Posted on 08/11/2010 12:01:11 PM PDT by Swordmaker
The botnet is spreading a very hard-to-detect Trojan plug-in for Internet Explorer... that empties UK bank accounts at a specific bank. It leaves approximately $50 equivalent in the account, but when a victim checks his account online, it puts up a FAKE page showing all the money is still in the account.
New Sophisticated Trojan, Which Is Undetectable, Has Emptied Bank Accounts Worldwide
by Nicholas Deleon on August 11, 2010
Hold onto your hats. A new version of the Zeus trojan, called Zeus3, has wreaked havoc on thousands of bank accounts worldwide, stealing just over $1 million. The best part? There's pretty much no way to detect the trojan if it's on your system. Hooray for humanity, right?
The trojan first popped up last month, and has drained more than 3,000 bank accounts.
M86 Security, the first group to discover the trojan, says:
We've never seen such a sophisticated and dangerous threat. Always check your balance and have a good idea of what it is.
The last thing you want to do is hear a bank account-draining sophisticated trojan.
Oh, it only affects Windows systems. But you knew that already.
The scariest part is that the trojan, after clearing out your bank account, serves up a fake bank statement page. It looks like you have all of your money, but you actually have $50 left in your entire account.
Again, no current anti-malware software can detect the trojan, so for the time being you're on your own.
I suggest we all stop using the Internet to be safe. An overreaction? Yes, obviously, but this actually sounds like a nasty bit of malware.
Beware!
If you want on or off the Mac Ping List, Freepmail me.
There is little in the analysis by M86 that leads me to believe that this attack would not work on OS X:
http://www.m86security.com/documents/pdfs/security_labs/cybercriminals_target_online_banking.pdf
A big piece of this attack is social engineering. Apparently, the British are a very gullible people.
But then again, we knew that already.
A good reminder to people that a virtual machine is still a machine that can get infected like any other Windows installation. The host doesn’t automatically put up some magic protection for the VM, and being on Mac hardware doesn’t magically protect Windows running in Boot Camp.
Plus, with the host/client integration these days, and since OS X can now natively read Boot Camp partitions, VMs could become an unexpected vector for stuff that can harm your Mac.
I think the key thing here is NOT to use your virtual Windows installation on your Mac for ANYTHING that interfaces with the Internet... do that from the Mac OSX side. Keep the Windows sandboxed, protected from harmful malware.
"In this case, the cybercriminals used the Eleonore Exploit Kit 1.4.1, which M86 Security Labs experts researched a year ago and continue to update regularly." Eleonore Exploit Kit takes advantage of several vulnerabilities that have remained unpatched in Internet Explorer, Adobe Reader, and Java. But it starts with the vulnerability in IE. It DOES require the user to download and execute the file to be infected, though, so it is a TROJAN.
That's an excellent idea. How do you do that? I want it to work like my 2nd internal hard drive which is used for storage only. I suppose a virus could hop over if I save something infected off the web to it, but I NEVER load ANY apps on my 2nd internal hd.
I'm waiting to be able to afford Win 7 because the lady at apple thought it would be better than running all the XP updates since I got my pc in 2003. I hope it is compatible with my current Win only apps.
If I can button up the Win side of the Mac, I won't have to worry about AV, a bonus.
Exactly why I think this attack would work on OS X. It requires a browser vuln and social engineering.
Both Safari and Mozilla have vulnerabilities that could be exploited. The exploit depends more on Javascript than anything else, and that’s why (once again) I tell people that Javascript is a huge security issue, only slightly less than ActiveX.
For many financial applications, this is not an option.
The problem herein for Mac users is that too much financial s/w is not being ported to the Mac, which is why they’re running goddamned Windows in a VM in the first place.
This sounds like an inside job, at least in part.
- Only one bank affected
- This wasn’t a simple username & password stealing Trojan. The C&C server supplied the bots with valid, appropriate Java transactions to be posted against the bank’s site in real-time. There was no guesswork in what was necessary to be sent for the desired result.
- The bank recently sacked two senior programmers - “Michael Bolton” and “Zamir Naga, Nag-, Naga-, NaGonnaWorkHereAnymore”
A while back some lady in the US not only got suckered by a 419 scam, but since she was a city employee she used city funds to pay the scammer, expecting to get it all back and more so nobody would be the wiser. Gullibility knows no borders.
Sometimes you need it to do that, especially for updates. But there are things you can do to cut your exposure. I definitely don't do any regular surfing through the VMs.
Is the bank missing a printer?
Someone took my stapler.
Time to unplug the cat5. ;’)
> That's an excellent idea. How do you do that?
The way I do it is by setting the Win guest VM's "network" settings to "Private network with host". That is, the VM sees a network, but the only other machine on it is the Mac. That way I can transfer files and whatnot, but without exposing the VM to the internet.
When I need to run Windows updates, I switch the setting to "NAT" so that the VM can see the internet during the update process. Then I switch it back to "Private".
Piece of cake. I'm using VMware Fusion on the Mac, BTW.
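The poster above flips the guest between "Private network with host" and "NAT" in the Fusion GUI. For people who would rather script the same toggle, here is an added example (not the poster's method or VMware's tooling): a POSIX shell function that edits the guest's .vmx file directly. It assumes the key VMware Fusion writes for that setting, `ethernet0.connectionType`, with the values `hostonly` (the GUI's "Private network with host") and `nat`; the sample .vmx content is constructed here and is not a real VM. Edit the .vmx only while the VM is powered off, since Fusion rewrites the file on shutdown.

```shell
#!/bin/sh
# Added example: toggle a VMware Fusion guest's first NIC between host-only
# and NAT by editing its .vmx file. Assumes the key ethernet0.connectionType
# (values hostonly | nat | bridged), which is what Fusion stores for the
# network setting. Run only while the VM is powered off.

set_vm_network() {
    vmx="$1"
    mode="$2"
    # Refuse anything but the two modes we want to switch between; in
    # particular never allow "bridged", which would put the guest on the LAN.
    case "$mode" in
        hostonly|nat) ;;
        *) echo "set_vm_network: mode must be hostonly or nat, got '$mode'" >&2; return 2 ;;
    esac
    [ -f "$vmx" ] || { echo "set_vm_network: no such file: $vmx" >&2; return 2; }
    if grep -q '^ethernet0\.connectionType' "$vmx"; then
        # -i.bak works with both BSD (macOS) and GNU sed.
        sed -i.bak "s/^ethernet0\.connectionType.*/ethernet0.connectionType = \"$mode\"/" "$vmx"
        rm -f "$vmx.bak"
    else
        printf 'ethernet0.connectionType = "%s"\n' "$mode" >> "$vmx"
    fi
}

# Print the current mode of the first NIC (empty if the key is absent).
get_vm_network() {
    sed -n 's/^ethernet0\.connectionType = "\(.*\)"/\1/p' "$1"
}

# Stand-alone demo on a constructed .vmx fragment (not a real VM).
demo() {
    tmp=$(mktemp -d)
    vmx="$tmp/Windows.vmx"
    printf '.encoding = "UTF-8"\nethernet0.present = "TRUE"\nethernet0.connectionType = "nat"\n' > "$vmx"
    echo "before: $(get_vm_network "$vmx")"
    set_vm_network "$vmx" hostonly      # isolate: guest sees only the host
    echo "isolated: $(get_vm_network "$vmx")"
    set_vm_network "$vmx" nat           # temporarily online for Windows Update
    echo "updating: $(get_vm_network "$vmx")"
    set_vm_network "$vmx" hostonly      # back to isolated
    echo "after: $(get_vm_network "$vmx")"
    rm -rf "$tmp"
}

demo
```

Usage against a real guest would be `set_vm_network ~/Virtual\ Machines.localized/Windows.vmwarevm/Windows.vmx hostonly` with the VM shut down, then `nat` only for the duration of the update run. The point of the guard in the `case` statement is that the only two states the script can produce are "host-only" and "NAT"; a typo cannot leave the guest bridged onto the LAN.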
Notice the common thread... “running Windows”.