Crooks charge premium for filter-evading Trojan Cybercrooks have released a custom-built Trojan, dubbed Limbo 2, "guaranteed" by its shady creators to continually evade the top ten anti-virus products on the market. The Limbo 2 Trojan is touted as being able to bypass products from Symantec, McAfee, AVG and others to steal login credentials from online banking sessions. …
"Whoever designed this Trojan is making a lot of money, probably thousands of pounds every day,"
So the authorities have extra incentives to track them down, and not only bang them up for a few years but also claim a fortune in fines - i.e. what they've earnt, seeing as it's probably easy to find out how many clients they have :)
Might we not be missing a trick here in this vaguely FUDy report. I seriously suspect that, for example, villains have NOT recently been hard hit [in the place it matters – their pockets] by recent and substantial improvements in AV technology, squeezing them almost to the point extinction.
Instead, the numbers-game still functions, with more than enough weakly and unprotected systems inhabiting the woowoowoo.
So then, what is the inherent use of this premium piece of coding? Perhaps for those more high value targets in their better protected [hopefully] environs. But that also successfully happens now. And for years where the [no attempt to stigmatise anyone here] Enlightened Cleaning Staff, for example, are allowed free reign.
For my part, were I so criminally inclined, I would actually be staying away from this – given the publicity the sown FUD will almost certainly generate in the media. No, for me I’d stick with the neat stuff you just know will continue have a 30-60 percent success rate in infections across those soft targets and stay a little bit under the radar.
Bottom line – They still have to deliver said code, then it will only matter if you are a soft target: doomed! – but then you already are, n’est pas? Or you are a harder target and the threat is once more mitigated.
A TGIF for you…
http://www.youtube.com/watch?v=CS9ptA3Ya9E
Was there any mention of SLAs, btw? :-|
Coat just as pub o'clock approaches.
Oldest trick in the book. Who are the crooks going to complain to if the trojan doesn't work as advertised ?
At least the potential crooks will knwo what it's like to be ripped off.
Obviously if the trojan really worked then why don't the writers use it and get far more than a few thousand a day ?
Caveat empiesomethingamejig
Not even Paris is that stupid to fall for this one
These malware authors represent a clear and present danger to the security of the .... OK, you know where I'm going with this.
Let's put all those out of work ex-Cold War spooks to work in tracking down and ... um ... "disincentivising" ... these criminals .... with extreme prejudice. You'd only have to hit a few for the word to get around. Or, as an aquaintance of mine recently put it, never underestimate the persuasive powers of a small bundle of Semtex.
In the meantime, users could be encouraged to use a LiveCD for their critical browsing activities, such as banking*. Or, if capable, tech-savvy users could use a virtual machine to do their web browsing - reset to original image each time, and all changes, including any malware, are blown away - I recommend building such a VM without extensions that could weaken the isolation of the system - that's the way I do things now.
Both methods provide a clean and secure session each time.
* Previously, on The Register: I've suggested that major institutions, with government leadership and sponsorship, get together and produce a LiveCD that includes bookmarks and instructions for all major online "critical" institutions (in each country) - it could even include raw IP addresses to circumvent any DNS weaknesses.
Oh and, John, thanks for writing an article that's not along your usual lines of, "the end is nigh, we're all doomed, doomed I say". :)
I should have patented this idea when I thought of it about 10 years ago. It's not really a surprise it is now being used, what is a surprise is that it has taken this long to appear! It should have been obvious to anybody that if you can continuiously vary a trojen or virus, that you would evade the anti-virus software.
All it takes is to vary an unused part of the payload (size and content), and hide/encrypt the active payload, together with some self-modifying code to piece it all together once it is in a system. I admit that there would probably be a small 'bootstrap' to assemble the code and start it, but you could probably make this small fragments of code overlaid on random junk linked together with relative jumps, and if you were careful, you could have several variations. This should be enough to fool the antivirus systems that rely on signatures.
The developers must have been waiting for the right conditions for their business model.
Why are AV programs so crap? Why are they based on a blacklist of evil programs when they could instead base their operation on a whitelist of permitted programs? Is that so hard to arrange,as that is how the decent personal firewall programs operate? Are there any AV programs that are based on a whitelist? Am I wrong or misunderstanding things here?If anybody can enlighten me I would be grateful.
Several problems spring to mind immediately:
1) Who decides what goes onto the whitelist?
2) How does the whitelist get updated when patches are released?
3) How much bandwidth are you willing to throw at downloading new signatures for "allowed" binaries?
4) This doesn't help when it's an allowed binary that's got the problem (e.g. if javascript can send your username/password to a website without coming out of IE to do it).
There's a similar style solution that IS in use, that of signed binaries. Something like the iPhone has this already (although with the ability to get anything signed for $100, it's not much in the way of security), and I've seen people doing projects at university to add this to Linux (a long time ago).
You still have the problem of getting everything you need signed, signed. There are so many applications out there that this is a major task.
Why not let the USER decide what goes on the whitelist - something like how firewalls work, along with current antivirus programs too. "Passwordstealer.exe has just tried to run on your computer. Would you like to allow it? This is what we know about it..."
I'd MUCH rather have something like that were it possible - though admittedly, I'm not much of a computer expert so I don't know if it is possible.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
