Cybercrooks have put on sale a new professional-grade Trojan toolkit called KINS that will pose plenty of problems for banks and their customers in the months and years ahead. KINS promises the ease of use of bank-account-raiding software nasty ZeuS combined with the technical support offered by the team behind Citadel (which …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Thursday 25th July 2013 13:12 GMT Paul Crawford

Secure boot, any help?

"easily infect machines running Windows 8 and x64 operating systems, and features technology to embed itself in computers so that it's activated almost as soon as the machines are powered on."

That is worrying, as anything that good/stealthy is best killed by booting the machine off a live CD to scan and nuke it. Of course, with secure boot enabled that could be a problem, though we were led to believe it would stop this sort of root-kit ability to pre-empt AV tools.

Anyone had experience of using the Bitlocker or Kaspersky rescue CDs with a Win8 machine? Did you need to disable secure boot, and was that easy enough to do?

3 0
Thursday 25th July 2013 13:18 GMT Craigie

details please

This is not the daily mail:

" and features technology to embed itself in computers so that it's activated almost as soon as the machines are powered on."

Please elaborate on 'technology'.

21 1
1. Thursday 25th July 2013 13:30 GMT nevstah
  
  Re: details please
  
  and..
  
  "so that it's activated almost as soon as the machines are powered on..."
  
  so it activates before it receives any power!? thats impressive!!
  
  "KINS is specifically designed not to infect systems in Russia and the Ukraine by avoiding computers with Russian language keyboard settings..."
  
  i'll just add a russian laguage keyboard... disaster averted!!
  
  3 0
2. Thursday 25th July 2013 13:31 GMT fixit_f
  
  Re: details please
  
  +1 on this. If I wanted to read vague, wooly journalism on IT stories I'd go to the mainstream media, not a specific tech publication.
  
  7 0
3. Thursday 25th July 2013 15:04 GMT Daniel B.
  
  Re: details please
  
  Is it a boot sector virus?
  
  Does it add itself as a service?
  
  I don't quite blame El Reg for not giving details, it might be that the press release doesn't give us the juicy bits yet.
  
  2 0
  1. Thursday 25th July 2013 16:50 GMT Anonymous Coward
    
    Re: details please
    
    @Daniel B. - >"I don't quite blame El Reg for not giving details, it might be that the press release doesn't give us the juicy bits yet."
    
    Read the security blog post that's linked in the article. They don't have much more info yet - no one has seen the malware, just a description of it by its creator/seller.
    
    0 0
4. Friday 26th July 2013 09:46 GMT diodesign
  
  Re: details please
  
  "Please elaborate on 'technology'."
  
  I was sorta hoping anyone really interested would read the chap's blog post we linked to. No matter, I've tweaked the article anyway. It's drilling down into the VBR with a bootkit.
  
  C.
  
  0 0
Thursday 25th July 2013 13:35 GMT Studley

Scope

"easily infect machines running Windows 8..."

Oh, that's a relief. For a minute there I thought we had a problem.

16 2
Thursday 25th July 2013 13:58 GMT tony2heads

using RDP

How about just blocking port 3389 unless YOU decide you need RDP. Wouldn't that help?

0 0
1. Thursday 25th July 2013 14:12 GMT Paul Crawford
  
  Re: using RDP
  
  I would have though most machines are now behind NAT and won't have port-forwarding for this. Unless, of course, there are a lot of routers with UPnP enabled that allow the malware to turn it on...
  
  0 0
  1. Thursday 25th July 2013 14:45 GMT Colin Millar
    
    Re: using RDP
    
    I remember Steve Gibson warning about uPNP (circa 2000) and the massive hole it left in any security measures you might take - I think he used to refer to it as Universal Plug n Pray - I think the FBI were also vehemently against it for a while - until MS "got with the program" I suppose.
    
    That the RDP service is on by default in Windows is ludicrous. How many people who don't know how to enable a service are going to use RDP? And if they don't know enough to enable a service they definitely shouldn't be playing with RDP.
    
    As for domestic routers - most of the manufacturers have only just stopped using a single username and password (usually "admin" and "password") for router management. Given that your router is the first line of defence this is a sorely neglected security tool.
    
    1 2
2. Thursday 25th July 2013 14:28 GMT jonathanb
  
  Re: using RDP
  
  Pretty much every router I've seen blocks port 3389, along with every other port, unless you specifically open it, so no, I don't think that will work.
  
  0 0
  1. Thursday 25th July 2013 16:23 GMT Robert Helpmann??
    
    Re: using RDP
    
    If RDP were the only vector for this to spread or communicate, then it would not be a problem. More likely, it is just one way out of several, so this could be a real problem once it has gotten into a corporate network. Using an alternative to RDP or changing the default port it uses might have more effect.
    
    1 0
Thursday 25th July 2013 13:59 GMT adnim

Raid millions of bank accounts....

Become a banker!

10 0
Thursday 25th July 2013 14:01 GMT Anonymous Coward

My bank just forced me to start using a hand held token generator to access my account, pay bills, make transfers etc. Bloody inconvenient and it times out as you are entering the codes all the time.

Is it me, or should I expect criminals to have a harder time than me to access my money. :P

0 2
1. Thursday 25th July 2013 14:24 GMT Anonymous Coward
  
  And why do you think you have afformentioned device? /headhitsdesk
  
  7 0
2. Thursday 25th July 2013 14:39 GMT Amorous Cowherder
  
  Surely if you're in IT you must be using RSA tokens for company access? No different. I hope your company has the half-decent bit of common sense to implement them or I'd start looking for a new job/contract if they don't!
  
  0 0
  1. Thursday 25th July 2013 16:26 GMT DaLo
    
    RSA Tokens
    
    Personally after RSA got hacked: http://www.theregister.co.uk/2011/03/18/rsa_breach_leaks_securid_data/ and their appalling handling of the aftermath, I wouldn't go near them or trust them ever again.
    
    1 0
3. Thursday 25th July 2013 15:06 GMT Don Jefe
  
  I'm afraid this is mostly you :)
  
  The banks themselves are, generally, fairly secure, it's the users that cause the problems. If anything you should applaud your bank for implementing more security on the user end instead of just eating the loses and making them up with more fees for everyone.
  
  If there's a definable user problem with your widget you should put together a simple analysis of the issue and let the bank and the manufacturer know. I can tell you from experience that usable customer feedback is priceless. Most users just scream BROKEN SUX U GUYZ BLOW and that's really, really difficult to work with.
  
  2 0
4. Thursday 25th July 2013 15:09 GMT Daniel B.
  
  Welcome to the 21st Century!
  
  My bank just forced me to start using a hand held token generator to access my account, pay bills, make transfers etc.
  
  Yay! Welcome to the club, we've been toting keyfob tokens for e-banking since 2007, by law!!! Depending on the system used by said generator, it'll be secure enough to hamper phishing attempts. Only one bank uses SecurID, but the others use one that does seem to have the generated numbers time-fixed so that the code is only valid for a short time.
  
  I do wonder why banks in other countries haven't done this already?
  
  1 0
5. Friday 26th July 2013 02:50 GMT JaitcH
  
  The HSBC code generator is hacked
  
  @AC: My bank just forced me to start using a hand held token generator to access my account
  
  HSBC, who think they are hot sh*t when it comes to security despite their web sites being hacked, only allows a single 'SecureKey' per retail customer account although they allow commercial accounts to have two.
  
  As I have accounts in several countries it means I have an equally impressive array of secure keys - all hanging on the wall next to my work station. Fortunately, someone cracked the secure key and now I can access my bank accounts from my Samsung Note which has a code generating program in it.
  
  BTW, SecureKeys, and similar, have a battery mounted under the bottom L/H of the keyboard. THEY CATCH FIRE, have a picture, so be careful where you keep them.
  
  1 0
Thursday 25th July 2013 15:52 GMT Anonymous Coward

The only good hacker...

...is a very dead hacker.

0 1
1. Thursday 25th July 2013 16:54 GMT Anonymous Coward
  
  Re: The only good hacker...
  
  @AC 15:52 - >"The only good hacker... ...is a very dead hacker."
  
  Wrong website pal. I think you were looking for TMZ.com.
  
  0 0
Thursday 25th July 2013 16:56 GMT Robinson

So...

Do the anti-virus companies have technology to catch this, then? I mean when I power up my PC this evening, how do I know whether or not it's there?

I'm using Microsoft Security Essentials (or Windows Defender as it's known on Windows 8).

At work we have McCrapFee.

0 0
Thursday 25th July 2013 17:38 GMT Anonymous Coward

Simple fix.

"KINS is specifically designed not to infect systems in Russia and the Ukraine by avoiding computers with Russian language keyboard settings"

Install Russian as an additional language on your system and voilà!!

0 0
Friday 26th July 2013 18:44 GMT Anonymous Coward

Windows only ..

"KINS is designed to spread using popular exploit packs such as Neutrino. KINS is capable of easily infecting machines running Windows 8 and other x64 operating systems."

What other x64 operating systems does it run on?

What is the attack vector to get onto the system in the first place?

0 0