ZeusiLeaks Archives File 002: Alarm Bells

The holidays are over and it’s time for the second file plucked from the ZeusiLeaks Archives! If you missed the first one, it’s here.

Quick reminder:

WikiLeaks, the largest leak of data the world has seen? Nonsense! Trojans like Zeus lurk on millions of personal, corporate and government PCs, stealing data 24 by 7. Everything you do online – either private or work related – is sent to a mothership half across the globe.

So… Get ready to the next instalment of mind boggling discovery!

***

Lets say you want to back up your important documents and files. Your entire PC, for that matter. It’s a few gigabytes, so it can fit a DVD or one of those portable high-volume disk drives. Then you stuff the disk in a deep drawer so your kids won’t find it and use it as a Frisbee. And then if the documents are really important, you can regularly update the backup.

Which is a bit of work. So how about cloud based backup service?

Cloud based is a savvy word for Internet based. The idea is for you to do your backup online, and should a lightning bolt fry your PC, or your laptop fall into a lave spitting volcano, no worries! User name, password – and you can download all your lost files into a new PC.

Now, what happens if your PC has a Trojan? Well, if the Cybercriminals operating the Trojan find you interesting, they now have full access into your files and documents.

Have a look at the (censored) screenshot attached; it’s a user logging into a cloud based backup service. There’s a Trojan that logged in the sessions’ information. Lets read it: first you can see the Trojan type, Zeus, and the hash of that Trojan. A Hash is a bit like a signature: if we run this string against a Virus Checker such as VirusTotal we see that already 90% of Anti Virus companies have a signature against it.

The next few fields are the hijacked PC name, followed by the website the user logs into (in this case it’s the the name of the cloud based service), timestamp (just before last Christmas), and IP address in the US.

At the bottom you can see the stolen credentials: user name and password. With these I can log into the site and request the backed up files.

Hey, Uri, you skipped a line. There’s also something called “user input”. What’s this all about?

Aha.

The very early Trojans were simple keyloggers. They just grabbed whatever the user was typing. But keylogging isn’t very useful: once collected it’s hard to parse, and banks came up with all sorts of virtual keypads to prevent you from actually stroking any keys. Trojans developed far more useful ways to grab important data, which I won’t get into right now.

But keylogging still exists, and here’s a perfect example of why it may still be useful. In this particular example, as the user was typing his user name and password, he ALSO at the same time typed an email, or chatted with someone online. And the content of THAT conversation is even more interesting than the backup thingy.

“When you come into the house to enter the alarm clod on the keypad, you will put in the code as mentioned before. The keypad will read: System Armed 2. This is to indicate that the #2 system, Dan’s office and the garage are still armed, and that the #1 system, [censored name] house is unarmed.

Er… Right.

Yeah, you got it. Not only our merry fraudsters have full access to this victim’s PC; they can also neutralize the alarm code and break into his house.

Happy new year!

***

The public cloud. A vast, rapidly growing universe promising grand opportunities and unparalleled efficiencies. You probably use it already, or if not, you will soon.

But like any new world, exploring the public cloud is wrought with peril. There be dragons, monsters of the deep, lurking in darkness and praying on the innocent. Your public cloud service provider takes care of your business, but when it comes to security, it’s still nascent, undeveloped, and in many cases utterly exposed. First attempts are made: Google announcing SMS authentication for its popular Google Apps was indeed a giant leap forward, but still many cloud services authenticate you with just static passwords… And we all know what they are worth.

What happens when a Trojan steals your public cloud password? Do you value your data? Can taking over your cloud identity put you in trouble? Or do you want to demand stronger security from your public cloud provider?

Think about that while you’re browsing through the next WikiLeaks cable.