Hi all,
I just spent about 4 days dehacking a site. It had, roughly 2000 viruses (thank you RBN) - it was attempting to infect anyone who came by. This same virus hit several (very large companies).
Funny thing is, its an old attack. Circa 2004. The attack has an effect on unpatched systems.
I dug in deeper and found other nasty viruses sitting in the email (for a long time). We cleaned it all out and the system became reinfected overnight. We started over - assessment? root kit.
My client moved to a new host, we used JoomlaCloner to move it (after we cleaned it again... ugh) and as of time of writing its up and running.
Why is this important? Because the same "Russian Business Network" who is potentially responsible for 50% of the phishing scam sites and likely were the destination for my clients hijack, are at it again. I read this today and felt it was worth sharing:
FORD, MA - April 21, 2008
------------------------------------------------------------------------------------------------
Source:
http://www.emc.com/about/news/press/2008/20080421-02.htm
RSA, The Security Division of EMC (NYSE: EMC), has uncovered a new technique that combines phishing and Zeus Trojan attacks to steal personal information and spread financial crimeware.
Discovery Details
* The RSASM Anti-Fraud Command Center (AFCC) recently uncovered a new series of attacks from the Rock Phish group, launched in order to infect unsuspecting users with financial crimeware.
* The Rock Phish group is a set of criminals believed to be based in Europe who have been targeting financial institutions worldwide since 2004.
* Rock Phish attacks are estimated to account for more than 50% of phishing attacks world-wide and to be responsible for the theft of tens of millions of dollars from users' bank accounts. However, until now, the group has not deployed financial crimeware as part of its attack methodology.
* The new Rock Phish attacks combine both phishing techniques and crimeware. Victims of these phishing attacks not only have their personal data stolen – but they are then also infected with the Zeus Trojan. Once infected, the Trojan is capable of stealing additional information, such as personal data transmitted while interacting with other websites.
Mitigation
* The attacks were detected by the RSA 24x7 Anti-Fraud Command Center with support from security analysts that work on RSA's FraudAction Anti-Trojan Service team. This experienced team of fraud analysts works to detect and qualify phishing sites, shut them down, deploy countermeasures, and conduct extensive forensic work to catch fraudsters and prevent future attacks.
* The team's phishing forensics expertise enabled the AFCC to trace the malware infection resources within these attacks. RSA's FraudAction Anti-Trojan Service analysts are very familiar with the Zeus Trojan: they closely track the distribution of this Trojan, and are often able to identify the propagation of Zeus variants before they are detected by most anti-virus software tools.
* The RSA Anti-Trojan Service mitigates Trojan threats by tackling the Trojan's communication channels – including its infection, drop and ‘command & control' points – and the AFCC works to block the drop-zones. In this way, even if a user has already been infected with the Zeus Trojan, the Trojan will be unable to communicate with its drop-zone, rendering the attack much less effective.
* In addition, the source of the Zeus infection will be traced and shut down by the AFCC, and will not be usable in future phishing attacks.
* So far, RSA's FraudAction Anti-Trojan Service has detected more than 150 variants of the Zeus Trojan targeting customers of financial institutions and other organizations worldwide.
--------------------------------------------------------------------------------------------------
What's the moral of this post? PATCH YOUR SYSTEMS.
In my next post, I'll be sharing details of my summer scheduled publication of my new book Joomla! Website Security (title to be determined). Its being published by Packt and hopefully be available before the August sun burns up my lawn!
Tom Canavan
JoomlaRescue.com
Favoured: 0
