BKA strikes a blow against botnet operators

G DATA provides free tool for purging Dropperbot


Author: Sabrina Berkenkopf

The Federal Criminal Police Office (Bundeskriminalamt; BKA) has made a successful strike against cyber criminals by halting the distribution of Dropperbot. The main task of the malware, which, according to initial reports, has infected 11,000 computers across the world, was to steal data from infected computers – until it was discovered. Around half of the infections have been detected in Germany. Now that the perpetrators have been arrested, it is a matter of cleaning up the PCs. G DATA is providing all computer users with a free tool to detect and remove Dropperbot that works independently of the installed AV software.

Money is what matters, and visitors are money

Or: Why online casino advertising appears on legitimate websites


Author: Sabrina Berkenkopf

Gambling has always been a somewhat shady area – online and offline. In the digital world, the proportion of legal gambling sites is vanishingly small [1], in Germany at least, compared to the almost countless number of providers. Every provider is on the lookout for customers and so has to have a presence, on search engines for example. Experts at G DATA explain three of the methods currently used to raise awareness of such sites; all three involve manipulating websites, and website visitors might come across them while surfing.

COM Object hijacking: the discreet way of persistence

An Analysis of a new persistence mechanism in the wild


Author: Paul Rascagneres

G DATA SecurityLabs experts discovered a new Remote Administration Tool, which we dubbed COMpfun. This RAT supports 32-bit and 64-bit Windows versions, up to the Windows 8 operating system. The features are rather common for today’s espionage tools: file management (download and upload), screenshot taking, keylogger functionality, code execution and more. It uses HTTPS and asymmetric encryption (RSA) to communicate with the command and control server. The big novelty is the persistence mechanism: the malware hijacks a legitimate COM object in order to be injected into the processes of the compromised system. Remarkably, this hijacking does not require administrator rights. With this RAT, attackers could spy on an infected system for quite a long time, as this detection evasion and persistence mechanism is indeed pretty advanced!

Author: Ralf Benzmüller

G DATA’s Malware Report H2 2013 includes the most important statistics and information regarding new malware types, websites’ threat potential as well as botnet and banking Trojan activities. Check out the essential facts.

Spam campaign still spreading: banking Trojan Bebloh circulated as email attachment

Attackers use fake invoices and similar documents from more and more major companies


Author: SB

Another banking Trojan is now being distributed as part of the currently observed spam campaign: Bebloh. This is known for being sent as an email attachment – precisely as it is in the latest instance. It is possible that copycats have jumped onto the first scam, as experts at G DATA SecurityLabs are currently observing two very similar lines of attack running in parallel.

Author: SB, TS, RM

The attackers are sending out highly professional looking emails in the name of several large telecommunications providers and German banks: the reputation of Deutsche Telekom and Vodafone as well as that of Volksbank/Fiducia and Sparkasse is currently being misused for these waves of spam. The attackers want to plunder the bank accounts of unsuspecting customers using the Swatbanker banking Trojan.