As of late August, Kaspersky Lab’s analysts detected 35 unique malicious programs that targeted the Bitcoin system in one way or another.
Realising that their potential earnings largely depend on the number of computers they control, the cybercriminals have moved from stealing Bitcoin wallets to running Twitter- and P2P-based botnets. They have resorted to this because antivirus companies can shut down a botnet that relies on a single C&C server with no alternate servers in the malicious network.
For example, a bot would send a request to a Twitter account, which provides commands that are left there by the botnet owner — i.e., where the Bitcoin-generating program is downloaded, along with instructions for which Bitcoin pools to work with. The use of Twitter as a botnet command centre is not new; although this is the first time it has been used with the Bitcoin system.
In August, Kaspersky Lab also discovered that one of the largest botnets conceals the mining accounts it uses, since those accounts can be deleted by server owners who take a proactive stance against unlawful mining. To achieve this, the botnet owners created a special proxy server that interacts with the infected computers and forwards their requests to an unknown Bitcoin pool. It is therefore not possible to identify the specific pools that the botnet works with and block the fraudulent accounts. In this situation, the only way to intercept such criminal activity is to gain full access to one of the proxy servers.
Almost a year after the source code of Trojan ZeuS (Trojan-Spy.Win32.Zbot), the most widespread threat targeting online banking users, was leaked, Russian-speaking cybercriminals created a clone which became quite popular among fraudsters this summer. The new variant, which emerged in the spring, was dubbed Ice IX by its creator and sells for $600 to $1 800.
One of Ice IX’s most remarkable innovations is the altered botnet control web module which allows cybercriminals to use legitimate hosting services instead of costly bulletproof servers maintained by the cybercriminal community. This difference is meant to keep hosting costs down for Ice IX owners. The appearance of Ice IX indicates that we should soon expect the emergence of new “illegitimate children” of ZeuS and an even greater number of attacks against the users of online banking services.
The new network worm Morto is interesting in that it does not exploit vulnerabilities in order to self-replicate. Instead, it spreads via the Windows RDP service that provides remote access to a Windows desktop – a method which had not been seen before. Essentially, the worm attempts to guess the access password. Provisional estimates indicate that tens of thousands of computers throughout the globe may currently be infected with this worm.
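As an added, defender-side example (not part of the Kaspersky report), the check below scans a constructed, simplified export of Windows Security log entries for the pattern Morto's spreading relies on: bursts of failed RDP logons (event 4625, logon type 10) from one source, optionally followed by a success from the same source. The log line format, the sample addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical, simplified Security-log export
# format: timestamp, event ID, logon type, account name, source address.
# Event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_LOG = """\
2011-08-28T10:00:01 4625 LogonType=10 Account=administrator Source=203.0.113.5
2011-08-28T10:00:02 4625 LogonType=10 Account=admin Source=203.0.113.5
2011-08-28T10:00:03 4625 LogonType=10 Account=administrator Source=203.0.113.5
2011-08-28T10:00:04 4625 LogonType=10 Account=user Source=203.0.113.5
2011-08-28T10:00:05 4625 LogonType=10 Account=administrator Source=203.0.113.5
2011-08-28T10:00:06 4624 LogonType=10 Account=administrator Source=203.0.113.5
2011-08-28T10:05:00 4625 LogonType=10 Account=alice Source=198.51.100.7
2011-08-28T12:00:00 4625 LogonType=2 Account=bob Source=-
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}) LogonType=(\d+) Account=(\S+) Source=(\S+)$")


def parse(log_text):
    """Parse the constructed format into (timestamp, event_id, logon_type, account, source)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip lines that do not match the expected format
            ts, eid, ltype, account, source = m.groups()
            events.append((datetime.fromisoformat(ts), int(eid), int(ltype), account, source))
    return events


def detect_rdp_guessing(log_text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failed RDP logons inside a sliding window.
    Returns {source: {"failures", "accounts", "success_after_burst"}}."""
    recent_fails = defaultdict(list)  # source -> [(timestamp, account), ...] inside the window
    alerts = {}
    for ts, eid, ltype, account, source in parse(log_text):
        if ltype != 10 or source == "-":  # only remote-interactive (RDP) logons with a source
            continue
        if eid == 4625:
            window = [(t, a) for t, a in recent_fails[source] if ts - t <= timedelta(seconds=window_seconds)]
            window.append((ts, account))
            recent_fails[source] = window
            if len(window) >= threshold:
                alert = alerts.setdefault(source, {"failures": 0, "accounts": set(), "success_after_burst": False})
                alert["failures"] = max(alert["failures"], len(window))
                alert["accounts"].update(a for _, a in window)
        elif eid == 4624 and source in alerts:
            # A success after a guessing burst is the case worth escalating first.
            alerts[source]["success_after_burst"] = True
    return alerts
```

Tune `threshold` and `window_seconds` to the host's normal RDP usage; the lone failure from 198.51.100.7 and the local (type 2) logon are deliberately left unflagged.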
In early August 2010, the first-ever malicious program for the Android operating system was detected – the SMS Trojan FakePlayer. Today, threats designed for Android represent approximately 23% of the overall number of detected threats targeting mobile platforms.
Excluding the J2ME platform, 85% of the total number of smartphone threats detected during August 2010 targeted the Android system.
In August, the Nickspy Trojan stood out among the multitude of threats targeting mobile platforms. Its distinguishing characteristics include the ability to collect the phone’s GPS coordinates and information about any calls made from the device. It can also record all the conversations the infected device’s owner has; the audio files are then uploaded to a remote server managed by the attacker.
August saw a number of really high-profile hack attacks. The victims of hacktivists included the Italian cyber police, a number of companies cooperating with law enforcement agencies in the US, and the military contractor Vanguard, which works under contract to the US Department of Defense. However, these attacks were hardly surprising against the backdrop of this year’s events.