How alleged crooks used ATM skimmers to compromise thousands of accounts

Federal authorities have charged two men suspected of running an international operation that used electronic devices planted at automatic teller machine locations to compromise more than 6,000 bank accounts.

The operation—which targeted Capital One, J. P. Morgan Chase, and other banks—netted, or attempted to net, about $3 million according to an indictment filed in Manhattan federal court. It allegedly worked by obtaining payment card readers from Hungary and other countries and installing them on top of card readers already located on ATMs and doors to ATM vestibules. The fraudulent readers were equipped with hardware that recorded the information encoded onto a card's magnetic stripe each time it was inserted. A hidden pinhole camera with a view of the ATM keypad then captured the corresponding personal identification number.

Antonio Gabor and Simion Tudor Pintillie allegedly led a gang of at least nine other people who regularly planted the skimming devices in the Manhattan, Chicago, and Milwaukee metropolitan areas, prosecutors said. They would later revisit the ATM to retrieve the information stored on the skimming devices and cameras. Gang members would then encode the stolen data onto blank payment cards and use the corresponding PINs to make fraudulent purchases or withdrawals.


Microsoft Patch Tuesday – February 2013

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing 12 bulletins covering a total of 57 vulnerabilities. Eighteen of this month's issues are rated 'Critical'.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the February releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms13-Feb

The following is a breakdown of the issues being addressed this month:

  1. MS13-009 Cumulative Security Update for Internet Explorer

    Shift JIS Character Encoding Vulnerability (CVE-2013-0015) MS Rating: Critical

    An information disclosure vulnerability exists in Internet Explorer that could allow an attacker to gain access to information in another domain or Internet Explorer zone. An attacker could exploit the vulnerability by constructing a specially crafted webpage that could allow for an information disclosure if a user viewed the webpage.

    Internet Explorer SetCapture Use After Free Vulnerability (CVE-2013-0018) MS Rating: Critical

    Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer COmWindowProxy Use After Free Vulnerability (CVE-2013-0019) MS Rating: Critical

    Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer CMarkup Use After Free Vulnerability (CVE-2013-0020) MS Rating: Critical

    Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer vtable Use After Free Vulnerability (CVE-2013-0021) MS Rating: Critical

    Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer LsGetTrailInfo Use After Free Vulnerability (CVE-2013-0022) MS Rating: Critical

    Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer CDispNode Use After Free Vulnerability (CVE-2013-0023) MS Rating: Critical

    Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer pasteHTML Use After Free Vulnerability (CVE-2013-0024) MS Rating: Critical

    Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer SLayoutRun Use After Free Vulnerability (CVE-2013-0025) MS Rating: Critical

    Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer InsertElement Use After Free Vulnerability (CVE-2013-0026) MS Rating: Critical

    Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer CPasteCommand Use After Free Vulnerability (CVE-2013-0027) MS Rating: Critical

    Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer CObjectElement Use After Free Vulnerability (CVE-2013-0028) MS Rating: Critical

    Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer CHTML Use After Free Vulnerability (CVE-2013-0029) MS Rating: Critical

    Remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

  2. MS13-010 Vulnerability in Vector Markup Language Could Allow Remote Code Execution

    VML Memory Corruption Vulnerability (CVE-2013-0030) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Internet Explorer handles objects in memory. An attacker could exploit the vulnerability by constructing a specially crafted webpage. When a user views the webpage, the vulnerability could allow remote code execution.

  3. MS13-011 Vulnerability in Media Decompression Could Allow Remote Code Execution

    Media Decompression Vulnerability (CVE-2013-0077) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Microsoft Windows handles media content. The vulnerability could allow remote code execution if a user opens a specially crafted media file (such as .MPG) or receives specially crafted streaming content.

  4. MS13-012 Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution

    Oracle Outside In Contains Multiple Exploitable Vulnerabilities (CVE-2013-0393) MS Rating: Important

    A vulnerability exists in Microsoft Exchange Server through the WebReady Document Viewing feature. The vulnerability could cause the affected Exchange Server to become unresponsive if a user views a specially crafted file through Outlook Web Access in a browser.

    Oracle Outside In Contains Multiple Exploitable Vulnerabilities (CVE-2013-0418) MS Rating: Critical

    A vulnerability exists in Microsoft Exchange Server through the WebReady Document Viewing feature. The vulnerability could allow remote code execution as the LocalService account if a user views a specially crafted file through Outlook Web Access in a browser.

  5. MS13-013 Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution

    Oracle Outside In contains multiple exploitable vulnerabilities (CVE-2012-3214) MS Rating: Important

    Remote code execution vulnerabilities exist in FAST Search Server 2010 for SharePoint with the Advanced Filter Pack enabled. An attacker who successfully exploited these vulnerabilities could run arbitrary code in the context of a user account with a restricted token. By default, Advanced Filter Pack in FAST is disabled.

    Oracle Outside In contains multiple exploitable vulnerabilities (CVE-2012-3217) MS Rating: Important

    Remote code execution vulnerabilities exist in FAST Search Server 2010 for SharePoint with the Advanced Filter Pack enabled. An attacker who successfully exploited these vulnerabilities could run arbitrary code in the context of a user account with a restricted token. By default, Advanced Filter Pack in FAST is disabled.

  6. MS13-014 Vulnerability in NFS Server Could Allow Denial of Service

    NULL Dereference Vulnerability (CVE-2013-1281) MS Rating: Important

    A denial of service vulnerability exists when the Windows NFS server fails to properly handle a file operation on a read-only share. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding and restart.

  7. MS13-015 Vulnerability in .NET Framework Could Allow Elevation of Privilege

    WinForms Callback Elevation Vulnerability (CVE-2013-0073) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the .NET Framework elevates the permissions of a callback function when a particular Windows Forms object is created. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

  8. MS13-016 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege

    Win32k Race Condition Vulnerabilities (CVE-2013-1248) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1249) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1250) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1251) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1252) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1253) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1254) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1255) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1256) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1257) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1258) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1259) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1260) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1261) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1262) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1263) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1264) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1265) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1266) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1267) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1268) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1269) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1270) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1271) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1272) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1273) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1274) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1275) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1276) MS Rating: Critical

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerabilities (CVE-2013-1277) MS Rating: Important

    Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could gain elevated privileges and read arbitrary amounts of kernel memory.

  9. MS13-017 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege

    Windows Kernel Reference Count Vulnerability (CVE-2013-1280) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

    Kernel Race Condition Vulnerability (CVE-2013-1278) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

    Kernel Race Condition Vulnerability (CVE-2013-1279) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

  10. MS13-018 Vulnerability in TCP/IP Could Allow Denial of Service

    TCP FIN WAIT Vulnerability (CVE-2013-0075) MS Rating: Important

    A denial of service vulnerability exists in the Windows TCP/IP stack that could cause the target system to stop responding and automatically restart. The vulnerability is caused when the TCP/IP stack improperly handles a connection termination sequence.

  11. MS13-019 Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege

    Reference Count Vulnerability (CVE-2013-0076) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows CSRSS improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the local system.

  12. MS13-020 Vulnerability in OLE Automation Could Allow Remote Code Execution

    OLE Automation Remote Code Execution Vulnerability (CVE-2013-1313) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Object Linking and Embedding (OLE) Automation allocates memory. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

More information on the vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

Locking the bad guys out with asymmetric encryption

Encryption, the transformation of data into a form that prevents anyone unauthorized from understanding that data, is a fundamental technology that enables online commerce, secure communication, and the protection of confidential information.

Encryption algorithms are the mathematical formulae for performing these transformations. You provide an encryption algorithm with a key and the data you want to protect (the plaintext), and it produces an encrypted output (the ciphertext). To read the output, you need to feed the key and the ciphertext into a decryption algorithm (sometimes these are identical to encryption algorithms; other times they are closely related but different).

Encryption algorithms are designed so that performing the decryption process is unfeasibly hard without knowing the key.


Zeus Now Setting its Sights on Japanese Online Banking Customers

As we have blogged in the past, Zeus (Trojan.Zbot) and other banking Trojans have been a headache to online banking customers all over the world for years. Certain countries such as Japan have in the past escaped attacks from banking Trojans, perhaps due to the language barrier or some other unknown reason. As the National Police Agency of Japan has reported several times, Japanese online banking customers have now started to fall victim to this type of attack.

Symantec recently came across a new Zeus file targeting five major banks in Japan. Figure 1 shows part of the decrypted configuration file. The malware targets only Japanese banks.

Figure 1. Target banks listed in Zeus configuration file

Figure 2 shows the infection of the variant only observed in Japan, which targets Japanese online banking customers.

Figure 2. World map image illustrating the Zeus variant specifically targeting Japan

The functionality is the same as that of other Zeus variants. Once infected, Zeus monitors the Web browser for visits to the targeted banks and injects HTML code that displays a message in Japanese which, translated into English, states:

"In order to provide a better service to our customers, we are updating our personal internet banking system. Please re-enter the information that you provided when you first registered."

The user is asked to enter personal information, including passwords and any other information the attacker can use to access the account. The login credentials are recorded using Zeus's built-in key logging functionality.

Figure 3. Fake alert HTML code asking the user to input information

Figure 4. Fake alert HTML code asking the user to input the date of issue of the authentication card

The attacker uses the Blackhole exploit kit to install Zeus. Symantec security products provide protection against this with the following detections:

Antivirus:

Intrusion Prevention System (IPS):

Behavior blocking:
SONAR.Heuristic

Zeus is typically delivered through exploit kits. Symantec advises users to keep all installed software updated. This type of malware may also arrive on your computer through email. Do not open emails or attachments from untrusted sources. Finally, be suspicious if your online banking site asks for information that is not usually requested.