VJ: Strom Trojan
"I write for the same reason I breathe. If I didn't, I would die."
Sir Isaac Asimov



Showing posts with label Strom Trojan. Show all posts

Tuesday, November 20, 2007

eBay Web attack using custom-built botnet | eBay users "ALERT"

Seeding genuine web sites with malware is nothing new, but the practice has been gathering steam this year. The site was compromised through SQL injection vulnerabilities, and IFrame attack code was then inserted.

Yet another sophisticated Web-based attack against eBay and its users is being investigated by a Tel Aviv-based security vendor that discovered a similar attack two months ago involving a custom-made bot designed to steal accounts. Ofer Elzam, Aladdin Knowledge Systems’ director of product management, says his firm has determined in the last few days that at least two Web sites, one called Save Our Planet and another called Nova Radio, appear to have been compromised with malicious code that combines to launch an attack against a site visitor.

Aladdin Knowledge Systems Ltd. (NASDAQ: ALDN) announced that the Aladdin eSafe Content Security Response Team (CSRT) has uncovered significant new details surrounding the eBay botnet attack it first discovered on September 6, 2007. The attack, which is one of the first of its kind to employ extremely complex, multi-stage attack methods, performs a distributed and covert brute force attack on eBay accounts in an effort to obtain personal information and/or items sold/purchased via the eBay site. Two new details provided by the Aladdin eSafe CSRT were made available this afternoon:

The goal of the re-attack today is to combine code to break in through the browser to the victim’s desktop and install a Trojan that collects eBay user account information, if any is found, and connects to eBay to use that account information to commit fraud. “There are a chain of sites that work together,” says Elzam. “One Web page uses a trick with JavaScript to open a size-zero window, which takes content from a third-party site.” Elzam says Aladdin hasn’t yet been able to reach the operators of the Save Our Planet and Nova Radio sites, and notes that forty more Web sites may be tied to this attack, which is very fluid and changing, but it has been in touch with eBay.
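A defender-side check for the injected-frame pattern described above, added here as an example (not code from Aladdin, eBay or the original post): it scans a page's served HTML for iframes that are hidden or zero-sized and load from a host other than the page's own. The function names, the allow-list parameter and the sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

ZERO = re.compile(r"^\s*0+(px|%)?\s*$", re.I)  # "0", "0px", "0%"

def _is_hidden(attrs):
    """True if the frame is zero-sized or hidden via attributes or inline style."""
    if any(ZERO.match(attrs.get(k) or "x") for k in ("width", "height")):
        return True
    style = {}
    for decl in (attrs.get("style") or "").split(";"):
        name, _, value = decl.partition(":")
        style[name.strip().lower()] = value.strip().lower()
    return (style.get("display") == "none" or style.get("visibility") == "hidden"
            or any(ZERO.match(style.get(k, "x")) for k in ("width", "height")))

class FrameAuditor(HTMLParser):
    def __init__(self, page_url, allowed_hosts=()):
        super().__init__()
        self.page_url = page_url
        # Hosts allowed to serve frames: the page's own host plus an allow-list.
        self.trusted = {urlparse(page_url).hostname, *allowed_hosts}
        self.findings = []  # (line number, resolved frame URL)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame"):
            return
        a = dict(attrs)
        src = urljoin(self.page_url, a.get("src") or "")
        host = urlparse(src).hostname
        if host and host not in self.trusted and _is_hidden(a):
            self.findings.append((self.getpos()[0], src))

def audit(html, page_url, allowed_hosts=()):
    parser = FrameAuditor(page_url, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

PAGE = "http://radio.example/index.html"  # constructed sample, not a real site
SAMPLE = """<html><body>
<h1>Community radio</h1>
<iframe src="/player.html" width="300" height="80"></iframe>
<iframe src="http://stats.example.net/in.php" width="0" height="0"></iframe>
<iframe src="//cdn.example.org/w.html" style="display:none"></iframe>
<iframe src="http://video.example.com/embed" width="560" height="315"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, src in audit(SAMPLE, PAGE):
        print(f"line {line}: hidden third-party frame -> {src}")
```

A static scan like this only sees frames present in the markup as served; frames written into the page by script at run time need a rendered-DOM check or a comparison against a known-good copy of the page.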

Thursday, November 15, 2007

“Storm Trojan” Illustrated | Security Response Lab | Cyber Cops from Symantec

Cyber crime never sleeps — so the crime-busters have to work round-the-clock too. Which is why U.S.-based Net security leader Symantec, best known for the Norton anti-virus products, has just set up in Pune, its first "24 x 7" Security Response Lab. It is equipped to keep tabs on the world's Internet traffic, monitoring 40,000 of its own sensors buried in cyberspace, across 180 countries, tracking 150 million anti-virus systems — and sending two million dummy e-mails to test the Web's defences.

The lab work is done in four shifts by Indian security specialists or Cyber cops, backed by Symantec's 2000-strong India-based development muscle.

Why Pune? "Because of the strong security expertise and programming skills available in India," explains Anil Chakravarthy, vice-president for India Technical Operations. "We have groups here who are experts in anti-fraud operations," says Vincent Weafer, Symantec's U.S.-based Senior Director (Global Operations).

In fact, Pune engineers have filed four global patents in recent months in the area of Net security. And Vishal Dhupar, Symantec India's Managing Director, feels: "The India-based Security Response Lab is a major contributor to our global response to Net threats — and will also help us track the security landscape in the country from a global vantage point."

The Pune Centre will work in tandem with response labs in seven other locations spread across North America, Europe and the Far East as they try and neutralise viruses, spam (unsolicited mail), phishing (trying to steal sensitive information) and 'bots' (robot-like invaders into unsuspecting computers)... often within minutes of the threats appearing.

The Pune lab is the only one that works 24 hours, 365 days of the year.
Symantec illustrates the "Storm Trojan" findings at the following link:
http://www.symantec.com/content/en/us/home_homeoffice/media/flash/peacomm.html

The threat searches for some particular hashes (searches are done by hash, not by specific filename) and eventually it receives a reply that includes some 'meta tag' information. The meta tag information is encrypted and contains information on where/what to download (e.g. Mixor.Q, Trojan.Abwiz.F).