Comments for TrustDefender Labs http://www.trustdefender.com/blog Technical Updates from the TrustDefender Labs Thu, 28 Jan 2010 16:32:42 +0000 http://wordpress.org/?v=2.9.2 hourly 1 Comment on The nastiest ebanking trojan mebroot just got nastier by LLoyd http://www.trustdefender.com/blog/2009/07/09/the-nastiest-ebanking-trojan-mebroot-just-got-nastier/comment-page-1/#comment-256 LLoyd Thu, 28 Jan 2010 16:32:42 +0000 http://www.trustdefender.com/blog/?p=176#comment-256 I am infected with the same virus. What shall one do?? Thanks Lloyd I am infected with the same virus. What shall one do??
Thanks
Lloyd

]]> Comment on New Mebroot/Sinowal/MBR/Torpig variant in the wild – virtually undetected and more dangerous than ever by Elric http://www.trustdefender.com/blog/2009/04/04/new-mebrootsinowalmbrtorpig-variant-in-the-wild-virtually-undetected-and-more-dangerous-than-ever/comment-page-1/#comment-253 Elric Wed, 20 Jan 2010 20:32:03 +0000 http://www.trustdefender.com/blog/?p=125#comment-253 Does the drive-by infection require admin privileges to work? Does the drive-by infection require admin privileges to work?

]]> Comment on The nastiest ebanking trojan mebroot just got nastier by Josh http://www.trustdefender.com/blog/2009/07/09/the-nastiest-ebanking-trojan-mebroot-just-got-nastier/comment-page-1/#comment-247 Josh Mon, 23 Nov 2009 23:14:14 +0000 http://www.trustdefender.com/blog/?p=176#comment-247 This is the only site on the net covering the latest in Mebroot virus infections. I am also investigating a system that just got a Mebroot infection two days ago, and it's extremely nasty. I've worked in IT and been hacking Windows internals for 15 years and just can't believe how bad this one really is. What are the removal steps for this latest iteration? This is the only site on the net covering the latest in Mebroot virus infections. I am also investigating a system that just got a Mebroot infection two days ago, and it’s extremely nasty. I’ve worked in IT and been hacking Windows internals for 15 years and just can’t believe how bad this one really is.

What are the removal steps for this latest iteration?

]]> Comment on MBR/Mebroot/Sinowal/Torpig is back – better than ever by Jon Austenaa http://www.trustdefender.com/blog/2009/01/07/mbrmebrootsinowaltorpig-is-back-%e2%80%93-better-than-ever/comment-page-1/#comment-242 Jon Austenaa Sun, 01 Nov 2009 00:58:37 +0000 http://www.trustdefender.com/blog/?p=65#comment-242 Norton Internet Security 2009 is NOT one of the best Antivirus Engines at all. At work I've had lots of problems, like Office Word closing if changing resolution and NORTON runs, lisence problems needing to download some fix app to fix, and lastly network functionality broken after an unsuccessfull Norton Internet Security uninstall. The Norton remnants in Add/remove programs control panel couldn't find some path. After checking Symantecs website I was directed to a page that complained about some required to download an ActiveX component. This component failed to install and I had to download a file instead. That file wouldn't run due to an invalid signature error. To fix that I had to register a ton of files with regsvr32. Im reccommending and installing Avast at work now. http://www.jooh.no/root/pix/Norton_problems/ Norton Internet Security 2009 is NOT one of the best Antivirus Engines at all. At work I’ve had lots of problems, like Office Word closing if changing resolution and NORTON runs, lisence problems needing to download some fix app to fix, and lastly network functionality broken after an unsuccessfull Norton Internet Security uninstall. The Norton remnants in Add/remove programs control panel couldn’t find some path. After checking Symantecs website I was directed to a page that complained about some required to download an ActiveX component. This component failed to install and I had to download a file instead. That file wouldn’t run due to an invalid signature error. To fix that I had to register a ton of files with regsvr32. Im reccommending and installing Avast at work now.

http://www.jooh.no/root/pix/Norton_problems/

]]> Comment on A first look at Microsoft’s free Antivirus Engine Security Essentials (MSE) by antivirus market share | ANTIVIRUS http://www.trustdefender.com/blog/2009/10/01/a-first-look-at-microsoft%e2%80%99s-free-antivirus-engine-security-essentials-mse/comment-page-1/#comment-241 antivirus market share | ANTIVIRUS Sat, 31 Oct 2009 07:48:43 +0000 http://www.trustdefender.com/blog/?p=222#comment-241 [...] TrustDefender Labs » A first look at Microsoft's free Antivirus … [...] [...] TrustDefender Labs » A first look at Microsoft's free Antivirus … [...]

]]> Comment on New Mebroot/Sinowal/MBR/Torpig variant in the wild – virtually undetected and more dangerous than ever by STeven http://www.trustdefender.com/blog/2009/04/04/new-mebrootsinowalmbrtorpig-variant-in-the-wild-virtually-undetected-and-more-dangerous-than-ever/comment-page-1/#comment-227 STeven Fri, 16 Oct 2009 17:09:10 +0000 http://www.trustdefender.com/blog/?p=125#comment-227 If i get a notice from my ISP i have torpig, how can i find it on a network with over 300 pc If i get a notice from my ISP i have torpig, how can i find it on a network with over 300 pc

]]> Comment on A first look at Microsoft’s free Antivirus Engine Security Essentials (MSE) by Mint Technology - Blog | Antivirus makers applaud, mock Microsoft Security Essentials http://www.trustdefender.com/blog/2009/10/01/a-first-look-at-microsoft%e2%80%99s-free-antivirus-engine-security-essentials-mse/comment-page-1/#comment-226 Mint Technology - Blog | Antivirus makers applaud, mock Microsoft Security Essentials Fri, 09 Oct 2009 23:16:08 +0000 http://www.trustdefender.com/blog/?p=222#comment-226 [...] TrustDefender Labs » A first look at Microsoft’s free Antivirus … [...] [...] TrustDefender Labs » A first look at Microsoft’s free Antivirus … [...]

]]> Comment on URLZone – a disaster waiting to happen by TrustDefender Labs » URLZone – a desaster waiting to happen (via postie) | Kantaas.Com http://www.trustdefender.com/blog/2009/10/08/urlzone-a-desaster-waiting-to-happen/comment-page-1/#comment-224 TrustDefender Labs » URLZone – a desaster waiting to happen (via postie) | Kantaas.Com Thu, 08 Oct 2009 17:47:45 +0000 http://www.trustdefender.com/blog/?p=227#comment-224 [...] TrustDefender Labs » URLZone – a desaster waiting to happen [...] [...] TrustDefender Labs » URLZone – a desaster waiting to happen [...]

]]> Comment on URLZone – a disaster waiting to happen by C http://www.trustdefender.com/blog/2009/10/08/urlzone-a-desaster-waiting-to-happen/comment-page-1/#comment-222 C Thu, 08 Oct 2009 14:56:55 +0000 http://www.trustdefender.com/blog/?p=227#comment-222 Two factor authentication at the online account level won't work, but maybe some kind 2 factor confirmation would. Just an idea, but maybe banks could implement a system that allowed users to set their own limit as to how much can be transferred out (something that isn't visible or accessible from their online account). Currently we see many banks have something like a $10,000 limit before a flag is raised. So the miscreants take out numerous $9,975 transactions as to not trip a wire and the transfers would go through without a hitch. There was one article I read where a company discovered what was happening and told the bank to disallow the transactions till they figured out what was going on... and several hours later the miscreants successfully took out more money! So let's say a business says they wanna set a limit/flag of $2,000. Any transaction beyond that $ ammount would require the bank to send a notice requiring confirmation that the transaction is in fact legitimate. The confirmation could be as automated as email. They could call by phone or send use SMS messages. Miscreants wouldn't know the $2,000 flag and hopefully they haven't also comprised the users phone or email (phone far less likely than email). Further, if a number of transactions are attempted in a certain time period, the bank could make a personal call to the account holder to further ensure an attacker isn't attempting something fishy. Botnets are also tend to be coded with large scope in mind so catering to individual comprised accounts would take a lot more work. And if there is one thing we know, these guys go for low hanging fruit. Problems with this? Larger accounts may make a lot more transactions. But honestly, those aren't the targets. Small to midsize businesses are. And they should have an idea of the kinds of flags that need to be set to offer a good balance of convenience and security. Banks also won't want to implement this system as it would take time and money. But that's because they try to (and in most cases do) stick the business with loss. Maybe some are working on a system like this? I wouldn't bet money on it personally. It will affect them in the long run though, if banks customers are losing all their money, then the bank is technically losing money too. They gotta invest with something after all. So that was really long comment there. I'm gonna get back to work now :) Great post by TrustDefender as always! Two factor authentication at the online account level won’t work, but maybe some kind 2 factor confirmation would.

Just an idea, but maybe banks could implement a system that allowed users to set their own limit as to how much can be transferred out (something that isn’t visible or accessible from their online account). Currently we see many banks have something like a $10,000 limit before a flag is raised. So the miscreants take out numerous $9,975 transactions as to not trip a wire and the transfers would go through without a hitch. There was one article I read where a company discovered what was happening and told the bank to disallow the transactions till they figured out what was going on… and several hours later the miscreants successfully took out more money!

So let’s say a business says they wanna set a limit/flag of $2,000. Any transaction beyond that $ ammount would require the bank to send a notice requiring confirmation that the transaction is in fact legitimate. The confirmation could be as automated as email. They could call by phone or send use SMS messages. Miscreants wouldn’t know the $2,000 flag and hopefully they haven’t also comprised the users phone or email (phone far less likely than email). Further, if a number of transactions are attempted in a certain time period, the bank could make a personal call to the account holder to further ensure an attacker isn’t attempting something fishy.

Botnets are also tend to be coded with large scope in mind so catering to individual comprised accounts would take a lot more work. And if there is one thing we know, these guys go for low hanging fruit.

Problems with this? Larger accounts may make a lot more transactions. But honestly, those aren’t the targets. Small to midsize businesses are. And they should have an idea of the kinds of flags that need to be set to offer a good balance of convenience and security.

Banks also won’t want to implement this system as it would take time and money. But that’s because they try to (and in most cases do) stick the business with loss. Maybe some are working on a system like this? I wouldn’t bet money on it personally. It will affect them in the long run though, if banks customers are losing all their money, then the bank is technically losing money too. They gotta invest with something after all.

So that was really long comment there. I’m gonna get back to work now :) Great post by TrustDefender as always!

]]> Comment on In-depth analysis of Mebroot/Torpig trojan available by Paul Braga http://www.trustdefender.com/blog/2009/07/14/in-depth-analysis-of-mebroottorpig-trojan-available/comment-page-1/#comment-220 Paul Braga Sun, 04 Oct 2009 23:40:51 +0000 http://www.trustdefender.com/blog/?p=190#comment-220 I'm an IT Consultant/VAR and Calif licensed PI, and am very interested in security issues. Saw the googletechtalk in which Richard Kemmerer talked about the research project at UC Berkeley that took over a botnet. He talked about mebroot and torpig and their finding over 300 fake bank login pages for phishing. I would very much appreciate receiving the analysis of mebroot/torpig. A client that has PCI compliance requirements has said they'll worry about it if anything happens. It's a difficult situation and I'd like to make the case for why this is such risky approach. regards, Paul I’m an IT Consultant/VAR and Calif licensed PI, and am very interested in security issues. Saw the googletechtalk in which Richard Kemmerer talked about the research project at UC Berkeley that took over a botnet. He talked about mebroot and torpig and their finding over 300 fake bank login pages for phishing.

I would very much appreciate receiving the analysis of mebroot/torpig.

A client that has PCI compliance requirements has said they’ll worry about it if anything happens. It’s a difficult situation and I’d like to make the case for why this is such risky approach.

regards,

Paul

]]>