Pandemiya: Entirely new trojan quietly wheeled into black hat forums, ATM “Hacked” by 14-year School Children and Gameover for CryptoLocker

Pandemiya: Entirely new trojan quietly wheeled into black hat forums
Pandemiya is nasty: it can steal data from web forms, inject fake web pages into the victim’s browser and take screenshots, all of which it sends back to the botmasters who deploy it.

The trojan is modular and pervasive: it hooks the Windows CreateProcess API so that it is injected into every newly created process (CreateProcess is a Win32 process-creation function, not a registry function). Like other banking trojans, Pandemiya is foisted on machines through exploit kits and drive-by infections that target vulnerabilities in browser plugins such as Java, Silverlight and Flash.

ATM “Hacked” by 14-year School Children
Two fourteen-year-old boys were able to access an ATM’s administrator mode using nothing but the default password they found in an online manual.

Although they were not able to access personal details (such as individual account details) or withdraw money, the boys could see how much cash was in the machine, how many transactions it had handled and other “off-limits” information. As a warning, or a prank, they also changed the ATM’s welcome message from “Welcome to the BMO ATM” to “Go away. This ATM has been hacked.”

After finding the weakness in the ATM’s security, the boys reported their findings to the Bank of Montreal’s local branch. After initial scepticism, the branch manager acted on the information and reported the flaw to the bank’s security department. He even gave the kids a letter to explain why they would be late returning to class.

Fortunately, in this case the kids were not malicious and no information or cash was stolen, but it is an important reminder to us all never to leave default passwords unchanged. A vendor default that is printed in a publicly downloadable manual is shared by every unit of that model, so it offers no protection at all: it should be changed when the device is commissioned, and the administrator mode should not be reachable by anyone who can simply stand at the keypad.

Gameover for CryptoLocker
Today the U.S. Justice Department announced the successful takedown of the Gameover Zeus botnet, whose malware steals bank credentials and also acts as a distribution channel for other malware. One of the most well-known infections distributed by the Zeus botnet, or ZBOT, malware was the ransomware called CryptoLocker. Through the combined efforts of the FBI, international law enforcement counterparts and various private sector companies, the Gameover Zeus botnet was shut down, its servers were seized and one of its leaders, Evgeniy Mikhailovich Bogachev, was publicly named.

As was discovered back in September 2013, the main distribution method for CryptoLocker was ZBOT executables disguised as PDF files and mass emailed to company email addresses. These emails pretended to be from tax companies, FedEx, UPS, Xerox and other business-related organizations. Once a ZBOT attachment was opened, ZBOT would be installed and would eventually download and install CryptoLocker on the infected machine.
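The lure described above relies on an executable that looks like a PDF: a double extension such as “Invoice.pdf.exe”, a PDF icon, and often a .zip wrapper so the mail gateway sees an archive rather than an .exe. The following mail-gateway triage check is an added example written for this post, not code from the original article or from any of the companies involved in the takedown; the attachment names and the bytes it inspects are constructed test data (a stub MZ header, a minimal PDF header), not real samples, and the extension list and size cap are illustrative choices.

```python
"""Flag email attachments that claim to be PDFs but are really Windows executables.

Added example for triaging ZBOT-style lures: double extensions, extension/content
mismatches, and executables hidden inside zip attachments.
"""
import io
import zipfile
from dataclasses import dataclass

PDF_MAGIC = b"%PDF-"          # every well-formed PDF starts with this
PE_MAGIC = b"MZ"              # DOS/PE image header
ZIP_MAGIC = b"PK\x03\x04"     # local file header of a zip archive
# Illustrative list of extensions Windows will execute directly (assumption, extend as needed).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # never inflate a zip member larger than this (zip-bomb guard)
MAX_ZIP_DEPTH = 2                    # zip-in-zip nesting we are willing to follow


@dataclass
class Finding:
    name: str    # attachment name; zip members are reported as "container!member"
    reason: str


def _extensions(name: str) -> list[str]:
    """All extensions of a filename, lower-cased: 'Invoice.PDF.exe' -> ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1]
    return ["." + part for part in base.lower().split(".")[1:]]


def inspect_attachment(name: str, data: bytes, depth: int = 0, container: str = "") -> list[Finding]:
    """Return every reason this attachment (and anything nested in it) looks like a disguised executable."""
    label = f"{container}!{name}" if container else name
    exts = _extensions(name)
    findings: list[Finding] = []

    # Double extension: the user sees "something.pdf" but Windows runs the final .exe.
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTENSIONS:
        findings.append(Finding(label, f"double extension {''.join(exts)} hides an executable"))

    # Extension/content mismatch: the name promises a PDF, the bytes say otherwise.
    if exts and exts[-1] == ".pdf":
        if data.startswith(PE_MAGIC):
            findings.append(Finding(label, "named .pdf but content is a Windows executable (MZ header)"))
        elif not data.startswith(PDF_MAGIC):
            findings.append(Finding(label, "named .pdf but content does not start with %PDF-"))

    # Zip container: the lure is often "Invoice.zip" wrapping the .pdf.exe, so look inside.
    if data.startswith(ZIP_MAGIC) and depth < MAX_ZIP_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append(Finding(f"{label}!{info.filename}",
                                                "member too large to inspect safely; quarantine"))
                        continue
                    findings.extend(inspect_attachment(info.filename, zf.read(info), depth + 1, label))
        except zipfile.BadZipFile:
            findings.append(Finding(label, "zip header present but archive is corrupt or truncated"))
    return findings


def triage(attachments: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each top-level attachment to the reasons it was flagged (empty list means clean)."""
    return {name: [f"{f.name}: {f.reason}" for f in inspect_attachment(name, data)]
            for name, data in attachments.items()}


def build_sample_attachments() -> dict[str, bytes]:
    """Constructed inputs for demonstration only: a stub PE image, a minimal PDF, a zipped lure."""
    fake_pe = PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 64
    fake_pdf = PDF_MAGIC + b"1.4\n1 0 obj\n<<>>\nendobj\n%%EOF\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2013.pdf.exe", fake_pe)   # the classic ZBOT lure layout
    return {
        "Invoice_2013.zip": buf.getvalue(),   # zipped double-extension executable
        "statement.pdf": fake_pe,             # PE renamed to .pdf
        "report.pdf": fake_pdf,               # genuine-looking PDF, should pass
    }


if __name__ == "__main__":
    for attachment, reasons in triage(build_sample_attachments()).items():
        print(attachment, "-> FLAGGED" if reasons else "-> CLEAN")
        for reason in reasons:
            print("   ", reason)
```

This is a triage filter, not a verdict: it catches the specific trick the CryptoLocker campaign used (a PE with a .pdf name, usually zipped), but a dropper shipped as a macro document, a RAR or 7z archive, or a password-protected zip would pass through it and needs a separate check. Note also that a well-formed PDF header does not prove the file is safe; exploit documents start with %PDF- too.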

All in all, there is no doubt that this was a hugely successful operation and one that benefits everyone who uses a computer, but is it really the end of CryptoLocker? Furthermore, are the creators of the Zeus botnet and CryptoLocker one and the same? What we do know is that McAfee, one of the companies involved with the takedown, prematurely published a blog post about Operation Tovar before it was officially announced. The post was public only briefly before it was taken down, but that may have been enough time to tip off the Gameover or CryptoLocker developers: the CryptoLocker Decryption Service page was replaced with the simple message “stupid mcafee”. That page is no longer accessible and now returns a “Bad Gateway” error.

For now, more information about Operation Tovar can be found in the official United States Department of Justice complaint, their press release, and other court documents regarding Operation Tovar.
