Cybercriminals Shifting To Bugat

CmdrTaco posted more than 4 years ago | from the brand-new-hotness dept.

Crime 48

wiredmikey writes "Cybercriminals are changing up their weapons, trying to diversify their attack tools using a platform that is less well known and therefore harder to detect and block. With so much focus on the ZeuS Trojan, recent attacks utilized a variant of 'Bugat,' another Trojan horse that steals information from a compromised computer and sends it to a remote host. Bugat was first discovered in January of this year but, like ZeuS, has seen some different variants. In last week's attack, LinkedIn users received emails alerting them of a 'Contact Request,' and encouraging them to click through to a malicious URL where a java applet fetched and installed the Bugat executable."


Moral of the story: never click through (0)

sabs (255763) | more than 4 years ago | (#33869624)

Never ever click on a link in an email, and preferably not on a forum either.
Always type the URLs you are going to yourself, so you know what they are.

I keep thinking I need to set up a VM that all it does is run my Chrome and IE stuff, and I can just burn it down if need be.

I'd avoid clicking them on pages, too (4, Funny)

Jeremiah Cornelius (137) | more than 4 years ago | (#33869984)

Let's start with email and forums, yes.

But the question is open: What are these "hyperlinks" really for, anyway? The dubious benefits delivered at the other end of clicking is seldom worth the exhilaration. I say that we should just eliminate them, altogether!

I envision a large screen - you could make it large enough to occupy a central place in the household. This could be used to deliver appropriate, scheduled media and information: remote through a wireless, one-to-many transport or stored locally on different removable media.

I think there are significant opportunities to greatly simplify the user interface of such a device, and we will eliminate the risks associated in hyperlinking.

Re:I'd avoid clicking them on pages, too (1)

sabs (255763) | more than 4 years ago | (#33870022)

Damn I wish I had mod points :) that's a funny patent worthy description of a television :)

Re:I'd avoid clicking them on pages, too (2, Funny)

Jesus_666 (702802) | more than 4 years ago | (#33870938)

Your idea is intriguing but with the lack of accountability as to who is consuming what when, the content industry would never allow the distribution of movies and shows over your new network. Without multimedia capabilities, who would use it?

Re:I'd avoid clicking them on pages, too (0)

Anonymous Coward | more than 4 years ago | (#33882974)

Your idea is intriguing but with the lack of accountability as to who is consuming what when, the content industry would never allow the distribution of movies and shows over your new network.

That's why we throw in a free, AI enhanced, voice activated, two-way monitoring capability from the government. We originally marketed him as "Bob" but found that focus groups preferred "Big Brother."

Re:I'd avoid clicking them on pages, too (1)

CarpetShark (865376) | more than 4 years ago | (#33906634)

I envision a large screen - you could make it large enough to occupy a central place in the household.

Household?

I think a much better solution would involve tents (or perhaps some sort of lean-to), a campfire, and a professional story teller who roams from encampment to encampment, bartering for pottage.

Re:I'd avoid clicking them on pages, too (1)

Jeremiah Cornelius (137) | more than 4 years ago | (#33908868)

Better we, the pastoralist steppe horsemen, than those pathetic, agricultural squatters in the basin.

Re:Moral of the story: never click through (1)

mlts (1038732) | more than 4 years ago | (#33870160)

If you don't set up a VM, I highly recommend Sandboxie and running your browsers inside of that. It isn't as secure as a VM, but it can be configured to disallow anything but the Web browser to make outgoing network connections, and can be told to only run stuff in a sandbox as a limited user without admin authority. Plus, Sandboxie can disallow stuff that normally would download and run from executing at all. This, coupled with the fact that all writes are redirected, ensures decent protection against malware while Web browsing.

Of course, if you go the VM route, don't forget to turn on redo logs and/or snapshotting as well as make the stuff in the client run as a limited user. This is another hoop for malware to have to jump through before it gets a chance to attack the VM/hypervisor proper.

Re:Moral of the story: never click through (1)

ehrichweiss (706417) | more than 4 years ago | (#33870866)

FYI, there's a special "Anti-Sandboxie" setting in many of the builders for these trojans; as well as Anti-VirtualPC, etc.

Re:Moral of the story: never click through (1)

mlts (1038732) | more than 4 years ago | (#33873004)

Very true. I'm sure there is anti a lot of things. However, even with code to detect Sandboxie or VirtualPC, just the fact that all writes are redirected to a safe location and that it runs in a user context with no ability to get to anything administrative locks out almost anything it could do, other than try to fill the filesystem, RAM, or process space.

Re:Moral of the story: never click through (1)

RulerOf (975607) | more than 4 years ago | (#33871376)

If you don't set up a VM, I highly recommend sandboxie

I've thought of getting Sandboxie for a long time, but I'd really prefer F/OSS for this kind of thing.

Know of anything comparable?

Re:Moral of the story: never click through (1)

vk2 (753291) | more than 4 years ago | (#33872206)

Here you go - http://www.chromium.org/ [chromium.org]

Re:Moral of the story: never click through (1)

mspohr (589790) | more than 4 years ago | (#33874542)

VirtualBox (virtualbox.org) is a solid FOSS virtual machine. Runs on Windows, Mac and Linux (among others) and can run Windows, Linux and other OSs.

If you are running Windows, the best way to protect yourself would be to NOT run Windows. But if you are dependent on it (emotionally, financially, programmatically, etc.), the best solution would be to do all of your web browsing and email in a VirtualBox running Linux. For example, Ubuntu Linux is easy to install in a VirtualBox VM. It comes with Firefox and email tools (along with lots of other good stuff).

- Install VirtualBox on Windows

- Install Ubuntu (or another Linux) in a VirtualBox VM

- Run Firefox and email in your VM.

(This should take less than an hour to set up.)

With this configuration, you would then be running all of your Internet activities under Linux and you are very safe from malware. The VirtualBox VM would run in a window on your Windows desktop and you could then do whatever it is you need to do in Windows. If you keep Windows off the Internet it is relatively safe.

Re:Moral of the story: never click through (2, Interesting)

mspohr (589790) | more than 4 years ago | (#33870178)

Not "clicking through" is not a realistic option.

I switched to Linux (and my wife and daughters to Macs) a few years ago and I don't worry about malware any more. (Note to partisans: I know that both of these OSs can be "theoretically" compromised but the reality is that it just doesn't happen since you need to be a really stupid user and type in your password to give the malware access to do any real damage.)

I've set up VMs for Windows if I absolutely must run some Windows software but I've found I rarely use them.

- It did cost some time and money to switch but...

- Freedom from malware... priceless.

On our communal list of never-ending things to do (1)

RulerOf (975607) | more than 4 years ago | (#33871352)

I need to set up a VM that all it does is run my Chrome and IE stuff, and I can just burn it down if need be.

Same here, just not enough cores yet :-(

It's been surprisingly difficult to sandbox the browser into a VM in such a fashion that it looks and behaves just like a native one. Until recently, using VMware you couldn't get Aero glass to come through, and now that you can, it's still a chore to synchronize all your cookies and downloads and drag/drop of pictures and the like and still be able to do a snapshot/restore in such a fashion that you don't lose settings or saved passwords or all sorts of whatnot, and then there's the performance hit... it's just not there yet.

It seems though that by the time that's truly user friendly, browsing would be totally secure... right? ;-)

Re:Moral of the story: never click through (1)

Jeremiah Cornelius (137) | more than 4 years ago | (#33872388)

BTW. Does sabs mean "green"?

Make Up Your Mind (2, Informative)

WrongSizeGlass (838941) | more than 4 years ago | (#33869626)

In the linked article they claim "Bugat" was being distributed via the recent attack targeting LinkedIn users but the article [securityweek.com] they use as their reference clearly states the LinkedIn spam was distributing "ZeuS". Make up your mind, M'kay?

Re:Make Up Your Mind (0)

Anonymous Coward | more than 4 years ago | (#33869738)

You're not supposed to actually *follow* links to source material; you're just supposed to assume that because there are links to sources that whatever they've written will be backed up by those sources.

Re:Make Up Your Mind (0)

Anonymous Coward | more than 4 years ago | (#33869838)

"Update - 10/12/10 9:50AM - There have been reports that this attack used "Bugat" Malware instead of Zeus"

(from the source material)

Re:Make Up Your Mind (1)

Apocryphos (1222870) | more than 4 years ago | (#33875544)

you're just supposed to assume that because there are links to sources that whatever you think will be backed up by those sources.

Fixed.

Re:Make Up Your Mind (0)

Anonymous Coward | more than 4 years ago | (#33869890)

I got an e-mail from someone the other day from LinkedIn, wonder if I was one of the lucky ones "targeted" by either/or.

Re:Make Up Your Mind (3, Informative)

cerberusss (660701) | more than 4 years ago | (#33869916)

The reference article has been updated:

Update - 10/12/10 9:50AM - There have been reports that this attack used "Bugat" Malware instead of Zeus (More)

Useless (0)

Anonymous Coward | more than 4 years ago | (#33869834)

Please tell me how to detect and remove this

The Bugat team (1)

diskofish (1037768) | more than 4 years ago | (#33869872)

The Bugat team really knows their stuff. Good job guys!

Finally! (2, Funny)

digitaldc (879047) | more than 4 years ago | (#33869924)

After years of inactivity and wondering exactly what its purpose is, I have now discovered a reason to have a profile on LinkedIn.
Meeting new people, discovering professional contacts and getting viruses!

Re:Finally! (1)

krelvin (771644) | more than 4 years ago | (#33870246)

Except that you didn't need to have a LinkedIn account to receive one of these gems.

Re:Finally! (0)

Anonymous Coward | more than 4 years ago | (#33871338)

Yeah, it's much like hanging out in after-work bars. Just replace "viruses" with STDs.


Can anyone tell me.. (1)

Duncan J Murray (1678632) | more than 4 years ago | (#33869962)

Whether this also affects Linux users, and secondly, how does one configure java/flash/their browser etc, to prevent this happening?

Re:Can anyone tell me.. (0)

Anonymous Coward | more than 4 years ago | (#33872814)

Or how a Java applet will do this at all? Even if the end-user wants the Applet to write to disk, it can't without being signed by a valid certificate.

That certificate should lead back to someone who should then have criminal liability.

I call B.S. on this. My wife's Vista laptop installs anything and everything automatically, but that's the fault of IE and Vista. Java requires some accountability before letting anybody out of the sandbox.

Re:Can anyone tell me.. (1)

John Hasler (414242) | more than 4 years ago | (#33878030)

> Whether this also affects Linux users...

It doesn't.

> ...how does one configure java/flash/their browser etc, to prevent this happening?

NoScript.

This is embarrassing (0)

Anonymous Coward | more than 4 years ago | (#33870000)

Here is a link for the bugat page on java.net. The only content appears to be "Introducing Bugat: The new Trojan targets users' banking credentials."

http://www.java.net/community-item/introducing-bugat

Re:This is embarrassing (2, Funny)

e70838 (976799) | more than 4 years ago | (#33870342)

I was not able to download bugat from this link. Do you have another one ?

I just love press releases (3, Informative)

tsu doh nimh (609154) | more than 4 years ago | (#33870112)

Wondering how much this "story" actually differs from the Trusteer press release, below:

NEWS RELEASE FOR IMMEDIATE DISTRIBUTION

Trusteer Researchers Find Criminals are Diversifying Financial Attacks with New Version of Bugat Malware

Bugat Quietly Distributed in Recent LinkedIn Phishing Assault; Unlike Zeus Trojan, it is Less Well Known and Harder to Detect

NEW YORK, Oct. 12, 2010 -Trusteer, the leading provider of secure browsing services, today announced that its researchers have discovered a new version of the Bugat financial malware used to commit online fraud. Bugat was distributed in the recent phishing campaign targeting LinkedIn users, which was generally considered to be trying to infect machines with the more common Zeus Trojan. The emergence of this new version of Bugat appears to be an attempt by criminals to diversify their attack tools using a platform that is less well known and therefore harder to detect and block.

Bugat is similar in functionality to its better known financial malware brethren Zeus, Clampi and Gozi. It targets Internet Explorer and Firefox browsers and harvests information during online banking sessions. The stolen financial credentials are used to commit fraudulent Automated Clearing House (ACH) and wire transfer transactions mostly against small to midsized businesses, which result in high-value losses. Bugat is three times more common in the US than Europe, but its distribution is still fairly low.

In last week's attack, LinkedIn users received emails reminding them of pending messages in their account and providing a malicious URL. When a victim clicked on the link they were directed to a fraudulent website where a java applet fetched and installed the Bugat executable. LinkedIn spam email is an effective tool to push malware to enterprise users, and is being used to gather credentials for commercial bank accounts and other sensitive services used by businesses.

"Criminals are stepping up their malware distribution efforts by continuously updating configurations of well known malware like Zeus, and using new versions of less common Trojans like Bugat, to avoid detection," said Mickey Boodaei, CEO of Trusteer. "We are in an arms race with criminals. Although Zeus gets a lot of attention from law enforcement, banks and the security industry, we need to be vigilant against new forms of financial malware like Bugat and SpyEye which are just as deadly and quietly expanding their footprint across the internet."

Trusteer warns that the recent industry focus on Zeus is making it easier for other Trojans, like Bugat, SpyEye, and Carberp, which are less widespread but equally sophisticated, to avoid detection. Carberp currently targets nine banks in the United States, Denmark, The Netherlands, Germany, and Israel. These lesser known financial malware platforms are expected to increasingly compete with the Zeus toolkit to become the new Trojan of choice for criminal groups.

Blocking and Removing Bugat

The Trusteer Secure Browsing Service protects banking and other online sessions by blocking attacks and then disinfecting machines that are infected with Bugat and other financial malware including Zeus, SpyEye, and Carberp. When a Trusteer user browses to sensitive websites such as internet banking, Webmail, or online payment pages, the service immediately locks down the browser and creates a tunnel for safe communication with the web site. This prevents malware like Bugat from injecting data and stealing information entered and presented in the browser. The service is directly connected to the bank (or other online business protected by Trusteer) and to Trusteer's 24x7 fraud analysis service. Attempts to steal money from consumers protected by Trusteer are immediately detected by the bank or operator of the website and are blocked using various layers of protection.

Uh oh (1)

theatrebreakslondon (1920160) | more than 4 years ago | (#33870202)

Whoa, I didn't hear about this. I think I got that email.

According to Symantec, Windows only (2, Interesting)

david.emery (127135) | more than 4 years ago | (#33870254)

But of course, I had to dig to find that particular piece of information. Most of the write-ups ignore the question of what host OS/systems are vulnerable. http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2010-013112-4647-99 [symantec.com]

It's truly appalling that the great number of discussions are either (a) ignorant of the question of 'host vulnerability', (b) assume that everyone is running Windows; or (c) can't be bothered to determine what hosts are vulnerable. If I were sufficiently paranoid, I'd believe this is part of the continuing conspiracy to make everyone believe that such vulnerabilities are a 'fact of life' for all computers, and not just Microsoft products.

Re:According to Symantec, Windows only (1)

bill_kress (99356) | more than 4 years ago | (#33874340)

It's interesting that Windows Vista was on that list but not Windows 7. Did they finally improve things a little?

Bugat! (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#33870478)

Millennium hand and shrimp!

Re:Bugat! (1)

baubo (1310237) | more than 4 years ago | (#33879132)

Silly mods; Terry Pratchett is NEVER offtopic!

Hmm... I guess I should be.. (0)

Anonymous Coward | more than 4 years ago | (#33870856)

Safe. I am firewalled running VM and I am on LinkedIn now. What could possibly happen if I open up this emaile#$%^*^&*GB(^^((*>*&(^&*..No carrier

Running Mac OS... (2, Informative)

Chris Tucker (302549) | more than 4 years ago | (#33871400)

...in a user account when online, NEVER as Root, and Little Snitch [obdev.at] is ALWAYS running in the background in ALL accounts, especially Root.

Ad Block Plus is also running at all times, that helps to eliminate the threat posed by hijacked banner or other ads.

Yes, the potential for the Mac to be compromised is there, but I'd have to do something really stupid to get malicious code onto the machine.

(Insert your own gratuitous but not unwarranted slams against the Windows OS here.)

Re:Running Mac OS... (0)

Anonymous Coward | more than 4 years ago | (#33872146)

I'm running Linux, so I don't care.

Bwahahahah!

Re:Running Mac OS... (2, Funny)

Beerdood (1451859) | more than 4 years ago | (#33876542)

I'm running Linux, so I don't care.

Bwahahahah!

Dear Malware coders :

Please work on creating more linux based malware and viruses. There simply isn't enough Linux Malware [wikipedia.org] out there - I believe the parent post clearly shows that there are plenty of smug linux users out there that believe their computers are impenetrable fortresses.

You see, it's a win-win situation for you regardless of what happens. Either
a) Linux becomes the dominant operating system, jumping from 0.1% to 95% of the market share. In this scenario, your malware reaches a significantly higher number of unsuspecting users.
b) Linux becomes even more obscure and Windows based operating systems are still the dominant choice of operating system. In this scenario, your existing Windows malware will continue to prevail and infect more and more users switching over from Linux to Windows.

Please carefully consider my proposal. I'm sure you'll find that we can agree that there needs to be a lot more Linux based Malware out there, so get coding. Also, I would gladly send $60 for your "free anti-virus software" just imagining the look on the faces of pretentious linux users when they find their system is infected.

Sincerely,
Beerdood

Simple solution (5, Insightful)

Todd Knarr (15451) | more than 4 years ago | (#33871542)

When is the simple solution going to be applied by users: never trust links in e-mail. If I got an e-mail from LinkedIn telling me about a contact request, I'd ignore any URL in the e-mail. I'd go to LinkedIn itself through the bookmark already in my browser. If it's a real contact request, it'll be sitting in my inbox there waiting for me. I don't need to trust anything in the e-mail. And if there isn't anything waiting in my inbox, then the e-mail was a fake and I shouldn't be trusting anything in it.

It's the same rule as for unsolicited phone calls. If someone calls you up claiming to be from the power company saying you've got an overdue balance and you have to pay up or have power shut off, you do not accept their helpful offer of doing the payment over the phone if you'll just give them your bank-account number to do an e-check. You've no idea whether it's actually the power company calling or just some random con-man. You thank them, hang up, pull out your last bill and get the customer-service number from that. Then you call that number and ask them about the status of your account. And if they say you are, it's now safe enough to do an e-check because (barring someone having usurped the phone company's switches themselves, or having switched physical bills on you) you know you're really talking to the power company.
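
The rule in the post above (treat a link in a notification e-mail as untrusted unless it actually points at the service that claims to have sent it) can also be applied mechanically before a user ever sees the message. The following is an added example, not code from the Slashdot thread or from Trusteer: a small Python checker that parses an HTML e-mail, pulls out every anchor, and flags any link whose host is not under the sender's registered domain or that uses a non-web scheme. The sample message and its hostnames are constructed for the example; the two-label "registered domain" heuristic is an assumption that works for plain .com/.net names but is not a Public Suffix List lookup.

```python
"""Flag links in a notification e-mail that do not point at the sender's own
domain. Added example (not from the thread or any vendor); the sample mail
below is constructed."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registered-domain heuristic: the last two DNS labels.
    Assumption for the example; real deployments should use the
    Public Suffix List so that e.g. example.co.uk is handled."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(raw_message):
    """Return [(href, reason)] for every link a reader should not follow.

    A link is suspicious when its scheme is not http/https, or when its host
    is not under the registered domain of the From: address. The visible
    anchor text is deliberately ignored for the decision: it is attacker
    controlled and is exactly what a phishing mail uses to look legitimate.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_hdr = msg["From"]
    sender_host = from_hdr.addresses[0].domain if from_hdr and from_hdr.addresses else ""
    sender_domain = registered_domain(sender_host)

    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    collector = _LinkCollector()
    collector.feed(html)

    findings = []
    for href, _text in collector.links:
        target = urlparse(href)
        host = target.hostname or ""
        if target.scheme not in ("http", "https"):
            findings.append((href, "non-web scheme"))
        elif registered_domain(host) != sender_domain:
            findings.append((href, f"host {host} is not under {sender_domain}"))
    return findings


# Constructed sample: a "contact request" style notification in which one
# link goes to the claimed sender and one goes elsewhere.
SAMPLE_MAIL = """\
From: LinkedIn <messages-noreply@linkedin.com>
To: victim@example.org
Subject: Contact Request
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have a pending contact request.</p>
<a href="http://linkedin.example.net/contact">View request</a>
<a href="https://www.linkedin.com/inbox">Go to your inbox</a>
</body></html>
"""

if __name__ == "__main__":
    for link, why in suspicious_links(SAMPLE_MAIL):
        print(f"DO NOT CLICK {link}: {why}")
```

Run as a script it reports only the first link, because `linkedin.example.net` resolves to the registered domain `example.net`, not `linkedin.com`. This is the same decision the post describes a careful user making by hand, and it is why a mail gateway or client plugin can refuse to render such links as clickable at all; the user then has to reach the service through a bookmark, which is the behaviour the post recommends.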

/. now a Microsoft PR drone? (2)

lowlands (463021) | more than 4 years ago | (#33873052)

It's nice to see that even /. will not clearly specify that this is a Microsoft Windows-only problem. The Microsoft PR drones have been "generalizing" and "de-Windowfying" the trojan/virus/malware problem for a while now. And quite successfully, it seems, when even /. serves its articles the way Microsoft's PR drones like to see them. If you read the first sentence then it is basically unclear, to the untrained, inexperienced eyes of this world, that this is not a problem for all Operating Systems and platforms but unique to one particular vendor. Time to give the Microsoft PR drones more work and put the blame where it belongs.

Re: /. now a Microsoft PR drone? (1)

John Hasler (414242) | more than 4 years ago | (#33878062)

It's nice to see that even /. will not clearly specify that this is a Microsoft Windows-only problem.

On /. it is taken for granted that malware is a Microsoft-only problem.

Good choice to switch. (0)

Anonymous Coward | more than 4 years ago | (#33876558)

Bugattis are very good cars. I know the BMWs they used were good workhorses but sometimes you just have to move on.

Oh, "Bugat" the code tool, and not "Bugatti" the cars? Woops.
