According to Dr Web, the number one Mac threat at the moment is the Yontoo Trojan.
Yontoo hijacks web pages by injecting adware and is detected by ESET CyberSecurity for Mac as a Trojan.
In a smaller than normal Virus Bulletin test, ESET once again came out a winner. This round of tests, which covered anti-malware products for SUSE Linux, yielded only one failure (avast!). ESET was in fine company this month, with vendors such as Kaspersky Labs and Bitdefender also taking VB100 trophies.
About Virus Bulletin
Virus Bulletin started in 1989 as a magazine dedicated to providing PC users with a regular source of intelligence about computer malware, prevention, detection and removal, as well as information on how to recover programs and data following an attack.
VB100 certification schemes
For many years, Virus Bulletin has carried out independent comparative testing of anti-malware products. The unique VB100 certification scheme is widely recognized within the industry.
The VB100 award is a certification of products which meet the basic standards required to be recognised as legitimate and properly functioning anti-malware solutions.
To display a VB100 logo, a product must:
– detect all In-the-Wild (WildList) samples used in the test
– report no false positives
All this must be done with default, out-of-the-box settings in the VB lab environment.
ESET’s VB100 Award History
ESET has a strong showing in the tests performed by Virus Bulletin, holding more VB100 awards than any other vendor. This award is number 78!
Friday February 8, 2013
The ‘PokerAgent’ botnet, which we tracked in 2012, was designed to harvest Facebook log-on credentials, also collecting information on credit card details linked to the Facebook account and Zynga Poker player stats, presumably with the intention of defrauding the victims. The threat was mostly active in Israel. 800 computers were infected, and over 16194 Facebook credentials were stolen.
Introduction to PokerAgent
ESET Security Research Lab discovered an attention-grabbing Trojan horse about a year ago. The signs that indicated it would be something interesting were references to Facebook and its Zynga Poker App (seen in the text strings in the binary), the executable name “PokerAgent” and botnet features: the Trojan would request tasks from a C&C server.
ESET has been detecting the different variants of the Trojan generically as MSIL/Agent.NKY. After the initial discovery, we were able to find other versions of the Trojan, both older and newer, and to acquire detection statistics, which revealed that the Trojan was most active in Israel.
We performed a deep analysis of the Trojan’s source code (which was quite trivial, as it was programmed in C#, which is easy to decompile) and started monitoring the botnet. The findings are presented below.
Additional technical details are available in the whitepaper.
The malware author/attacker has an extensive database of stolen Facebook credentials – login names and passwords. At first, we didn’t know how he had acquired the credentials, but later on in the investigation this became clear. When the bot connects to the C&C server, it requests tasks to carry out. One such “task” equals one Facebook user. The Trojan is programmed to log into this Facebook account, and collect the following information:
– Zynga Poker stats for the given Facebook ID
– Number of payment methods (i.e. credit cards) saved in the Facebook account
The Zynga Poker user statistics are acquired by parsing the response from the URL: http://facebook2.poker.zynga.com/poker/inc/ajax/profile_popup.php?zid=1:%_FACEBOOK_ID%&signed_request=%_SIGNATURE%&platform=1
This returned response looks something like the one below, and contains various information about the user, such as his or her name, gender, profile picture, Zynga poker rank and points, number of ‘buddies’ and statistics on hands played in the game.
The Trojan is only interested in the gender of the user, points and rank. This information is sent back to the C&C server.
Note that in order to pose the query, the perpetrator only needs the victim’s numerical Facebook ID and a valid signed request parameter for the Zynga Poker application. Throughout the different versions of the bot, we have observed different parameters being used.
More information on the popular game Zynga Poker can be found here.
In order to ascertain the number of payment methods linked to the Facebook account, the bot first has to log into the account (using a Facebook username and password already in the perpetrator’s possession). The Trojan then browses to https://secure.facebook.com/settings?tab=payments&section=methods and simply parses the number between HTML tags in the string “You have X payment methods saved.” on the HTML page.
We advise careful consideration before storing credit card details into any app, not only Facebook!
Again, this information is sent back to the C&C server to update the attacker’s victim database.
The infected bot can be instructed to perform one other important task on behalf of a Facebook victim:
– Publish links on the Facebook user’s wall
The purpose of this functionality is to direct other Facebook users (i.e. the friends of the users whose logon details have already been stolen) to a fake Facebook log-in site, in order to phish their credentials as well.
The task sent to the bot, apart from a Facebook user name and password, also contains a URL (sent in an encrypted form) and possibly some accompanying text for the post (we haven’t observed this feature being used by the botnet, however). The Trojan, having logged in to the Facebook account, publishes the decrypted link on the Facebook user’s wall.
Here is an example:
The link would lead to a webpage like the one on the screenshot below. During our botnet monitoring, we have observed different landing pages being used. Both from our telemetry and from the text on these websites we see that the attacks were mainly targeting Israeli Internet users. The pages featured tabloid topics, which a user could be curious to click on.
Regardless of the topic of the “redirect page”, they all had one thing in common – every picture or link was an HTML link to a fake Facebook login website as seen below. Again, different URLs were used over time.
Unsurprisingly, when a victim fills in the log-in form on this counterfeit Facebook page, his credentials are sent to the attacker.
Analysis of the source code also reveals an interesting feature of the Trojan’s programming logic. The code contains a function called ShouldPublish, which determines whether the phishing links should be posted to the user’s wall. That depends on whether the victim has any credit cards linked to his account and his Zynga Poker ranking. Apparently, if one of these conditions is met, the attacker considers it a success. If not – no payment details and low Poker ranking – the Trojan seeks other victims.
How does the attack happen?
It should be noted that, unlike other Trojans we often see spreading through Facebook, this Trojan does not log into or in any way interfere with the Facebook account of the user that is infected. (In fact, they may or may not even have a Facebook account.) The botnet serves rather as a proxy, so that the illegal activities (the tasks given to bots) are not carried out from the perpetrator’s computer.
The facts above lead us to the conclusion that the purpose of the botnet is to:
– Expand the database of stolen Facebook usernames and passwords
– Update the database: pair the credentials with information on the user’s Zynga Poker stats and their saved credit cards
We can only speculate how the attacker further abuses the harvested data. The code suggests that the attacker seeks out Facebook users who have something of value worth stealing, as determined by their Poker stats and the credit card details saved in their Facebook account. Later, the attacker can simply abuse the credit card information themselves, or they may sell the database to other criminals.
How does it spread?
Above, we have shown the fake Facebook login page that the attacker uses to lure their victims into giving them their Facebook credentials.
As far as the distribution of the “PokerAgent” Trojan itself is concerned, we haven’t been lucky enough to catch it ‘in the act’ of spreading. At the time we were monitoring the botnet, in March 2012, it was no longer spreading actively. What we do know, however, is that the Trojan is downloaded onto the system by a separate downloader component (of which we have also seen several versions). This downloader component was seen on the web (on various dynamically changing URLs), and the victims were fooled into downloading it.
Given the nature and techniques used by the Trojan, it’s a fair assumption that the Trojan downloader was also distributed through Facebook, making use of similar social engineering tricks.
Scale of the attacks and action taken
We have been detecting the Trojan MSIL/Agent.NKY since December 3, 2011. Some time later, we noticed that it deserved more of our attention, conducted an in-depth analysis of the code, started tracking the threat and, after analyzing its C&C protocol, began monitoring the botnet.
Thanks to our generic detection, we were able to capture both earlier and later versions of the Trojan. We have found 36 different versions of ‘PokerAgent’ with compilation timestamps from September 2011 to March 2012. MD5 hashes are provided at the end of this paper. Thus, we were able to see the malware writer actively developing his project.
Our tracking of the botnet revealed that at least 800 computers had been infected with the Trojan and that the attacker had at least 16194 unique entries in his database of stolen Facebook credentials by March 20, 2012. Note that this number does not necessarily correspond exactly to the number of users whose credentials were stolen: there could have been more that we didn’t see, and of those we did see, not all entries were valid, as some users were not tricked by the phishing scheme and entered details that were obviously fake.
As can be seen from our ESET LiveGrid® detection timeline below, the malware author seems to have ceased actively spreading the Trojan in mid-February 2012.
The attacks are regionally concentrated in only one country. Our telemetry indicates that precisely 99% of all MSIL/Agent.NKY detections by ESET security products come from Israel.
Immediately after we had gathered solid information on these criminal activities, we cooperated with both the Israeli CERT and Israeli law enforcement. The details of the investigation cannot be disclosed for reasons of confidentiality.
Facebook has also been notified and has taken preventive measures to thwart future attacks on the hijacked accounts.
The ‘PokerAgent’ case represents a successful attack against the users of the largest social network in the world and players of the largest Poker site in the world. There are, however, several security practices – aside from the obvious recommendation to use an updated anti-virus – which would have prevented the perpetrators from being so lucky.
Not only technical measures but also user vigilance is important as a countermeasure to attacks that employ social engineering. While visually it is a perfect copy of the real thing, the fake Facebook log-on webpage could easily have been recognized as such if the user had checked the browser address bar, yet the majority of victims were duped by the phishing scam.
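The address-bar check recommended above, written out as an added example (not code from ESET or from the original post). It assumes the legitimate login form lives on facebook.com or one of its subdomains; the sample links are constructed to show the lookalike shapes a phishing page hides behind.

```python
from urllib.parse import urlsplit

# Assumption for this example: the real login page is served from facebook.com
# or a subdomain of it (www., secure., ...); any other host is treated as suspect.
LEGITIMATE_SUFFIXES = ("facebook.com",)


def is_legitimate_login_url(url: str) -> bool:
    """Return True only if the URL uses HTTPS and its host is facebook.com or a
    subdomain of it: the address-bar check from the post, done on the parsed
    host rather than by eye."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False                      # plain HTTP: not the real login page
    # .hostname drops any "user:pass@" prefix and ":port" suffix, so
    # https://facebook.com@phish.example/ yields "phish.example", not "facebook.com".
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False
    # Exact match or a genuine subdomain; "www.facebook.com.login-verify.example"
    # fails because it neither equals the suffix nor ends with ".facebook.com".
    return any(host == s or host.endswith("." + s) for s in LEGITIMATE_SUFFIXES)


def triage(urls):
    """Map each URL to a verdict, for a quick look at a batch of harvested links."""
    return {u: ("legitimate" if is_legitimate_login_url(u) else "SUSPECT") for u in urls}


# Constructed sample links: one genuine-looking login URL plus the tricks that
# make a phishing host look like the real one at a glance.
SAMPLE_URLS = [
    "https://www.facebook.com/login.php",
    "http://www.facebook.com/login.php",                 # downgraded to plain HTTP
    "https://www.facebook.com.login-verify.example/",   # real name used as a prefix
    "https://facebook.com@phish.example/login",          # real name in the userinfo part
    "https://secure-facebook.com/login",                 # hyphenated lookalike
    "https://www.f\u0430cebook.com/login",               # Cyrillic 'a' homoglyph
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS).items():
        print(f"{verdict:10} {url}")
```

Only the first sample passes; the homoglyph case fails because the Cyrillic letter never compares equal to the ASCII suffix, which is the same reason it fools a reader but not a byte comparison.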
Facebook has implemented various mechanisms for improving the security of their users. In particular, two-factor authentication would have prevented the infected bots from logging into the victim Facebook accounts.
We advise careful consideration before allowing a browser or other app to ‘remember’ passwords for sensitive services and before storing credit card details into any application (not only Facebook!).
With popular social networks being exploited for malware dissemination, spam, phishing, and other nefarious purposes, it is highly advisable to ensure that you are protected from this attack vector as well. In order to keep your Facebook account clean, ESET has introduced the ESET Social Media Scanner app.
List of MD5s
ESET is 25 years old… learn about the company and the culture, and meet just a few of the people working hard to keep you safe.
This is how to remove the message “Checked by ESET” from your emails when running ESET NOD32 Antivirus v6, ESET Smart Security v6 or ESET CyberSecurity for Mac:
For further support – please browse our ESET support section.
The latest release of ESET NOD32 and ESET Smart Security is now available. We are pleased to announce that both ESET Smart Security 6 and ESET NOD32 Antivirus 6 were released on January 15th, 2013 and are available for purchase. If you are a client of Computer Security Solutions with a valid ESET NOD32 or ESET Smart Security license, you can download the V6 versions free HERE.
This release brings improvements to the user experience, more effective threat detection and more thorough cleaning of infected systems.
ESET NOD32 Antivirus 6 is a fast and powerful antivirus solution with improved usability and upgrades to the scanning engine for better overall performance. Both products benefit from Anti-Phishing protection in addition to the new ESET Social Media Scanner App, which protects users and their linked friends against attacks launched from within Facebook. ESET Smart Security 6 further extends that functionality by adding unique Anti-Theft capabilities.
ESET Social Media Scanner checks your profile, wall, newsfeed and private messages for malicious content, even when you are not logged into your Facebook account. If an infection is found, a notification is sent by email so you can take care of the problem.
ESET Anti-Theft helps locate your missing devices and makes it possible to monitor activity on lost or stolen laptops, tablets, notebooks and more!
ESET Anti-Phishing offers increased protection against digital identity theft. ESET Smart Security 6 ranked as one of the most effective products blocking almost 94 percent of threats. The dedicated Anti-Phishing module in V6 includes an extended database of phishing sites as well as verified reports by users.
We are proud to officially announce the release of ESET Smart Security 6, our all-in-one protection with Anti-Theft, and ESET NOD32 Antivirus 6, our powerful and fast antivirus with Anti-Phishing.
Explore many of the new features like Anti-Theft or Social Media Scanner right now in a free 30-day trial: https://www.betterantivirus.com/nod32-antivirus-trial/
As always, ESET customers with a currently valid license can upgrade to version 6 of the same product at no additional charge.
Despite the challenge of a brand new platform in the form of Windows 8, products generally performed well in this month’s test. December’s VB100 comparative sees ESET VB100 win #76. According to Virus Bulletin, this test had a close to normal pass rate. However, with a full 1/3 of all participants failing to win a VB100 award this time around, it is our opinion that there was a much higher failure ratio than we normally see.
Actually, eleven out of the thirty-three products tested were not able to win VB100 awards this time around. ESET continues their streak – VB100 #76 was in the bag!
ESET NOD32 Antivirus 5 scored another VB100 award in the final Virus Bulletin test of 2012. In a test with 33 participants, ESET once again took home a VB100 award. The most notable failures in this test included FileMedic, Filseclab Twister and K7 Computer (plus a few other vendors).
Norman failed with a single false positive. VirusFighter Pro missed some WildList entries. RoboScan missed WildList threats. FileMedic made a fairly major number of false positives (46). Meanwhile Filseclab Twister racked up only 5 false positive results.
ESTsoft ALYac and BeyondTrust Blink Professional failed on WildList misses, and Commtouch Command from Commtouch (formerly Authentium) missed out with 3 false positives.
ESET NOD32 Antivirus has achieved more Virus Bulletin VB100 Awards than any other product. To be awarded, a product must detect all In-the-Wild viruses while reporting no false positives. ESET NOD32 has never missed an In-the-Wild virus.
Copyright & Legal © 2013 BetterAntivirus.com