureWorks' Counter Threat Unit (CTU), referring to Gameover Zeus, a two-year-old botnet that U.S. and foreign authorities took down in a broad coordinated campaign announced Monday. Gameover Zeus had been the sole distribution channel for Cryptolocker.

.... ... ...

On Monday, the U.S. Department of Justice (DOJ) revealed that it, along with law enforcement agencies in several other countries, including Australia, Germany, France, Japan, Ukraine and the U.K., had grabbed control of the Gameover Zeus botnet. Criminal charges have also been filed against the alleged administrator of the botnet.

... ... ...

Jarvis said that SecureWorks -- which has been in the forefront of analyzing Cryptolocker, and was one of the private security firms that assisted law enforcement prior to this week's take-down -- estimated the Cryptolocker haul at a minimum of $10 million since its debut.

... ... ...

Some victims who refused to pay the ransom incurred significant losses recovering control of their files and restoring files from backups, if they had them. During their investigation, U.S. authorities interviewed numerous Cryptolocker victims; examples cited in court documents said businesses pegged recovery and remediation costs between $30,000 and $80,000.

... "This is a well-written piece of software," said Jarvis. "And they got the encryption right. There are no loopholes and no flaws."

Earlier examples of ransomware were often sloppy, and in some cases their lock-out mechanisms could be circumvented. Not so with Cryptolocker. Once run, it left victims with only two options: Pay the ransom or restore the now-inaccessible data from backups.

... ... ...

[Jun 02, 2014] Wham bam Global Operation Tovar whacks CryptoLocker ransomware & GameOver Zeus botnet

So it took more than half a year (8 months) to get to the bottom; and at the end it was Symantec researchers who "poisoned" the botnet. I think all federal officials in three letter agencies responsible for that should be fired...
Computerworld Blogs
"Evgeniy Bogachev and the members of his criminal network devised and implemented the kind of cybercrimes that you might not believe if you saw them in a science fiction movie," reported the DOJ.

By secretly implanting viruses on computers around the world, they built a network of infected machines – or "bots" – that they could infiltrate, spy on, and even control, from anywhere they wished. Sitting quietly at their own computer screens, the cyber criminals could watch as the Gameover Zeus malware intercepted the bank account numbers and passwords that unwitting victims typed into computers and networks in the United States.

And then the criminals turned that information into cash by emptying the victims' bank accounts and diverting the money to themselves.

Justice Department Assistant Attorney General Leslie Caldwell stated:

Over the weekend, more than 300,000 victim computers have been freed from the botnet – and we expect that number to increase as computers are powered on and connected to the internet this week. We have already begun providing victim information to private sector parties who are poised to assist them. I am also pleased to report that, by Saturday, Cryptolocker was no longer functioning and its infrastructure had been effectively dismantled. Through these court-authorized operations, we have started to repair the damage the cyber criminals have caused over the past few years, we are helping victims regain control of their own computers, and we are protecting future potential victims from attack.

US-CERT (United States Computer Emergency Readiness Team) also issued a GameOver Zeus P2P Malware alert today.

GameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing malware identified in September 2011, uses a decentralized network infrastructure of compromised personal computers and web servers to execute command-and-control. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), is releasing this Technical Alert to provide further information about the GameOver Zeus botnet.

[Jun 02, 2014] Game Over for 'Gameover' Malware

Two of the most insidious and widespread types of malware have been "disrupted," and at least one man allegedly behind them has been indicted, according to an announcement today (June 2) by the United States Department of Justice.

In a partnership with security companies, experts and other countries' law-enforcement agencies, the Department of Justice helped orchestrate "Operation Tovar," a mission to identify the criminals behind the Gameover banking Trojan and the botnet it controls, as well as the Cryptolocker ransomware, and sabotage the associated crimeware campaigns.

According to Deputy U.S. Attorney General James Cole, the Gameover operation was successful and the group's alleged leader, Russian citizen Evgeniy Mikhailovich Bogachev, has been indicted by a federal grand jury in Pittsburgh.

Gameover, adapted from the infamous ZeuS banking Trojan after the ZeuS source code was released in 2011, infects Windows computers worldwide and corrals them into a botnet, intercepts users' passwords and other financial information and uses the stolen credentials to make or redirect wire transfers from the bank accounts of infected users to accounts controlled by the criminals behind the malware. According to Cole, Gameover has been implicated in the theft of more than $100 million dollars from American victims alone.

The Gameover botnet has also been identified as the primary distributor of Cryptolocker, a type of ransomware which holds infected computers "ransom" by using encryption to render the files on them unreadable.

The 14-count indictment against Bogachev, who is believed to be in southern Russia, accuses him of acting as the administrator of the Gameover botnet. The counts include conspiracy, computer hacking, wire fraud, bank fraud and money laundering.

At the same time, an Omaha, Nebraska criminal complaint charges Bogachev with conspiracy to commit bank fraud in a separate case involving a variant of the ZeuS malware called "Jabber ZeuS," after the instant-messaging software it used to communicate with its handlers.

A third civil injunction filed by the United States in the Pittsburgh federal court alleges that Bogachev is the leader of a cybercrime gang responsible for creating and operating both Gameover and Cryptolocker.

In addition, the Pittsburgh court also authorized U.S. law enforcement to intercept traffic between computers infected with Gameover and Cryptolocker and the servers controlling these malicious programs. For example, the FBI can collect the IP addresses of computers infected with these types of malware in order to help study them and devise defenses against them.

"At no point during the operation did the FBI or law enforcement access the content of any of the victims' computers or electronic communications," the Department of Justice announcement states.

However, judging by similar situations, it is highly unlikely that Bogachev will actually face trial in the US.

[Jun 02, 2014] Fed Cyber Sleuths Stop 'Gameover Zeus' and 'Cryptolocker' Crime Sprees

ABC News

The Justice Department has disrupted what it calls one of the most sophisticated cyber threats ever, and they are now trying to capture the man behind it all, federal prosecutors announced today.

Over the weekend, federal cyber cops essentially paralyzed a massive computer virus known as "Gameover Zeus," which diverted millions of dollars from companies' bank accounts, and blocked another virus known as "Cryptolocker," which first took control of a user's computer files and then demanded ransom in return for the user's own files, according to federal prosecutors. Both viruses were the work of an overseas criminal gang allegedly run by Russian hacker Evgeniy Bogachev, who is now among the FBI's most-wanted cyber criminals.

"Evgeniy Bogachev and the members of his criminal network devised and implemented the kind of cyber-crimes that you might not believe if you saw them in a science fiction movie," the head of the Justice Department's Criminal Division, Leslie Caldwell, told reporters in Washington. "By secretly implanting viruses on computers around the world, they built a network of infected machines – or 'bots' – that they could infiltrate, spy on, and even control, from anywhere they wished."

Starting in 2011, Bogachev, 30, allegedly used "spear-phishing" – or fake – emails to infect computers with the "Gameover Zeus" virus. Once infected, Bogachev would "hijack computer sessions and steal confidential and personal financial information" that could then be used to funnel money overseas, according to U.S. Attorney for the Western District of Pennsylvania David Hickton.

In October 2011, a Pennsylvania composite materials company was hit, and "within a matter of hours after banking credentials were compromised, hundreds of thousands of dollars were being siphoned from the company's bank accounts," Hickton said.

More than two years later, in November last year, the police department in Swansea, Mass., became a victim of the "Cryptolocker" virus when an employee opened an email that looked like it was from a "trusted source," Hickton said. When "Cryptolocker" strikes, a timer often appears on victims' computer screens, giving them 72 hours to pay hundreds of dollars if they want their files back – from family photos to business records, law enforcement officials said.

In the case of the Swansea police department, the department paid the ransom and contacted the FBI, according to law enforcement officials.

As of April 2014, "Cryptolocker" had attacked more than 200,000 computers, and more than half of those attacks occurred in the United States, Deputy Attorney General Jim Cole said. In addition, in its first two months of operation alone, the criminals behind "Cryptolocker" collected an estimated $27 million in ransom payments from victims, he said.

As for the "Gameover Zeus" virus, security researchers estimate that between 500,000 and 1 million computers around the world have been infected with it, and a quarter of the victims are inside the United States, according to Cole. In total, federal authorities believe U.S. victims, often small and mid-size businesses, have lost more than $100 million to "Gameover Zeus."

Federal authorities believe the man running the Eastern European criminal gang responsible for the two viruses is now in Russia, and they are hoping the Russian government will help bring him to justice.

The Justice Department unsealed criminal charges in Pittsburgh, Pa., and in Omaha, Neb., charging Bogachev with computer hacking, wire fraud, bank fraud, money laundering and other violations of U.S. law.

To keep "Gameover Zeus" from being reconstituted, federal authorities have obtained court approval to redirect communications from "malicious servers" to substitute servers, and both U.S. and foreign law enforcement officials seized computer servers integral to "Cryptolocker," authorities said today.

[Jun 02, 2014] Global police operation disrupts aggressive Cryptolocker virus by Tom Brewster & Dominic Rushe

[Jun 02, 2014] The Guardian

US authorities named Russian national Evgeniy Bogachev as the face of a malicious software scheme responsible for stealing millions from people around the world, after a successful campaign to disrupt two major computer networks.

Digital police from across the globe announced they had seized control over the weekend of two computer networks that had been used to steal banking information and ransom information locked in files on infected computers. But they warned people with infected computers to take action now to prevent further attacks.

US and European officials announced they had managed to crack the malicious software (malware) known as Gameover Zeus that had been used to divert millions of dollars to bank accounts of criminals. The authorities have also cracked Cryptolocker – a malware that shut out hundreds of thousands of users from their own computers and ransomed the data.

... ... ...

The US authorities identified Bogachev, of Anapa in the Russian Federation, as Gameover Zeus's main administrator. At a press conference, deputy attorney general James Cole called him "a true 21st-century criminal who commits cybercrimes across the globe with the stroke of a key and the click of a mouse … These crimes have earned Bogachev a place on its list of the world's most-wanted cyber criminals."

According to the FBI's "cyber most wanted" list Bogachev has been using variants of the Zeus malware since 2009 and communicates using the online monikers "lucky12345" and "slavik". Gameover Zeus (GOZ) started appearing in 2011 and is believed to be "responsible for more than one million computer infections, resulting in financial losses in the hundreds of millions of dollars".

"He is known to enjoy boating and may travel to locations along the Black Sea in his boat," according to the FBI.

The Cryptolocker software locked PC users out of their machines, encrypting all their files and demanding payment of one Bitcoin (currently worth around £300, or $650) for decryption.

It's believed Cryptolocker, which the FBI estimated acquired $27m in ransom payments in just the first two months of its life, has infected more than 234,000 machines.

A chief suspect from Russia has been identified, but is still at large, Troels Oerting, head of Europol's European Cyber Crime Centre (EC3) told the Guardian. He said other arrests related to the operation were "in progress".

The global effort to stop the spread of the Cryptolocker ransomware has focused on its delivery method, GOZ. The malware connected infected machines by peer-to-peer connections – in theory making it harder for the authorities to track and stop.

GOZ was designed to steal people's online banking login details, who were usually infected by clicking on attachments or links in emails that looked innocuous. However, it also dropped Cryptolocker on their computers.

"Nobody wants their personal financial details, business information or photographs of loved ones to be stolen or held to ransom by criminals," said Andy Archibald, deputy director of the NCA's National Cyber Crime Unit.

... ... ...

Not-for-profit body Get Safe Online has worked with the NCA to launch a dedicated section of its website to provide guidance and tools, although at the time of publication the website appeared to be offline.

Behind the scenes, the law enforcement groups have been taking over points of control in GOZ's peer-to-peer network: an action known as "sinkholing" in the security world. By doing this, they have been able to cut off criminal control over the infected computers.

Dismantling peer-to-peer operated malware is difficult, but it has been done before: for example one case of a data-stealing virus called ZeroAccess, which infected as many as 1.9m PCs in 2013.

In that case, security researchers from Symantec managed to send lists of fake peers to infected machines, which meant they could no longer receive commands from the controllers of the malicious network, known as a botnet.

Symantec researchers said today that key nodes in GOZ's network had been disabled, along with a number of the domains used by the attackers.
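The peer-list poisoning described above, as an added toy simulation (not the page's or Symantec's code, and not GOZ's real protocol): bots refresh a bounded peer list by asking a random known peer for its list, researcher-run sinkholes answer with nothing but sinkhole addresses, and the share of bots a controller command can still reach is measured before and after. Network size, list size, round count, the seeded bots and the operator's entry bots are constructed values.

```python
"""Toy model of sinkholing a peer-to-peer botnet by poisoning peer lists.

Constructed example: bots hold a bounded peer list, refresh it by asking a random
peer for its list, and controller commands are flooded along those links. The
real GOZ protocol is not modelled; only the takedown mechanism is.
"""
import random

N_BOTS = 200   # constructed network size
K = 8          # assumed bound on a bot's peer list
SINKHOLES = tuple(f"sink{i}" for i in range(K))   # researcher-run nodes, never forward commands
SINK_SET = frozenset(SINKHOLES)


def build_network(rng):
    """Each bot knows K others: two ring neighbours (keeps the overlay connected) plus random picks."""
    peers = {}
    for b in range(N_BOTS):
        known = {(b + 1) % N_BOTS, (b + 2) % N_BOTS}
        while len(known) < K:
            c = rng.randrange(N_BOTS)
            if c != b:
                known.add(c)
        peers[b] = sorted(known)
    return peers


def peer_reply(peers, nid):
    """Answer a 'send me your peer list' request; a sinkhole only ever advertises sinkholes."""
    if nid in SINK_SET:
        return list(SINKHOLES)
    return list(peers[nid])


def gossip_round(peers, rng):
    """Every bot asks one random known peer for its list and prefers the freshly learned entries."""
    for b in range(N_BOTS):
        learned = peer_reply(peers, rng.choice(peers[b]))
        merged = []
        for p in learned + peers[b]:
            if p != b and p not in merged:
                merged.append(p)
        peers[b] = merged[:K]


def announce_sinkhole(peers, rng, n_seeded):
    """First step of the takedown: a few bots are told about one sinkhole address."""
    for b in rng.sample(range(N_BOTS), n_seeded):
        peers[b] = [SINKHOLES[0]] + peers[b][: K - 1]


def command_reach(peers, entry_bots):
    """Flood a controller command from the bots the operator can still contact directly;
    return the fraction of bots that end up receiving it. Sinkholes swallow commands."""
    received = set(entry_bots)
    frontier = list(entry_bots)
    while frontier:
        nxt = []
        for b in frontier:
            for p in peers[b]:
                if p not in SINK_SET and p not in received:
                    received.add(p)
                    nxt.append(p)
        frontier = nxt
    return len(received) / N_BOTS


def poisoned_fraction(peers):
    """Bots whose peer list holds nothing but sinkholes can neither fetch nor relay commands."""
    return sum(all(p in SINK_SET for p in peers[b]) for b in range(N_BOTS)) / N_BOTS


def simulate(seed=42, rounds=30, n_seeded=10, entry_bots=range(5)):
    """Return (reach before sinkholing, reach after, fraction of fully cut-off bots)."""
    rng = random.Random(seed)
    peers = build_network(rng)
    entry = list(entry_bots)
    before = command_reach(peers, entry)
    announce_sinkhole(peers, rng, n_seeded)
    for _ in range(rounds):
        gossip_round(peers, rng)
    return before, command_reach(peers, entry), poisoned_fraction(peers)


if __name__ == "__main__":
    before, after, cut_off = simulate()
    print(f"command reach before sinkholing: {before:.0%}")
    print(f"command reach after 30 gossip rounds: {after:.0%}")
    print(f"bots whose peer list is all sinkholes: {cut_off:.0%}")
```

The bots the operator still reaches directly keep receiving commands, which is why the articles stress that the disruption is temporary unless infected machines are cleaned.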

... ... ...

wombatman -> Worried9876

I read it was hackers from both Russia and Ukraine who started it off; it is just that now the USA have filed a case against just one individual, who is Russian (Evgeniy Mikhailovich Bogachev).

Clearly, however, this was not a one-person operation, but cynical people may say the USA would not like to name any Ukrainian defendants in this case. The complaint even names him as the alleged leader of the criminal enterprise.


<quote> "Nobody wants their personal financial details, business information or photographs of loved ones to be stolen or held to ransom by criminals,"</quote>

...with the exception of the criminals von NSA/NCHQ?

Katagami -> Ninetto

...with the exception of the criminals von NSA/NCHQ?

Oh ffs change the record.

This is about criminal organisations screwing over people like me and you. It's got nothing to do with intelligence agencies collecting data and if anything they should be given some credit here.

Wake up and stop attributing blame to something you (probably) know very little about.

tr1ck5t3r -> Jack Jazz

This only affects Windows PCs.

If people want to install a safe operating system on their computer, Ubuntu has achieved the highest rating out of all the operating systems when reviewed by an arm of GCHQ.

And whilst the report focuses on Ubuntu 12.04 LTS, the new Ubuntu 14.04 LTS is available to download with even more privacy and security enhancements.

It won't cost you a penny.


Very poor publicity by the NCA. It's not merely this article which is confusing: the NCA's own announcement fails to explain the significance of this "two-week opportunity".

wombatman -> Sheepless

The authorities disrupted the command and control (C&C) servers that were managing the major network distributing the GameoverZeuS Trojan and the Cryptolocker ransomware. It's only a matter of time before those behind the botnet set up new C&C servers and regain control. Though that may even happen in days and not the 2 weeks.

Ortho -> wombatman

Yeah, the 'two weeks' thing is just a random estimate. Not at all helpful.
What they should be saying is 'get your computer protected NOW- and keep it up to date in future'.


On AVG there is a blog post from October 2013 detailing how this came to light Sep'13. Someone above wrote "Symantec may be able to act that fast..." Almost a year after the fact?? Seriously - who is this targeted at?


Some viruses have been undiscovered for several years.

Antivirus is next to useless for zero day exploits.


It's my belief that these viruses come from the security software houses. It is their way of keeping us buying their software. LOL

I don't see what difference 2 weeks will make.

Paul Tunstead -> RobDeManc

Wow, you're onto how big pharma works, well done you.

consciouslyinformed -> RobDeManc

And who says a little suspicion does anyone harm? I agree with your concerns, and have stated comments like yours. Worked in marketing companies for a few years prior to university, and this is indeed the type of gnarly stuff companies do, in order to continue making $$$$ from established customers!!


Meh, worst case it needs a fresh install, anyone with half a brain should have back-ups of important stuff.


The sort of person who doesn't have adequate protection is often the same sort of person who, when you ask about what they use for backing up, says, 'backing up?'.


Installing is time consuming. You need everything you are used to as well as the OS. It takes me about 2 weeks to get a formatted drive back to how I like it by re-installing everything.

No hassle with Clonezilla though (about 1 hr to get my machine back). Don't even need to install anything. Just image regularly.


Unfortunately - if you are already infected, as soon as you connect your memory stick or external drive, the trojan will start encrypting its content.

[Feb 07, 2014] Security Researcher Punches Holes In NBC's 'Everyone Going To Sochi Will Be Hacked' Story; NBC Doubles Down In Response Techd

Earlier this week, NBC "reported" that journalists and visitors to Sochi are being immediately hacked virtually as soon as they acquire a connection. [AUTOPLAY WARNING.] NBC presented this as something completely inescapable in its report, which purportedly showed NBC journalist Richard Engel's cellphone and laptop being compromised "before he even finished his coffee."

All very scary but all completely false.

Errata Security points out that the entire situation was fabricated.

The story shows Richard Engel "getting hacked" while in a cafe in Russia. It is wrong in every salient detail.

They aren't in Sochi, but in Moscow, 1007 miles away.

The "hack" happens because of the websites they visit (Olympic themed websites), not their physical location. The results would've been the same in America.

The phone didn't "get" hacked; Richard Engel initiated the download of a hostile Android app onto his phone.

...and in order to download the Android app, Engel had to disable a lock that prevents such downloads -- something few users do [update].

While your average person might be lured to sketchy sites supposedly related to the Olympics, most of these people wouldn't have disabled the default locks on their phone, as Robert Graham at Errata Security points out.

silverscarcat (profile)

Stupid people do stupid things!

News at 11!

Anonymous Coward

You trust mainstream media these days?

[Jan 14, 2014] Chrome 32 launches with better malware blocking

Google today released Chrome version 32 for Windows, Mac, and Linux. The new version includes tab indicators, a new look for Windows 8 Metro mode, and automatic blocking of malware downloads. You can update to the latest release now using the browser's built-in silent updater, or download it directly from

...The third point refers to a change in the company's Safe Browsing service, which warns users about malicious websites and malicious files. Added to the Chrome dev build back in October, Google's browser will now automatically block malware files, letting you know in a message at the bottom of your screen. You can "Dismiss" the message, and Google says you can circumvent the block but it will take more steps than before.

[Jan 14, 2014] N.S.A. Devises Radio Pathway Into Computers

This is not very efficient, as it requires close proximity of an expensive relay station to the target (within a couple of miles) and is easily defeated by a Faraday cage. It is also self-limiting, as the relay needs to be installed in the vicinity and will lose the connection if, say, the laptop travels outside the area. So it is probably used only against high-value targets. But the idea is devious. Will those technologies now migrate downstream? See a good summary of the NYT article at Modern spying 101: How NSA bugs Chinese PCs with tiny USB radios

"What's new here is the scale and the sophistication of the intelligence agency's ability to get into computers and networks to which no one has ever had access before," said James Andrew Lewis, the cybersecurity expert at the Center for Strategic and International Studies in Washington. "Some of these capabilities have been around for a while, but the combination of learning how to penetrate systems to insert software and learning how to do that using radio frequencies has given the U.S. a window it's never had before."

... ... ...

One, called Cottonmouth I, looks like a normal USB plug but has a tiny transceiver buried in it. According to the catalog, it transmits information swept from the computer "through a covert channel" that allows "data infiltration and exfiltration."

Another variant of the technology involves tiny circuit boards that can be inserted in a laptop computer - either in the field or when they are shipped from manufacturers - so that the computer is broadcasting to the N.S.A. even while the computer's user enjoys the false confidence that being walled off from the Internet constitutes real protection.

... ... ...

"Continuous and selective publication of specific techniques and tools used by N.S.A. to pursue legitimate foreign intelligence targets is detrimental to the security of the United States and our allies," Ms. Vines, the N.S.A. spokeswoman, said.

But the Iranians and others discovered some of those techniques years ago. The hardware in the N.S.A.'s catalog was crucial in the cyberattacks on Iran's nuclear facilities, code-named Olympic Games, that began around 2008 and proceeded through the summer of 2010, when a technical error revealed the attack software, later called Stuxnet. That was the first major test of the technology.

One feature of the Stuxnet attack was that the technology the United States slipped into the Natanz plant was able to map how it operated, then "phone home" the details. Later, that equipment was used to insert malware that blew up nearly 1,000 centrifuges, and temporarily set back Iran's program.

[Jan 02, 2014] Unencrypted Windows Crash Reports a Blueprint For Attackers

January 02, 2014 | Slashdot


An anonymous reader writes "According to Forbes online, up to 1 billion PCs are at risk of leaking information that could be used as a blueprint for attackers to compromise a network from Microsoft Windows Error Reporting (WER) crash reports that are sent in the clear. Researchers at Websense Labs released a detailed overview of the data contained in the crash reports, shortly after Der Spiegel released documents alleging that nation-state hackers may have used this information to execute highly targeted attacks with a low risk of detection, by crafting attacks specifically for vulnerable applications that are running on the network. Also interesting to think that Microsoft knows exactly what model of phones that you have plugged into your PC..."

Anonymous Coward

Oh, b.s. troll & here's how + why

You CAN security-harden Windows (just as well as anything else) via this guide I wrote up in 1997-2008.

I truly don't *think* that you "p.r. fanboys" for other alternate *NIX based OS understand something - when you post b.s. online, SOMEONE will spot it, and shred you for it... I mean, for YEARS here all you heard was (more or less) "*NIX = invulnerable & Windows = vulnerable"... well, new news: Look @ ANDROID (yes, it's a Linux) - it's being infested FAR FASTER than any Windows EVER WAS in the SAME timeframe. That tell you anything boys?

Well, then these results ought to (as a SINGLE example of many I've seen as a result, especially after CIS Tool usage which makes it cake to do & FUN in a nerdy kind of way):


"Its 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008.
Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! Its made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, need system local)"


It works, & is PROOF of my statements here.


P.S.=> Additionally - IF you trust SeLinux? Better think again - look who created it (NSA)... apk


Re:Not everything is about software security. (5, Informative)

If you're really concerned about security on your individual systems, DONT USE WINDOWS. There, fixed it for ya.

Ubuntu does the same, if not worse.

Apport intercepts program crashes, collects debugging information about the crash and the operating system environment, and sends it to bug trackers in a standardized form. It also offers the user to report a bug about a package, again collecting as much information about it as possible.

It currently supports

- Crashes from standard signals (SIGSEGV, SIGILL, etc.) through the kernel coredump handler (in piping mode)
- Unhandled Python exceptions
- GTK, KDE, and command line user interfaces
- Packages can ship hooks for collecting specific data (such as /var/log/Xorg.0.log for, or modified gconf settings for GNOME programs)
- apt/dpkg and rpm backend (in production use in Ubuntu and OpenSUSE)
- Reprocessing a core dump and debug symbols for post-mortem (and preferably server-side) generation of fully symbolic stack traces (apport-retrace)
- Reporting bugs to Launchpad (more backends can be easily added)

Anonymous Coward

This was so obvious 10 years ago (0)

I should consider making a list of obvious things that will prove to be security risks in the future for everyone to be aware of it. This was so expected.

breaking news:
- the NSA tampers with scripts hosted on 90% of the internet impacted.

At least with the gifted nose I have for smelling crap I must say none of Snowden's revelations made me bat an eye or change any passwords.


Duh (5, Funny)

Also interesting to think that Microsoft knows exactly what model of phones that you have plugged into your PC...

Wait, you mean my crash reports include a list of devices?!?

The horror.


Reading the article, it says that each time you plug in a new USB device, it automatically sends that information to Microsoft. Even if you don't send the Windows crash reports to Microsoft, your computer is still phoning home each time you install a new USB device.

Duh, how does it search for drivers on Windows Update then? Turn off that functionality and then check, if it still does, then it's news.

Next you will tell me that my browser is broadcasting an IP Address.


Sorry; perhaps I'm being incredibly ignorant here (I'm the AC that posted above), but my understanding was that Windows came with a bunch of generic drivers for devices, and only checked Windows Update for a device if you told it to when installing the device.

Am I wrong?

Windows typically checks Windows Update for drivers for all newly-connected devices, then looks for locally-installed drivers if the Windows Update check didn't find anything. Certain devices (like USB mass storage devices, for example) are installed using local drivers first, as most people want their USB flash drives to work as soon as possible but are willing to wait a few tens of seconds for other devices.

Ignoring privacy concerns, this is a fairly sensible thing: more devices can be "plug and play" and this benefits users. Similarly, while a driver might be included on a CD that comes with a device, it might be outdated -- an online check with Windows Update can retrieve the latest driver.

Anonymous Coward | 7 hours ago

There are two cases where it will do this, both are optional:
1. to install a driver for the device
2. for a shiny graphic in Explorer/Device Stage

You can control both trivially:


Copyright © 1996-2020 by Softpanorama Society. was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.


Last modified: March, 12, 2019