Tag: malware

In our previous article we described a new VB malware, named VBKlip by us, that was replacing a Bank Account Number that was copied to the Windows clipboard. In order to check whether your computer is infected you have to just simply copy a correct Bank Account Number (e.g.

) and paste it into the text editor (e.g. Microsoft Word or Notepad) and compare the pasted number with the copied one. If they are different then your machine is most probably infected with the described malware strain.
Read more

At the start of October we started receiving reports of propagation of a new strain of unusual malware. This malware was dedicated for Polish online banking users and implemented a technique new to our market. We received a sample of this malicious software, written in Visual Basic 6. It used a fairly simple mechanism in order to steal money: whenever a user copied a text that contained a bank account number to the clipboard it switched that account number to a new one. This account was of course controlled by the cybercriminals.
Read more

CERT Polska has created a technical report about a KINS/PowerZeus infection affecting Polish online banking users. In July 2013 we obtained information about an attack on Polish online banking users. This attack utilized a new strain of malware, which had similar abilities to the previously described ZeuS family, e.g. changing a page’s content on-the-fly. The malware version described here stole user credentials, when the user logged into the online banking site. Because of the fact that some online banking systems in Poland use text messages based on One Time Passwords, cybercriminals found a way to also steal them. When a user enters credentials it displays a message, supposedly from the bank, that she has to install a special Android application in order to make her transactions more secure. As a result the malware controls both the phone and user machine and the botmasters are able to issue a wire transfer. This report contains details about that operation, technical description of both malware samples, dedicated for Windows and Android, and recommendations for users
Read more

During the summer holidays we observed an increased infection rate of ransomware. We mentioned this type of malware a few times already in the past (here is a description of similar malware and here is information detailing how to remove it from your computer). CERT Polska was able to acquire three samples of this malware from three different sources. In every case we were able to determine the infection vector. Most probably, all of the three samples were created by the same group of cybercriminals. One of the samples came from a hacked .gov.pl website in collaboration with CERT.GOV.PL, second sample was from a hacked website in .eu domain and the last sample was from a malicious advertisement from a .pl website. A case of malware on the governmental website was also a subject of our previous blog post.
Read more

On 30th of July, 2013 NASK terminate its agreement with a registrar, Domain Silver, Inc. We described the reason for that decision in a detailed technical report. Today we publish an updated version of the report with our sinkhole statistics. These statistics were made from 20 different botnets sinkholed by our servers. All of them used domains registered through Domain Silver, Inc. These are not all of the botnets that used Domain Silver as the registrar, but only ones that were sinkholed as of 23rd of July 2013. The botnet malware included ZeuS ICE IX, Citadel, Andromeda/Gamarue and Dorkbot/NgrBot. Among them is also the Citadel plitfi botnet, the takedown of which we described previously in a detailed report. Highlights from the gathered data are:
Read more

Today we publish an overview of domains registered through Domain Silver, Inc, a registrar operating in the .pl domain. This Registrar started operating in May 2012. Since that time, the CERT Polska team started to observe a large increase in the amount of malicious domains registered in .pl and to receive many complaints concerning domains registered through Domain Silver. Most of the malicious domains present in the .pl were registered through Domain Silver. In May 2013, dozens of domains used for botnet C&C purpose were seized and sinkholed by NASK and CERT Polska. Following further unsuccessful attempts to remedy the situation, NASK (the .pl ccTLD registry) decided to terminate its agreement with the Registrar. In the following sections of the document we explain what the malicious domains registered were used for (as of 9th July 2013), what botnets used the domains and why they posed a threat to the Internet community.
Read more

Recently we blogged about a new threat to Polish e-banking users called “E-Security”. When a user, whose machine was infected, tried to access her internet banking site she was greeted with a message that instructed her to install “E-Security Certificate” application on her Android phone. This “certificate” was nothing more than a malware capable of forwarding short messages to the attacker. As the attacker had a login, password to the banking transaction system (this is because initially the user machine had to be infected) and could access the SMS one time password it was easily possibly for the attacker to initialize an unauthorized wire transfer from the victim’s account.

We then speculated about the other possible C&C communication channel. Instead of sending short messages via SMS, the malware could send all the messages using the HTTP protocol to a C&C server. This article presents a history of this malware that we were able to recover based on 10 different samples that claimed were four different versions. All of the samples were created for the Android platform.

Read more

At the beginning of 2012, we wrote about the emergence of a new version of ZeuS called ZeuS-P2P or Gameover. It utilizes a P2P (Peer-to-Peer) network topology to communicate with a hidden C&C center.This malware is still active and it has been monitored and investigated by CERT Polska for more than a year. In the second half of 2012, it directly affected the Polish users, namely that of internet banking.
Read more

CERT Polska and CERT.GOV.PL recently discovered a website in the gov.pl domain that has been a part of malware campaign at least since the beginning of May 2013. The page contained a JavaScript code that added a hidden iframe which redirected to the exploit kit. Next, with the help of “Smoke Loader”, two binaries containing malware were downloaded. The first binary was a FakeAV software, which forced the user to buy a “full version” with the promise that it will remove all of the imaginary problems with her machine. The second binary contained a Kryptik trojan, which steals information from a large variety of FTP, SSH and WWW clients. It also steals SSL certificates used to sign code and performs a dictionary attack on the current logged user account. Both of them contain various techniques which are meant to prevent disassembly and debugging.
Read more

Recently, we obtained a new Android malware sample, which is targeting Polish e-banking users. The application is called “E-Security” and its filename is

. It also has a security-related icon shown on the left. The malware is relatively simple, but effective at achieving its goals. It allows an attacker to redirect text messages containing one-time passwords from the victim’s phone. The application itself consists of only one screen informing users (in Polish) that the level of e-banking security has been heightened and certain actions are required …
Read more