Thread: Russian Gang Hijacking PCs in Vast Scheme

  1. #1
    Jim Higgins Guest

    Russian Gang Hijacking PCs in Vast Scheme

    Russian Gang Hijacking PCs in Vast Scheme
    http://************/627v5j

    A criminal gang is using software tools normally reserved for computer
    network administrators to infect thousands of PCs in corporate and
    government networks with programs that steal passwords and other
    information, a security researcher has found.

    The new form of attack indicates that little progress has been made in
    defusing the threat of botnets, networks of infected computers that
    criminals use to send spam, steal passwords and do other forms of
    damage, according to computer security investigators.

    Several security experts say that although attacks against network
    administrators are not new, the systematic use of administrative
    software to spread malicious software has not been widely seen until now.

    The gang was identified publicly in May by Joe Stewart, director of
    malware research at SecureWorks, a computer security firm in Atlanta.
    Mr. Stewart, who has determined that the gang is based in Russia, was
    able to locate a central program controlling as many as 100,000 infected
    computers across the Internet. The program was running at a commercial
    Internet hosting computer center in Wisconsin.

    Mr. Stewart alerted a federal law enforcement agency that he declined to
    identify, and he said that it was investigating the matter. Although the
    original command program was shut down, the gang immediately
    reconstituted the system, he said, moving the control program to another
    computer in the Ukraine, beyond the reach of law enforcement in the
    United States.

    The system infects PCs with a program known as Coreflood that records
    keystrokes and steals other information. The network of infected
    computers collected as much as 500 gigabytes of data in a little more
    than a year and sent it back to the Wisconsin computer center, Mr.
    Stewart said.

    One of the unique aspects of the malicious software is that it captures
    screen information in addition to passwords, according to Mark Seiden, a
    veteran computer security engineer. That makes it possible for gang
    members to see information like bank balances without having to log in
    to stolen accounts.

    Mr. Stewart’s discoveries are evidence that while the botnet problem is
    now well understood, botnets are still a widespread threat.

    “The rate of infection is still high, but concern among corporations is
    low,” said Rick Wesson, a botnet investigator at Support Intelligence, a
    security consulting firm in San Francisco. “Many corporations seem to
    think it’s O.K. to be infected several times a month.”

    Mr. Stewart and other computer security investigators have previously
    described the activities of the gang that uses the Coreflood program.
    But Mr. Stewart plans to offer new details about the gang, which has
    operated with impunity for several years, at the Black Hat Briefings
    computer security conference that begins Thursday in Las Vegas.

    As part of his investigation, Mr. Stewart charted the rate of computer
    infections at a state police agency and a large hotel chain. Both were
    victims of an outbreak that began after the gang obtained the password
    and login information of their network administrators. In both cases
    hundreds or thousands of computers were infected within minutes or hours.

    Mr. Stewart would not name the organizations because of the continuing
    law enforcement investigation.

    In these examples as well as a range of others, the gang infected a
    machine belonging to an administrator and then used Microsoft
    administrative tools to infect all the computers for which that person
    had responsibility, Mr. Stewart said.

    The new attack is a byproduct of the way modern computer networks are
    administered, where authority is centralized and software updates for
    thousands of machines are automated.

    “The great thing about this system is that from one computer it is
    possible to push out updates to all machines in a corporate network at
    once,” Mr. Stewart said. “This is a useful tool that Microsoft has
    provided. However, the bad guys said, ‘We’ll just use it to roll out our
    Trojan to every machine in the network.’ ”

    A Microsoft spokesman declined to comment on the attacks.

    Mr. Stewart said that the gang behind the Coreflood program was
    responsible for 378,000 infections over 16 months. In each case the
    infected computer would capture and transmit personal information to a
    centralized database that kept track of the “spies” in the network.

    In his Black Hat presentation, Mr. Stewart plans to say that he believes
    the Russian gang was behind a successful theft of money from the bank
    account of a Miami businessman, Joe Lopez.

    In April 2004, someone made an unauthorized wire transfer of $90,348
    from Mr. Lopez’s account with Bank of America to Parex Bank in Riga,
    Latvia. Of that amount, $20,000 was successfully withdrawn by a person
    using a false identity. The Coreflood program was found on Mr. Lopez’s
    computer.

    After discovering the control program in Wisconsin, Mr. Stewart tracked
    the online activities of some gang members in a Russian city that he
    declined to identify because of the investigation.

    He said translations of some entries on the blogging site LiveJournal
    had led him to believe that one member of the gang had died, but that
    others remained active. He said that he had provided investigators with
    a wealth of information about the group from members’ online discussions
    and other material he had collected.

    “If the Russians are sincerely interested in tracking these guys down, I
    think it’s possible,” he said.

    --
    Civis Romanus Sum

  2. #2
    David H. Lipman Guest

    Re: Russian Gang Hijacking PCs in Vast Scheme

    From: "Jim Higgins" <gordian238@hotmail.com>

    | Russian Gang Hijacking PCs in Vast Scheme
    | http://************/627v5j

    | A criminal gang is using software tools normally reserved for computer
    | network administrators to infect thousands of PCs in corporate and
    | government networks with programs that steal passwords and other
    | information, a security researcher has found.

    < snip >

    This Russian "criminal gang" is the Russian Business Network (RBN).
    http://blog.threatfire.com/2008/06/t...shellcode.html

    http://en.wikipedia.org/wiki/Russian_Business_Network

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
