eEye Digital Security


Miscellaneous Sun JRE/JDK Multiple Vulnerabilities (20090804) - Windows - JRE 1.6.0

Last post 10-30-2009 10:23 AM by Blue1978. 15 replies.
  • 08-06-2009 6:08 PM

    Miscellaneous Sun JRE/JDK Multiple Vulnerabilities (20090804) - Windows - JRE 1.6.0

    Hi, this appeared today as a high risk item.  Can anyone tell me which version of these I should get - or how to find out which version I need?  I'm not a techie and use Vista, if that helps.

    Windows JRE/JDK 6.0: Upgrade to Update 15 or newer.

    JRE/JDK 5.0: Upgrade to Update 20 or newer.

    JRE/JDK 1.4.2: Upgrade to Update 22 or newer, or migrate to a newer version.

    JRE/JDK 1.3.1: Upgrade to Update 26 or newer, or migrate to a newer version.


    Thanks,

    Wini

  • 08-07-2009 6:13 AM In reply to

    Re: Miscellaneous Sun JRE/JDK Multiple Vulnerabilities (20090804) - Windows - JRE 1.6.0

    Winifred:
    Can anyone tell me which version of these I should get

    Yes, first of all before you do anything, go into your programs and check to make sure any older versions of Java that may be on your system are uninstalled.  After you verify this, go to the following page:  http://java.sun.com/javase/downloads/index.jsp#need

    Scroll down until you find the "Java SE Runtime Environment (JRE)" and use it.

    When you get to the actual page that has the download links (after the page where you fill in the OS you're using, etc.), I would recommend selecting the "Offline Installation" package under the Available Files section.

    Keep in mind, you don't necessarily need Java on your system unless you have programs that need it.  You could uninstall any old versions you have now (hence why you're seeing the Retina scan result) and that should clear you of it.  I only have Java on my system for one reason - to check my Hushmail account with.

    I hope this helps.
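    The version thresholds in the opening post and the "find and remove older Java versions" step in the reply above, worked through as an added Python example (this is not code from the thread, from eEye or from Sun): it parses the version strings Windows shows, either `1.6.0_14` as printed by `java -version` or `Java(TM) 6 Update 14` as listed in Programs and Features, and reports which installs fall below the update levels the advisory lists. The exact naming of the Programs and Features entries and the sample install list are constructed assumptions.

```python
import re

# Minimum update level per version family, taken from the advisory quoted in the
# opening post (20090804). Families use the form Java itself reports: 6.0 is
# "1.6.0", 5.0 is "1.5.0".
MINIMUM_UPDATE = {
    (1, 6, 0): 15,
    (1, 5, 0): 20,
    (1, 4, 2): 22,
    (1, 3, 1): 26,
}

# Dotted form: "1.6.0_14" or "1.6.0_14-b08" (java -version), also found inside
# longer product names such as "Java 2 Runtime Environment, SE v1.4.2_19".
_DOTTED = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")
# Marketing form as shown in Programs and Features (assumed naming):
# "Java(TM) 6 Update 14", "J2SE Runtime Environment 5.0 Update 19".
_MARKETING = re.compile(r"(\d+)(?:\.0)?\s+Update\s+(\d+)", re.IGNORECASE)


def parse_java_version(text):
    """Return (family, update), with family a tuple such as (1, 6, 0)."""
    m = _DOTTED.search(text)
    if m:
        family = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
        return family, int(m.group(4) or 0)   # no "_NN" suffix means update 0
    m = _MARKETING.search(text)
    if m:
        return (1, int(m.group(1)), 0), int(m.group(2))   # "6 Update 14" -> 1.6.0_14
    raise ValueError("unrecognised Java version string: %r" % text)


def check_java(text):
    """'patched', 'vulnerable', or 'unknown' when the family is not in the advisory."""
    family, update = parse_java_version(text)
    minimum = MINIMUM_UPDATE.get(family)
    if minimum is None:
        return "unknown"
    return "patched" if update >= minimum else "vulnerable"


def installs_to_remove_or_update(installed):
    """Filter a Programs and Features style list down to entries that still need action."""
    return [entry for entry in installed if check_java(entry) == "vulnerable"]


# Constructed sample of what a Vista Programs and Features list might show.
SAMPLE_INSTALLED = [
    "Java(TM) 6 Update 14",
    "Java(TM) 6 Update 15",
    "J2SE Runtime Environment 5.0 Update 19",
    "Java 2 Runtime Environment, SE v1.4.2_19",
]

if __name__ == "__main__":
    for entry in SAMPLE_INSTALLED:
        print("%-45s %s" % (entry, check_java(entry)))
    print("remove or update:", installs_to_remove_or_update(SAMPLE_INSTALLED))
```

    Every entry flagged "vulnerable" is one the Retina scan will keep reporting until it is uninstalled or replaced by the listed update; an "unknown" result means the family is not covered by this advisory at all, not that it is safe.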

  • 08-08-2009 2:32 PM In reply to

    Re: Miscellaneous Sun JRE/JDK Multiple Vulnerabilities (20090804) - Windows - JRE 1.6.0

    Thanks again,  Blue1978.  That did it! I followed your instructions, exactly.

    Wini

  • 10-05-2009 4:20 PM In reply to

    New Post: 10/5/09: Blue 1978 or Nicula - Is Blink Working on the Current Banking Trojan?

    from: http://news.cnet.com/8301-27080_3-10363836-245.html

    Banking Trojan steals money from under your nose
    by Elinor Mills

    Researchers at security firm Finjan have discovered details of a new type of banking Trojan horse that doesn't just steal your bank log-in credentials but actually steals money from your account while you are logged in and displays a fake balance.

    The bank Trojan, dubbed URLZone, has features designed to thwart fraud detection systems which are triggered by unusual transactions, Yuval Ben-Itzhak, chief technology officer at Finjan, said in an interview Tuesday. For instance, the software is programmed to calculate on-the-fly how much money to steal from an account based on how much money is available.

    It exploits a hole in Firefox, Internet Explorer 6, IE7, IE8, and Opera, and it is different from previously reported banking Trojans, said Ben-Itzhak. The Trojan runs an executable only on Windows systems, he said. The executable can come via a number of avenues, including malicious JavaScript or an Adobe PDF, he added.

    The specific Trojan Finjan researchers analyzed targeted customers of unnamed German banks, according to the latest Finjan report. It was linked back to a command-and-control server in Ukraine that was used to send instructions to the Trojan software sitting inside infected PCs. Finjan has notified German law enforcement, Ben-Itzhak said.

    "It's a next generation bank Trojan," he said. "This is part of a new trend of more sophisticated Trojans designed to evade antifraud systems."

    Finjan researchers were able to trace the communications from the code on an infected machine back to the command-and-control server, which was left unsecured, according to Ben-Itzhak. On that server, they saw the LuckySploit administration console and were able to see exactly what types of rules the Trojan was written to follow and statistics on victims.

    About 90,000 computers visited the sites housing the malware and 6,400 of them were infected, a 7.5 percent success rate, he said. Of those whose computers installed the Trojan, a few hundred had money stolen from their bank accounts, he said.

    During the span of 22 days in mid-August, the criminals behind the Trojan stole the euro equivalent of nearly $438,000.

    The Trojan code includes detailed instructions on how the Trojan should calculate the amount to steal from a victim's bank account.
    (Credit: Finjan)

    Here's how the Trojan works:

    Potential victims get their computers infected either by opening an e-mail and clicking on a link to a Web site created to distribute malware or by visiting a site that has been compromised and malware hidden on it.

    In this case the malware, a toolkit called LuckySploit, exploits a known security hole in the browser, and installs the Trojan on the computer. When the Trojan notices the computer user visiting the site of a targeted bank it springs into action.

    While the computer user goes about his or her business on the site, the Trojan looks at the available balance and figures out how much money to steal. The Trojan is given a minimum and a maximum range that is below the amount that triggers antifraud systems and to leave a certain percentage in the account, Ben-Itzhak said.

    After performing the calculation, the Trojan then makes the transaction, communicating with the bank site through the browser without the computer user knowing.

    "The Trojan is sending requests to the bank and getting replies that your browser doesn't display," Ben-Itzhak said. "You are looking at your account and you don't see any of it."

    A Finjan blog post describes it like this:

        URLZone is a Trojan Kit that allows the attacker with the use of the 'URLZone Builder' to create a configuration file. This file contains precise orders to the bot, enabling the attacker to target any bank he wants...The URLZone successfully managed to bypass the German banks' protection using 'One Time Password.' This is a technique used to enable the user to get a new password every time he logs into his account. Its goal is to make the theft of usernames and passwords worthless. In order to be successful, the malware must execute itself on the browser to change the parameters and fool the user to approve a fraudulent money transaction from his account...So far the malware behavior is similar to many other Trojans. However, URLZone uses the delivered configuration file to manipulate the user.

    The Trojan has the money sent to the bank account of a money mule, someone who has an account set up to receive the funds. Money mules are typically people recruited online as "independent contractors" or "financial managers" whose sole purpose is to wire the money placed into their account to someone else, typically out of the country, in exchange for a commission. Because their accounts are used only once or twice, they often do not realize the ruse immediately, Ben-Itzhak said.

    Meanwhile, the Trojan hides the theft by erasing it from the report of account activity displayed to the computer user and shows a fake balance--what the amount would be if not for the theft. The victim will not notice something is wrong until a different, uncompromised computer is used to access the account, an ATM is used, or a transaction is denied because of insufficient funds.

    The Trojan also keeps a log of the victim's bank account log-in credentials, takes screenshots, and snoops on the user's other Web accounts, such as PayPal, Facebook, and Gmail, according to the Finjan report.

    This is the first Trojan Finjan has come across that hijacks a victim's browser session, steals the money while the victim is doing online banking, and then covers its tracks by modifying information displayed to the victim, all in real time, Ben-Itzhak said.

    People should keep their antivirus, operating system, browser and other software up to date to protect against this type of attack, he said.

    Updated 5:30 a.m. PDT to specify that the Trojan targets Firefox, Internet Explorer 6, IE7, IE8, and Opera, that it is different from previous Trojans, and that it affects Windows only. Also, more technical details were added, as well as links to the report and blog post from Finjan.

  • 10-06-2009 10:36 AM In reply to

    Re: New Post: 10/5/09: Blue 1978 or Nicula - Is Blink Working on the Current Banking Trojan?

    From the way the researcher explains the Trojan is being delivered, Blink should be able to protect.

    If the attacker is using shellcode embedded in PDF files targeting a vulnerability, then Blink will probably detect it.

    The vulnerabilities that are being targeted in Firefox and IE are probably already covered also.

    As far as Norman is concerned, I am not sure whether or not there is a signature for the trojan or not.

  • 10-06-2009 10:48 AM In reply to

    Re: New Post: 10/5/09: Blue 1978 or Nicula - Is Blink Working on the Current Banking Trojan?

    Thanks, Blue1978.  So, if I understand you, Blink should be able to protect us - but Blink is not acting on this particular trojan - is that correct?

  • 10-06-2009 5:03 PM In reply to

    Re: New Post: 10/5/09: Blue 1978 or Nicula - Is Blink Working on the Current Banking Trojan?

     What do you mean Blink is not "acting" on this particular trojan?

  • 10-08-2009 6:09 PM In reply to

    Re: New Post: 10/5/09: Blue 1978 or Nicula - Is Blink Working on the Current Banking Trojan?

    Your answer didn't particularly address whether or not Blink is protecting us from this trojan.  You said it 'should.'

  • 10-09-2009 1:23 PM In reply to

    Re: New Post: 10/5/09: Blue 1978 or Nicula - Is Blink Working on the Current Banking Trojan?

    Blink is protecting from the vulnerabilities that are being targeted and used to install the Trojan.  I do not know if the AV portion of Blink is detecting it, eEye would have to comment on that aspect since they have contact with Norman and I do not.

  • 10-12-2009 11:46 AM In reply to

    • bpatten
    • Top 10 Contributor
    • Joined on 09-24-2007
    • Irvine, CA
    • Posts 155

    Re: New Post: 10/5/09: Blue 1978 or Nicula - Is Blink Working on the Current Banking Trojan?

    Winifred,

    As Blue indicated, without having a copy of the described Trojan it would be hard for any AV vendor to tell you if you're protected from it with some type of AV signature.

    As Blue alluded, Blink is generic host-based protection. Although we have AV (like everyone else), Blink has many different features that can protect you generically, whether at the file level (AV features like Sandbox Scanning) or at the OS level (System Protection) or network side (IPS).

    From the article description:
    ---
    "Here's how the Trojan works:
    Potential victims get their computers infected either by opening an e-mail and clicking on a link to a Web site created to distribute malware or by visiting a site that has been compromised and malware hidden on it.
    In this case the malware, a toolkit called LuckySploit, exploits a known security hole in the browser, and installs the Trojan on the computer. When the Trojan notices the computer user visiting the site of a targeted bank it springs into action."
    ---

    It seems like Blink's IPS or System Protection would likely kick in and stop this behavior. Another safeguard in this scenario is to make sure you have the latest versions of client-side browsing software (Firefox, IE, Adobe, Java, etc.).

    I hope that answers your question.

  • 10-18-2009 6:58 PM In reply to

    Re: New Post: 10/5/09: Blue 1978 or Nicula - Is Blink Working on the Current Banking Trojan?

    Thanks, bpatten for all that.  Way above my understanding level - but I feel comforted, anyway.  Is there any way that I may ascertain if my system is infected with the banking trojan?


    (OFF TOPIC:  But I have never been able to discover on this forum 'How To Start A New Post' and therefore - always start a new topic in the Subject Line of a prior post. . . .anyway - here's a NEW POST:)


    Can anyone actually walk me thru EXACTLY how to change my registry to follow Blink's instructions re killbit of Microsoft KB240797?  I've already backed up my registry following MS's instructions - but I just can't figure out how to actually do the registry killbit.  Thanks, y'all!
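    The kill-bit registry change asked about above, as an added Python example that is not part of any post in this thread and not eEye's or Microsoft's code. Microsoft KB240797 documents the mechanism: a `Compatibility Flags` DWORD with bit 0x400 set under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}` stops Internet Explorer from loading that control. The block writes a `.reg` file for one or more CLSIDs and reads it back to confirm the bit is set before anything is imported. The CLSID of the control named in Blink's advisory is not on this page, so the all-zero CLSID below is a placeholder to replace.

```python
import re

# Kill bit value documented in Microsoft KB240797: with bit 0x400 set in
# "Compatibility Flags", Internet Explorer refuses to instantiate the control.
KILL_BIT = 0x00000400
ACTIVEX_COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                      r"\ActiveX Compatibility")

# Placeholder only: the CLSID from Blink's advisory is not on this page.
PLACEHOLDER_CLSID = "{00000000-0000-0000-0000-000000000000}"

_CLSID = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$")


def normalise_clsid(clsid):
    """Upper-case the CLSID, add braces if missing, and reject anything malformed
    so a typo cannot silently create a key that protects nothing."""
    c = clsid.strip().upper()
    if not c.startswith("{"):
        c = "{" + c + "}"
    if not _CLSID.match(c):
        raise ValueError("not a CLSID: %r" % clsid)
    return c


def killbit_reg(clsids):
    """Build the text of a .reg file that sets the kill bit for each CLSID."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines.append("[%s\\%s]" % (ACTIVEX_COMPAT_KEY, normalise_clsid(clsid)))
        lines.append('"Compatibility Flags"=dword:%08x' % KILL_BIT)
        lines.append("")
    return "\r\n".join(lines)   # regedit expects CRLF line endings


def parse_killbits(reg_text):
    """Read a .reg file back and list the CLSIDs whose kill bit is set,
    a sanity check to run before importing the file."""
    killed = []
    current = None
    prefix = ACTIVEX_COMPAT_KEY.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key[len(prefix):] if key.lower().startswith(prefix) else None
        elif current and line.lower().startswith('"compatibility flags"=dword:'):
            value = int(line.split(":", 1)[1], 16)
            if value & KILL_BIT:
                killed.append(current)
    return killed


if __name__ == "__main__":
    text = killbit_reg([PLACEHOLDER_CLSID])
    print(text)
    print("kill bit set for:", parse_killbits(text))
```

    Save the printed text as a `.reg` file and double-click it (or run `regedit /s file.reg`) from an administrator account; with the registry already backed up, the change can be reverted by deleting the CLSID key. On 64-bit Windows the 32-bit Internet Explorer reads the same `ActiveX Compatibility` key under `SOFTWARE\Wow6432Node`, so the key is needed in both places there.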

  • 10-19-2009 9:39 AM In reply to

    • bpatten
    • Top 10 Contributor
    • Joined on 09-24-2007
    • Irvine, CA
    • Posts 155

    Re: New Post: 10/5/09: Blue 1978 or Nicula - Is Blink Working on the Current Banking Trojan?

    Hi Winifred,

    If your machine is already infected with it, you may see odd behavior or a Blink AV signature may pick it up. Without having a copy of the trojan it's hard to say if we have a signature. You can use a variety of MS tools (Sysinternals) to see more detail about what is running on your system, which may or may not help answer your question.

    As for new posts, please visit: http://forums.eeye.com/forums/ then click on the appropriate category and once in that forum category, click on the button that says "Write a New Post".

    Hope that helps.

  • 10-19-2009 7:58 PM In reply to

    Re: New Post: 10/5/09: Blue 1978 or Nicula - Is Blink Working on the Current Banking Trojan?

    Thanks again, bpatten.  I'll look into Sysinternals.  I don't think I have the trojan - but I do a lot of online banking and was really concerned when I read that report.  Too, with your help, I actually found where to post new posts (go figure!).  Bet it was there all the time.  Ha ha ha!

  • 10-22-2009 7:12 PM In reply to

    One Variant of the Banker Trojan

    Well I did some looking around and found some links (that were known to be hosting this trojan) and I downloaded one variant of it and scanned it.  Norman did not have an actual signature for it, but when it was run by Blink in the Sandbox, it was detected as malicious.  Please see below the alert that was shown:

    Event ID: BLINK-MAL-205
    Severity: High
    Description: Blink has found a malware application
    Alert: Yes
    Name: W32/Zbot.DBB
    Found Item: I:\load.exe
    MD5 Checksum: 91584D6E56EEC7524180AEA02A7DF0F0
    Category: Malware
    Detected by: Sandbox
    Behavior: * File length: 96256 bytes.
    Quarantine File: 01CA53D4-5C414FB0-0-W32/Zbot.DBB.QRN
    Action: Quarantined
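    The alert Blue1978 posted above, parsed by an added Python example that is not part of the thread and not Blink's own code: it turns the "Key: value" lines into a record, pulls out the fields worth sweeping other machines for (family name, path, MD5, file length), records that the catch came from the Sandbox rather than a Norman signature, and can compare another file's bytes against that MD5 and size. The alert text is copied from the post as sample input; the probe bytes in the usage and test are constructed.

```python
import hashlib
import re

# The alert from the post above, embedded so the block runs offline.
SAMPLE_ALERT = """\
Event ID:  BLINK-MAL-205
 Severity:  High
 Description:  Blink has found a malware application
 Alert: Yes
 Name: W32/Zbot.DBB
 Found Item: I:\\load.exe
 MD5 Checksum: 91584D6E56EEC7524180AEA02A7DF0F0
 Category: Malware
 Detected by: Sandbox
 Behavior: * File length: 96256 bytes.
 Quarantine File: 01CA53D4-5C414FB0-0-W32/Zbot.DBB.QRN
 Action: Quarantined
"""

_FILE_LENGTH = re.compile(r"File length:\s*(\d+)\s*bytes", re.IGNORECASE)
_MD5 = re.compile(r"^[0-9a-f]{32}$")


def parse_blink_alert(text):
    """Split 'Key: value' lines into a dict. Only the first colon separates key
    from value, so a drive path such as I:\\load.exe survives intact."""
    record = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        record[key.strip()] = value.strip()
    return record


def to_ioc(record):
    """Reduce the alert to the fields a defender would sweep other hosts for."""
    md5 = record.get("MD5 Checksum", "").lower()
    if not _MD5.match(md5):
        raise ValueError("alert carries no valid MD5: %r" % md5)
    m = _FILE_LENGTH.search(record.get("Behavior", ""))
    return {
        "family": record.get("Name"),
        "path": record.get("Found Item"),
        "md5": md5,
        "size": int(m.group(1)) if m else None,
        # Sandbox means a behavioural verdict, not a Norman signature match.
        "behavioral": record.get("Detected by", "").lower() == "sandbox",
        "contained": record.get("Action", "").lower() == "quarantined",
    }


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def file_matches(ioc, data):
    """True when a file's bytes have the same length and MD5 as the quarantined sample."""
    if ioc["size"] is not None and len(data) != ioc["size"]:
        return False          # cheap size check first; skips hashing most files
    return md5_hex(data) == ioc["md5"]


if __name__ == "__main__":
    ioc = to_ioc(parse_blink_alert(SAMPLE_ALERT))
    print(ioc)
    print("constructed probe matches:", file_matches(ioc, b"constructed probe bytes"))
```

    The two flags at the end of the record are the point of the post: `behavioral` is True because the Sandbox caught the file without a signature, and `contained` confirms the action was quarantine rather than alert-only.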

  • 10-30-2009 1:11 AM In reply to

    Re: New Post: 10/5/09: Blue 1978 or Nicula - Is Blink Working on the Current Banking Trojan?

    Oh lucky! Could you give me that report which you read?

    -----------------

    Ngan hang a chau

© 1995 - 2009 eEye Incorporated