Pandemic of the botnets 2012 ...
Etrade DDoS attack ...
January 5, 2012 - "... online broker ETrade, has been the target of a sustained malicious offshore generated cyber attack. The denial-of-service attack resulted in thousands of emails flooding the broking site, prompting a cessation of services from Christmas Eve to the New Year period. According to a Fairfax report*, offshore Etrade clients were the worst affected with some countries unable to access accounts for almost two weeks. An ETrade spokesperson confirmed that while overseas clients were more profoundly affected, Australian clients had intermittent access to their accounts... The Sydney Morning Herald reported** that St George customers were also affected by the attack as its online trading service is supplied by Etrade."
January 5, 2012
January 6, 2012
Jan 5, 2012 - "... While a denial-of-service attack prevents customers and the business from trading, it can also mask other illegal activities. Observers say businesses that have denial-of-service attacks not only lose the value of the business they would have conducted but also goodwill and reputation with the customer base..."
Global Denial of Service
Summary Report - (Past 24 hours)
Carberp on Facebook
January 18, 2012 - "... Carberp, like its predecessors ZeuS and SpyEye, infects machines by tricking punters into opening PDFs and Excel documents loaded with malicious code, or attacks computers in drive-by downloads. The hidden malware is designed to steal account information, and harvest credentials for email and social-networking sites. A new configuration of the Carberp Trojan targets Facebook users to ultimately steal e-cash vouchers. Previous malware attacks on Facebook have been designed purely to slurp login info, so this latest skirmish, spotted by transaction security firm Trusteer*, can be considered something of an escalation. The Carberp variant replaces any Facebook page the user navigates to with a -fake- page notifying the victim that their Facebook account is temporarily locked. Effectively holding Facebook users hostage, the page asks the mark for their first name, last name, email, date of birth, password and a Ukash 20 euro ($25) voucher number to verify their identity and unlock the account... Trusteer warns the cash voucher attack is in some ways worse than credit card fraud, because with e-cash it is the account-holder, -not- the financial institution, who assumes the liability for fraudulent transactions..."
Bot blackmails Facebook users
19 January 2012 >> http://www.h-online.com/security/news/item/Bot-blackmails-Facebook-users-1417073.html?view=zoom;zoom=1
Some Botnet Stats
Lies, Damn Lies, and Botnet Size
Koobface goes silent...
18 January 2012 - "... a pair of researchers on Tuesday published the names, aliases and photographs of a gang they accused of running a criminal enterprise known as Koobface that had primarily targeted Facebook after it cropped up in 2008. German security researchers Jan Droemer and Dirk Kollberg said that servers that ran the Koobface operation stopped responding on Tuesday morning after they released an in-depth report via Kollberg's employer, the UK anti-virus software maker Sophos*... the Koobface gang had continued to target other social networks as a long-running FBI probe failed to result in arrests in Russia... None of the five alleged members of the hacking group could immediately be traced to the reported office addresses or phone numbers in St Petersburg, Russia... The two German researchers said they suspected that the hackers had been working out of a third location in St. Petersburg..."
January 17, 2012
January 16, 2012 - "... These groups tend to operate in countries where they can work unmolested by the local authorities, and where cooperation with United States and European law enforcement agencies is poor... Russia, in particular, has a reputation as a hacker haven, although it has pursued several prominent cases against spammers recently..."
Kelihos botnet -aka- Waledac
23 Jan 2012 - "... Although the Kelihos botnet remains inactive since the successful takedown in September, thousands of computers are still infected with its malware. Please visit: http://www.support.microsoft.com/botnets for free information and tools to clean your computer from malicious software..."
January 24, 2012
Carberp targets French broadband users...
January 25, 2012 - "... recently discovered a configuration of Carberp that targets Free, a French broadband Internet service provider (ISP). The attack is designed to steal debit card and bank information using a Man in the Browser (MitB) attack. Free offers an ADSL service, called Freebox, to its customers. When subscribers visit their online account page Carberp launches an HTML Injection attack after the user has logged-in. The victim is presented with a page that claims Free is having a problem processing their monthly subscription payments with the financial institution, and requests that the user update their payment account details... The malware then asks the user to submit their payment card number, expiration date, security code (CVV2), bank name, bank address, zip code and city. The victim is told that this information must be updated in order to make monthly payments and maintain their service... This latest Carberp attack is another example of fraudsters moving downstream from online banking applications to web sites that process debit and credit card payments. By launching MitB attacks that target customers of third party service providers, rather than the banks themselves, fraudsters can prey on the trust established between the victim and a non-financial entity like an ISP..."
18 January 2012
Jan 26, 2012 - "... According to our data Carberp’s main activity is confined to the region of Russia and the former Soviet republics, and this activity centered on fraud targeting the major Russian banks and stealing money from RBS (Remote Banking Service) systems... The Russian Federation is the country where the largest number of installations of Carberp has been seen*... Another interesting fact concerns a new DDoS plugin (Win32/Mishigy.AB) for Carberp. This DDoS plugin was developed in Delphi 7 and based on the network components from the Synapse TCP/IP library. Synapse components are very popular among cybercriminals for the creation of DDoS bots... Carberp is one of the biggest botnets in Russian Federation and total number of active bots is estimated to number millions of infected hosts..."
Drive-by downloads and Blackhole
26 Jan 2012 - "... The most popular drive-by malware we’ve seen recently is called Blackhole. It’s marketed and sold to cybercriminals in a typical professional crimeware kit that provides web administration capabilities. But it offers sophisticated techniques to generate malicious code. And it’s very aggressive in its use of server-side polymorphism and heavily obfuscated scripts to evade antivirus detection. The end result is that Blackhole is particularly insidious... Blackhole mainly spreads malware through compromised websites that redirect to an exploit site, although we’ve also seen cybercriminals use -spam- to redirect users to these sites. This year we’ve seen numerous waves of attacks against thousands of legitimate sites. We’ve also noticed cybercriminals abusing a number of free hosting sites to set up new sites specifically to host Blackhole. Just like the Blackhole kit itself, the code injected into the legitimate sites is heavily obfuscated and polymorphic, making it harder to detect. The typical payloads we see from Blackhole exploit sites include:
• Bot-type malware such as Zbot (aka Zeus)
• Rootkit droppers (for example TDL and ZeroAccess)
Spearphishing attacks - gov't related targets worldwide
Malware backdoors government-targeted kit 'using Adobe 0-days'
1 Feb 2012 - "... spearphishing attempts, which have been levied against several government-related organisations worldwide, try to use alleged unfixed security flaws in Adobe software to implant a Trojan on compromised machines - ultimately opening a backdoor for hackers to take over systems. Once loaded, the malware also cunningly attempts to escape detection by posing as a benign Windows Update utility..."
Jan 31, 2012 - "... Seculert and Zscaler identified similar command and control (C&C) beacon patterns... matching the domain registration info of some of the C&C observed (for example, siseau .com, vssigma .com, etc.), we linked the new "MSUpdater" Trojan to previous attacks, probably conducted by the same group... The targeted attacks... share a few similar technical parameters (thus, regarded as created by the same group of attackers) arrive in emails with a malicious PDF attachment..."
Jan 31, 2012 - "... we analyzed the incidents that we observed and those published in the open-source to identify attack patterns and incidents from early 2009 to present... The threat arrives in phishing emails with a PDF attachment, possibly related to conferences for the particular targeted industry. The PDF exploits a vulnerability within Adobe (for example, a 0-day exploit was used against CVE-2010-2883) which then drops a series of files to begin communicating with the command and control (C&C)... The malware dropped and launched from the PDF exploit has been seen to be virtual machine (VM) aware in order to prevent analysis within a sandbox. The Trojan functionality is decrypted at run-time, and includes expected functionality, such as, downloading, uploading, and executing files driven by commands from the C&C. Communication with the C&C is over HTTP but is encoded to evade detection. The Trojan file name (e.g., "msupdate.exe") and the HTTP paths used in the C&C (e.g., "/microsoftupdate/getupdate/default.aspx") are used to stay under the radar by appearing to be related to Microsoft Windows Update - hence the name given to this Trojan. Correlating this information with open-source intelligence (OSINT), we were able to find other reports of this Trojan within past targeted incidents, as well as a link to other incidents and compromise indicators..."
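The reports above give the detection hook for this Trojan: its HTTP paths and file name imitate Windows Update, but the beacons go to attacker-registered domains. The following proxy-log scanner is an added example (not code from Seculert, Zscaler or this thread) that flags update-looking paths requested from hosts outside a small, illustrative allowlist of Microsoft update domains; the log lines are constructed, the allowlist is an assumption, and only the two C&C domain names and the path/file name come from the report.

```python
import re
from urllib.parse import urlsplit

# Hosts where Windows-Update-looking paths are legitimately expected. This is an
# illustrative allowlist (an assumption), not an exhaustive list of Microsoft domains.
TRUSTED_UPDATE_SUFFIXES = (".microsoft.com", ".windowsupdate.com")
TRUSTED_UPDATE_HOSTS = ("microsoft.com", "windowsupdate.com")

# Path and file-name fragments the report attributes to the "MSUpdater" Trojan.
MSUPDATER_PATH_RE = re.compile(r"/microsoftupdate/getupdate/|msupdate\.exe", re.IGNORECASE)

# Constructed proxy log: timestamp, client IP, method, URL, status. The two C&C
# domains are the ones named in the report; every other value is made up.
SAMPLE_PROXY_LOG = """\
2012-01-30T09:12:01Z 10.0.0.12 GET http://update.microsoft.com/windowsupdate/v6/default.aspx 200
2012-01-30T09:13:44Z 10.0.0.27 POST http://siseau.com/microsoftupdate/getupdate/default.aspx 200
2012-01-30T09:14:02Z 10.0.0.27 GET http://vssigma.com/microsoftupdate/getupdate/default.aspx?id=7 200
2012-01-30T09:15:10Z 10.0.0.31 GET http://www.example.org/news/index.html 200
2012-01-30T09:16:33Z 10.0.0.12 GET http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 200
2012-01-30T09:17:05Z 10.0.0.44 GET http://cdn.example.net/files/msupdate.exe 200
"""


def is_trusted_update_host(host):
    """True for hosts that are expected to serve update-style paths."""
    host = host.lower().rstrip(".")
    return host in TRUSTED_UPDATE_HOSTS or host.endswith(TRUSTED_UPDATE_SUFFIXES)


def parse_proxy_line(line):
    """Split one whitespace-separated proxy log line into its fields."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    split = urlsplit(url)
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "host": split.hostname or "",
        "path": split.path,
        "status": status,
    }


def find_msupdater_beacons(log_text):
    """Return records whose URL mimics Windows Update but targets an untrusted host."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        if MSUPDATER_PATH_RE.search(rec["path"]) and not is_trusted_update_host(rec["host"]):
            hits.append(rec)
    return hits


def beaconing_clients(log_text):
    """Map each internal client to the set of untrusted hosts it beaconed to."""
    clients = {}
    for rec in find_msupdater_beacons(log_text):
        clients.setdefault(rec["client"], set()).add(rec["host"])
    return clients


if __name__ == "__main__":
    for rec in find_msupdater_beacons(SAMPLE_PROXY_LOG):
        print(f'{rec["ts"]} {rec["client"]} -> {rec["host"]}{rec["path"]}')
    print(beaconing_clients(SAMPLE_PROXY_LOG))
```

The two genuine Windows Update requests in the sample pass because their hosts are on the allowlist; the path match alone is not the signal, the combination of update-like path and non-Microsoft host is. Tighten or widen the allowlist to match what your own proxy sees before relying on it.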
3 February 2012
Kelihos botnet remains very much dead after all
Feb 3, 2012
Kelihos botnet resurrected...
Feb 1, 2012 - "A botnet capable of delivering almost four billion spam messages per day has been confirmed resurrected — more than four months after Microsoft celebrated its untimely demise. Researchers with Kaspersky Lab* reported on Tuesday that Kelihos, a peer-to-peer botnet that also goes by the name Hlux, continues to spew spam in a variety of languages...
Update: After this article was published, Microsoft sent the following statement:
"... Microsoft is working with Kaspersky to investigate this question and will provide more information when it becomes available..."
Jan 31, 2012
Cellphone bots ...
Updated: 09 Feb 2012 - "... The -malware- was discovered on a third party marketplace (not the Android Market) and is bundled with a legitimate application for configuring phone settings. Trojanized applications are a well known infection vector for Android malware... the total number of infected devices connected to the botnet over its entire life span numbered in the hundreds of thousands... the botmaster has been operating at these rates since September 2011. The botnet targets mobile users in China... Revenue generation through premium SMS, telephony, and video services is also limited to the networks of China's two largest mobile carriers... Upon running the Trojanized application, -both- the original clean software and a malicious application (Android.Bmaster*) are installed. Once the malware is installed, an outbound connection from the infected phone to a remote server is generated... SMS numbers in China tend to cost around $0.15 to $0.30 per message, and while this may not seem particularly expensive, it quickly adds up when you factor in the number of the active, infected devices on the botnet and how most users likely would not notice the infection right away. Taking our two example dates as the lower and upper bounds of the number of active infected devices, we can see the botmaster is generating anywhere between $1,600 to $9,000 per day and $547,500 to $3,285,000 per year the botnet is running..."
Last revised: 09/07/2011
CVSS v2 Base Score: 7.2 (HIGH)
Impact Type: Provides administrator access, Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service...
Citadel botnets... rapid growth
Feb 9, 2012 - "... researchers there said that they’d observed at least five new versions of Citadel since first spotting the malware on Dec. 17, 2011. Seculert’s Aviv Raff said that means the miscreants behind Citadel are pushing out a new version of the Trojan about once a week..."
Feb 8, 2012 - "A few weeks ago, Brian Krebs reported* on Citadel, a new variant of the Zeus Trojan. Citadel creators decided to provide this new variant in a Software-as-a-Service (SaaS) model, which seems to be a rising trend in the cybercrime ecosystem... They created a social network that enables the customers of Citadel (other cybercriminals) to suggest new features and modules to the malware... Based on the fact that the Zeus source-code went public in 2011, the Citadel community indeed became active, and started contributing new modules and features. This recent development may be an indication of a trend in malware evolution - an open-source malware... Seculert's Research Lab discovered the first indication of a Citadel botnet on December 17th, 2011. The level of adoption and development of Citadel is rapidly growing, and since then Seculert has identified over 20 different Citadel botnets**..."
(Infection rate per country of several Citadel botnets, infecting over 100,000 machines)
Jan 23rd, 2012 - "... Citadel may be the first notable progeny of ZeuS since the ZeuS source code was leaked online last year. The authors claim that it includes a number of bug fixes for the most recent ZeuS version, including full support for grabbing credentials from victims using Google Chrome. Also bundled with this update is a component that can record and transmit videos of the victim’s screen activity... The growth of a more real-time, user-driven and crowdsourced malicious software market would be a truly disturbing innovation..."
Waledac malware returns... with password-stealing ...
Feb 16, 2012 - "A new version of the Waledac malware has been spotted on the Internet, but unlike previous variants, which were mainly used for spamming purposes, this one steals various log-in credentials and BitCoins, a type of virtual currency... researchers from network security firm Palo Alto Networks announced in a blog post*... it also steals FTP, POP3 and SMTP user passwords, as well as .dat files for BitCoin wallets. This is the first time that Palo Alto Networks' firewall products have spotted Waledac-related activity since the original botnet was shut down two years ago... the new Waledac version is being distributed through Web sessions, probably with the help of exploits hosted on compromised websites..."
"... it is important to note that this is a -new- variant of the botnet, and not the original version..."
DNS Changer working group ...
"... Computers still infected with DNSChanger are up against a countdown clock. As part of the DNSChanger botnet takedown, the feds secured a court order to replace the Trojan’s DNS infrastructure with surrogate, legitimate DNS servers. But those servers are only allowed to operate until March 8, 2012. Unless the court extends that order, any computers still infected with DNSChanger may no longer be able to browse the Web... there are still -millions- of PCs infected with DNSChanger... Even if the DNS Changer working group manages to get the deadline extended, the cleanup process will likely take many years. At least, that’s been the experience of the Conficker Working Group, a similar industry consortium that was created to help contain and clean up infections from the infamous Conficker Worm. That working group was formed in 2009, yet according to the group’s latest statistics, nearly 3 million systems remain infected with Conficker. Given the Conficker Working Group’s experience, shutting down the surrogate DNS network on March 8 may actually be a faster — albeit more painful — way to clean up the problem... Home users can avail themselves of step-by-step instructions at this link* to learn of possible DNSChanger infections..."
* DNS Changer Working Group (DCWG) - Checking for DNS Changer >> http://dcwg.org/checkup.html
DNS Changer Eye Chart: http://dns-ok.us/
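The DCWG checkup pages above work by looking at which resolvers a machine is configured to use: DNSChanger's whole effect is to point the host (or its home router) at attacker-run DNS servers. The script below is an added example, not the DCWG's tool, showing the same check run locally on resolver configuration text. It parses both /etc/resolv.conf and Windows "ipconfig /all" output and tests each resolver against a list of rogue prefixes; because this page does not list the real DNSChanger ranges, the rogue list here is a placeholder made of documentation prefixes, and the configuration samples are constructed.

```python
import ipaddress
import re

# Placeholder rogue-resolver ranges. The real DNSChanger ranges are not given on this
# page, so the RFC 5737 documentation prefixes stand in for them (an assumption).
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed resolver configurations, one per platform style.
SAMPLE_RESOLV_CONF = """\
# constructed /etc/resolv.conf
search corp.example
nameserver 192.0.2.45
nameserver 203.0.113.1
"""

SAMPLE_IPCONFIG = """\
   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 10.0.0.27
   DNS Servers . . . . . . . . . . . : 203.0.113.1
                                       203.0.113.2
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def parse_nameservers(text):
    """Extract resolver addresses from resolv.conf or 'ipconfig /all' style text."""
    servers = []
    in_dns_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("nameserver"):            # resolv.conf form
            servers.extend(IPV4_RE.findall(stripped))
            in_dns_block = False
        elif stripped.startswith("DNS Servers"):         # ipconfig form, first server on this line
            servers.extend(IPV4_RE.findall(stripped))
            in_dns_block = True
        elif in_dns_block and IPV4_RE.fullmatch(stripped):  # ipconfig continuation lines
            servers.append(stripped)
        else:
            in_dns_block = False
    return servers


def classify_resolvers(servers, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Return (address, matching rogue network or None) for each resolver."""
    result = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            continue                                     # skip anything that is not an address
        hit = next((net for net in rogue_ranges if addr in net), None)
        result.append((str(addr), str(hit) if hit else None))
    return result


def looks_infected(text, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """True if any configured resolver falls inside a rogue range."""
    return any(hit for _, hit in classify_resolvers(parse_nameservers(text), rogue_ranges))


if __name__ == "__main__":
    for name, sample in (("resolv.conf", SAMPLE_RESOLV_CONF), ("ipconfig", SAMPLE_IPCONFIG)):
        print(name, classify_resolvers(parse_nameservers(sample)), "infected:", looks_infected(sample))
```

One caveat the DCWG pages also note: when the infected device is the home router rather than the PC, the PC's resolver will be the router's LAN address and this check passes, so the router's own upstream DNS setting has to be inspected as well.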
Cutwail botnet is back ...
DNS Changer - Surrogate servers operation extension request filed
Feb 22, 2012 - "... In a Feb. 17 filing with the U.S. District Court for the Southern District of New York, officials with the U.S. Justice Department, the U.S. Attorney for the Southern District of New York, and NASA asked the court to extend the March 8 deadline by more than four months to give ISPs, private companies and the government more time to clean up the mess. The government requested that the -surrogate- servers be allowed to stay in operation until July 9, 2012. The court has yet to rule on the request, a copy of which is available here (PDF)*... the six Estonian men arrested and accused of building and profiting from the DNSChanger botnet are expected to be extradited to face computer intrusion and conspiracy charges in the United States..."
DNS Changer Working Group (DCWG) - Check for DNS Changer >> http://dcwg.org/checkup.html
DNS Changer Eye Chart:
DNS configuration test pages (Eye-chart):
• http://dns-ok.us ...
Feb 2, 2012 - "... IID found at least 250 of all Fortune 500 companies and 27 out of 55 major government entities had at least one computer or router that was infected with DNSChanger in early 2012..."
Feb 22, 2012 - "... the substitute DNS servers were keeping an average of 430,000 unique IP addresses connected to the Web last month. Each IP address represented at least one computer, and in some cases, numerous machines..."
DDoS attacks - H2 2011
02.22.2012 - "... launched from computers located in 201 countries around the world... DDoS attack sources have changed... new leaders: Russia (16%), Ukraine (12%), Thailand (7%) and Malaysia (6%)... zombie computers from 19 other countries ranges between 2% and 4%..."
DDoS traffic sources by country – H2 2011: http://www.securelist.com/en/images/vlill/gar_nam_pic04_en.png
ZeuS-SpyEye P2P use – banking Trojans ...
27 Feb 2012 - "New variants of the Zeusbot/SpyEye cybercrime toolkit are moving away from reliance on command-and-control (C&C) servers towards a peer-to-peer architecture... Now cybercrooks have built functionality into Zeusbot/SpyEye that allows instructions to be distributed via P2P techniques as well, eliminating the need for C&C servers. Compromised systems are now capable of downloading commands, configuration files, and executables from other bots, a write-up by security researchers at Symantec explains*... tracking banking botnet activity and identifying the cybercrooks behind such networks is likely to become more difficult as a result of the architectural changes that have come with the latest version of ZeuS/SpyEye... Other changes to the malware creation toolkit include greater reliance on UDP communications – a stateless protocol that's harder to track and dump than TCP – as well as an extra encryption layer. Both ZeuS and SpyEye are best described as cybercrime toolkits that can be used for the creation of customised banking Trojans. The code base of the two former rivals was merged last year, leading to the creation of strains designed to target mobile banking customers..."
DNS Changer gets extension for infected PCs fix...
Mar 6, 2012 - "Millions of PCs sickened by a global computer contagion known as DNSChanger were slated to have their life support yanked on March 8. But an order handed down Monday by a federal judge will delay that disconnection by 120 days to give companies, businesses and governments more time to respond to the epidemic. The reprieve came late Monday, when the judge overseeing the U.S. government’s landmark case against an international cyber fraud network agreed that extending the deadline was necessary “to continue to provide remediation details to industry channels approved by the FBI”..."
DNS Changer Eye Chart:
April 24, 2012
Tool available for those affected by the DNS-Changer
Last updated: Feb 2, 2012 - "... a restart of Windows will be necessary after the execution of the tool and a successful repair."
Download Avira DNS Repair-Tool
updated March 7, 2012 - "... new deadline is July 9, 2012..."
Zeus botnets disrupted ...
25 Mar 2012 - "... This week, Microsoft has partnered with security experts and the financial services industry on a new action codenamed Operation b71* to disrupt some of the worst known botnets using variants of the notorious Zeus malware (which we detect as Win32/Zbot). Due to the complexities of these targets, unlike Microsoft’s prior botnet operations, the goal of this action was not the permanent shutdown of all impacted Zeus botnets. However, this action is expected to significantly impact the cybercriminals’ operations and infrastructure, advance global efforts to help victims regain control of their infected computers and also help further investigations against those responsible for the threat. The Zbot/Zeus threat has targeted the financial sector for quite some time... Millions of dollars of fraud are a result of this family of threat and it has taken cross-industry collaboration to take effective action against it. Microsoft has partnered with FS-ISAC, NACHA, Kyrus Tech, F-Secure and others to disrupt a large portion of the command and control infrastructure of various botnets using Zbot, Spyeye and Ice IX variants of the Zeus family of malware... MMPC is committed to partnering across the industry to help disrupt threats to the Internet and our customers. We will have more to share on Project MARS and related operations as we move forward."
March 26, 2012 - "... abuse.ch's ZeuS Tracker* is currently reporting 350 C&C servers online, so there's plenty more work to be done..."
Mar 26 2012 - "... Microsoft said it has detected more than 13 million suspected infections of this malware worldwide..."
March 26, 2012
Kelihos.B botnet sinkholed...
March 28, 2012 - "... CrowdStrike has teamed up with security experts from Dell SecureWorks, the Honeynet Project and Kaspersky to take out a peer-to-peer botnet which we believe is the newest offspring of a family that has been around since 2007: Kelihos.B, a successor of Kelihos, Waledac and the Storm Worm. Traditionally, the botnets in this family are known for spamming, but the newest version is also capable of stealing bitcoin wallets from infected computers... Just like its brothers, Kelihos.B relies on a self-organizing, dynamic peer-to-peer topology to make its infrastructure more resilient against takedown attempts. It further uses a distributed layer of command-and-control servers with hosts registered in countries like Sweden, Russia, and Ukraine that are in turn controlled by the botmaster... We are working with our partners to inform ISPs about infections in their network and make sure that Kelihos.B remains safely sinkholed..."
March 28, 2012
OS versions - botted w/Kelihos.B
Mar 28, 2012
28 March 2012
File name: db95341667fb5e5553a1cb0113e21205
Detection ratio: 13/42
Analysis date: 2012-03-27 19:51:52 UTC
File name: 84cbcfababd4eafd1a8a4872b9169362
Detection ratio: 15/42
Analysis date: 2012-03-27 20:06:04 UTC
Kelihos.B - still live and social
March 29, 2012 - "... Several weeks ago, Seculert discovered that Kelihos.B had found a new and "social way" to expand, using an already-known social worm malware*, but now it had started targeting Facebook users... Up to now Seculert has identified more than 70,000 Facebook users that are infected with the Facebook worm, and sending the malicious links to their Facebook friends...
[Pie chart/infections by country]: http://3.bp.blogspot.com/-h4itoyKTpV4/T3QgNunuEGI/AAAAAAAAAFo/s4gAjtY2SrQ/s1600/fbwormstats.png
... at the time of this writing, Seculert can still see that Kelihos is being spread using the Facebook worm. Also, there is still communication activity of this malware with the Command-and-Control servers through other members of the botnet. This means that the Kelihos.B botnet is still up and running. It is continuously expanding with new infected machines, and actively sending spam. Some might call this "a new variant", or Kelihos.C. However, as the new infected machines are operated by the same group of criminals, which can also regain access to the sinkholed bots through the Facebook worm malware, we believe that it is better to still refer to this botnet as Kelihos.B."
550,000 strong Mac botnet
April 4, 2012 - "... Attackers began to exploit CVE-2011-3544 and CVE-2008-5353 vulnerabilities to spread malware in February 2012, and after March 16 they switched to another exploit (CVE-2012-0507)... Over 550,000 infected machines running Mac OS X have been a part of the botnet on April 4. These only comprise a segment of the botnet set up by means of the particular BackDoor.Flashback* modification. Most infected computers reside in the United States (56.6%, or 303,449 infected hosts), Canada comes second (19.8%, or 106,379 infected computers), the third place is taken by the United Kingdom (12.8% or 68,577 cases of infection) and Australia with 6.1% (32,527 infected hosts) is the fourth..."
April 06, 2012 Kaspersky - "... we were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID, we were able to calculate the number of active bots. Our logs indicate that a total of 600 000+ unique bots connected to our server in less than 24 hours. They used a total of 620 000+ external IP addresses... More than 98% of incoming network packets were most likely sent from Mac OS X hosts. Although this technique is based on heuristics and can’t be completely trusted, it can be used for making order-of-magnitude estimates. So, it is very likely that most of the machines running the Flashfake bot are Macs..."
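Kaspersky's count above rests on one detail of the bot protocol: each request carries the machine's hardware UUID, so bots can be counted by UUID rather than by source address, which is why the UUID total (600,000+) and the external-IP total (620,000+) differ. The script below is an added example, not Kaspersky's sinkhole code, that performs that census on a constructed sinkhole log within a 24-hour window and also reports the two effects that make the figures diverge: several bots behind one NAT address, and one bot seen from several addresses. The log format, UUIDs and addresses are all made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sinkhole log: "timestamp client_ip uuid". The real bot request format
# is not on this page; this layout and every value in it are assumptions.
SAMPLE_SINKHOLE_LOG = """\
2012-04-06T00:01:00Z 198.51.100.10 A1B2C3D4-0000-4000-8000-000000000001
2012-04-06T00:02:00Z 198.51.100.10 A1B2C3D4-0000-4000-8000-000000000002
2012-04-06T03:15:00Z 198.51.100.10 A1B2C3D4-0000-4000-8000-000000000001
2012-04-06T05:00:00Z 203.0.113.7 A1B2C3D4-0000-4000-8000-000000000003
2012-04-06T11:30:00Z 203.0.113.99 A1B2C3D4-0000-4000-8000-000000000003
2012-04-07T06:00:00Z 192.0.2.5 A1B2C3D4-0000-4000-8000-000000000004
"""


def parse_sinkhole_log(text):
    """Parse log lines into (timestamp, ip, uuid) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts, parts[1], parts[2].upper()))
    return records


def bot_census(records, start, window=timedelta(hours=24)):
    """Count bots seen in [start, start + window) by hardware UUID and by source IP."""
    end = start + window
    uuids_per_ip = defaultdict(set)   # who sits behind each address (NAT shows up here)
    ips_per_uuid = defaultdict(set)   # where each bot was seen from (roaming shows up here)
    for ts, ip, uuid in records:
        if start <= ts < end:
            uuids_per_ip[ip].add(uuid)
            ips_per_uuid[uuid].add(ip)
    return {
        "unique_bots": len(ips_per_uuid),
        "unique_ips": len(uuids_per_ip),
        "nat_ips": sum(1 for bots in uuids_per_ip.values() if len(bots) > 1),
        "roaming_bots": sum(1 for ips in ips_per_uuid.values() if len(ips) > 1),
    }


def census_for_day(records, day):
    """Convenience wrapper: 24-hour census starting at midnight UTC of 'YYYY-MM-DD'."""
    return bot_census(records, datetime.strptime(day, "%Y-%m-%d"))


if __name__ == "__main__":
    recs = parse_sinkhole_log(SAMPLE_SINKHOLE_LOG)
    print(census_for_day(recs, "2012-04-06"))
```

In the sample, the first day yields three bots from three addresses even though one address carried two bots and one bot moved between two addresses; the two effects happen to cancel here, which is exactly why the per-UUID figure, not the per-IP figure, is the one to report.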
April 4th, 2012
Detection Names: Exploit:Java/Flashback.I, Trojan-Downloader:OSX/Flashback.I, Trojan:OSX/Flashback.I, Backdoor:OSX/Flashback.I
"... Manual Removal... recommended only for advanced users..."
Flashback botnet checker ...
April 09, 2012 - "This resource allows a manual pasting of an OS X system's unique identifier into a form that will show if that machine is part of the Flashback botnet.
Analysis: This tool is provided by Dr. Web who first published details on the OSX Flashback infections. It does not scale well but allows for manual checking and can be helpful for end users."
"Dear Mac OS user..."
April 09, 2012
Symantec OSX.Flashback.K Removal Tool
April 12, 2012
F-secure Flashback Removal Tool
"... tool linked above has been updated April 12th..."
Infection by OSX version - chart
April 12, 2012
Flashback numbers -not- going down - still over half a million
Graphic - 24 April 2012
April 23, 2012
Google: infected users affected by the DNSChanger malware
May 22, 2012 - "Starting today we’re undertaking an effort to notify roughly half a million people whose computers or home routers are infected with a well-publicized form of malware known as DNSChanger. After successfully alerting a million users last summer to a different type of malware, we’ve replicated this method and have started showing warnings via a special message* that will appear at the top of the Google search results page for users with affected devices...
... Our goal with this notification is to raise awareness of DNSChanger among affected users. We believe directly messaging affected users on a trusted site and in their preferred language will produce the best possible results. While we expect to notify over 500,000 users within a week, we realize we won’t reach every affected user. Some ISPs have been taking their own actions, a few of which will prevent our warning from being displayed on affected devices. We also can’t guarantee that our recommendations will always clean infected devices completely, so some users may need to seek additional help. These conditions aside, if more devices are cleaned and steps are taken to better secure the machines against further abuse, the notification effort will be well worth it."
DNS Changer Eye Chart:
Zbot relentless - Anti-emulations
July 3, 2012 - "A couple of months ago, Microsoft took out some Trojan.Zbot servers across the world. The impact was short-lived. Even though for a span of about two weeks, we saw virtually no Trojan.Zbot activity, relentless Trojan.Zbot activity has resumed — with some added new social-engineering techniques as well as some new techniques to help Trojan.Zbot avoid antivirus detection... The effort that has been made by the Trojan.Zbot malware writers is not limited to one, or even a couple of techniques. In most malware variants there are many simple or complicated techniques to help avoid detection... These techniques are part of ever-evolving malware techniques, especially from professional malware writers who invest a large amount of time researching new techniques to -evade- antivirus detection..."
Botnet infections in the enterprise
July 03, 2012
The scope and costs of botnet infections require a change in tactics.
Analysis: While automation is critical, automated security systems such as IDSs, firewalls, vulnerability scanning solutions, etc. are -not- a fool-proof solution and must be augmented and run by skilled practitioners. Attackers know how to bypass many security systems, and without skilled practitioners in the loop, this trend will continue...
DNSchanger shutdown ...
5 July 2012 - "An estimated 300,000 computer connections are going to get scrambled when the FBI turns off the command and control servers for the DNSChanger botnet on Monday...
DNSChanger reroutes DNS requests to its own servers and then pushes scareware and advertising to infected machines. Shutting it down, however, will leave computers unable to access websites and email properly without a fix being applied. The FBI had been due to shut down DNSChanger in March, but left it up for an extra three months to allow more time for users to disinfect their systems. Companies and governments have made a big effort to clean systems with the help of the DNS Changer Working Group (DCWG)*, which was set up by security experts to manage the problems. But according to the latest DCWG data, there are still 303,867 infected systems out there..."
"... quick way to determine if you are infected with DNS Changer. Each site is designed for any normal computer user to browse to a link, follow the instructions, and see if they might be infected. Each site has instructions in their local languages on the next steps to clean up possible infections..."
Grum botnet takedown ...
2012.07.18 - "... the Grum botnet has finally been knocked down. All the known command and control (CnC) servers are dead, leaving their zombies orphaned... According to data coming from Spamhaus, on average, they used to see around 120,000 Grum IP addresses sending spam each day, but after the takedown, this number has reduced to 21,505. I hope that once the spam templates expire, the rest of the spam will fade away as well..."
19 July 2012 - "... The botnet is believed to have been responsible for as much as 18% of total global spam, which amounts to approximately 18 billion messages a day..."
Week ending July 22, 2012
APTs more prolific ...
Aug 02, 2012 - "... cyberespionage malware and activity is far more prolific than imagined: (Joe Stewart - Dell Secureworks) has discovered some 200 different families of custom malware used to spy and steal intellectual property, with hundreds of attackers in just two groups out of Shanghai and Beijing... Stewart also unearthed a private security firm located in Asia - not in China - that is waging a targeted attack against another country's military operations, as well as spying on U.S. and European companies and its own country's journalists. He declined to provide details on the firm or its country of origin, but confirmed it's based in a nation that's "friendly" with the U.S... Stewart plans to continue hunting down APT attackers... The full report is here*."
23 July 2012 - "... tracking numerous digital elements involved in cyber-espionage activity:
• More than 200 unique families of -custom- malware used in cyber-espionage campaigns.
• More than 1,100 domain names registered by cyber-espionage actors for use in hosting malware C2s or spearphishing.
• Nearly 20,000 subdomains of the 1,100 domains (plus a significant number of dynamic DNS domains) are used for malware C2 resolution.
This quantity of elements rivals many large conventional cybercrime operations. However, unlike the largest cybercrime networks that can contain millions of infected computers in a single botnet, cyber-espionage encompasses tens of thousands of infected computers spread across hundreds of botnets, each of which may only control a few to a few hundred computers at a time. Therefore, each time an "APT botnet" is discovered, it tends to look like a fairly small-scale operation. But this illusion belies the fact that for every APT botnet that is discovered and publicized, hundreds more continue to lie undetected on thousands of networks..."
(More detail at the Secureworks URL above.)
Godaddy DDoS attack in progress
Last Updated: 2012-09-10 21:39:54 UTC ...(Version: 2)
Update: GoDaddy appears to make some progress getting services back online. The web site is responding again. DNS queries appear to be still timing out and logins into the site fail. (17:30 ET) GoDaddy is currently experiencing a massive DDoS attack. "Anonymous" was quick to claim responsibility, but at this point, there has been no confirmation from GoDaddy. GoDaddy only stated via twitter: "Status Alert: Hey, all. We're aware of the trouble people are having with our site. We're working on it." The outage appears to affect the entire range of GoDaddy hosted services, including DNS*, Websites and E-Mail. You may experience issues connecting to sites that use these services (for example our DShield.org domain is hosted with GoDaddy)..."
* Alternate DNS: http://188.8.131.52/
GoDaddy's network status:
"Recently Resolved Issues
Resolved September 10, 2012 at 6:41 PM
... Known Issues
No issues to report"
"... We have determined the service outage was due to a series of internal network events that corrupted router data tables... We have implemented measures to prevent this from occurring again. At no time was any customer data at risk or were any of our systems compromised...
- Scott Wagner Go Daddy CEO"
Nitol botnet takedown
13 Sep 2012 - "... the U.S. District Court for the Eastern District of Virginia granted Microsoft’s Digital Crimes Unit permission to disrupt more than 500 different strains of malware with the potential for targeting millions of innocent people. Codenamed “Operation b70,” this legal action and technical disruption proceeded from a Microsoft study which found that cybercriminals infiltrate unsecure supply chains to introduce counterfeit software embedded with malware for the purpose of secretly infecting people’s computers. In disrupting these malware strains, we helped significantly limit the spread of the developing Nitol botnet... On Sept. 10, the court granted Microsoft’s request for an ex parte temporary restraining order against Peng Yong, his company and other John Does. The order allows Microsoft to host the 3322 .org domain, which hosted the Nitol botnet, through Microsoft’s newly created domain name system (DNS). This system enables Microsoft to block operation of the Nitol botnet and nearly 70,000 other malicious subdomains hosted on the 3322 .org domain, while allowing all other traffic for the legitimate subdomains to operate without disruption. This action will significantly reduce the impact of the menacing and disturbing threats associated with Nitol and the 3322 .org domain, and will help rescue people’s computers from the control of this malware... Cybercriminals have made it clear that anyone with a computer could become an unwitting mule for malware; today’s action is a step toward preventing that... If you believe your computer might be infected with malware, we encourage you to visit http://support.microsoft.com/botnets as this site offers free information and tools to analyze and clean your computer..."
Sep 19, 2012 - "... Microsoft said that within hours of the takeover order being granted, it saw more than 35 million unique Internet addresses phoning home to those 70,000 malicious domains... graphic* provided by Microsoft..."
Sep 13, 2012 - "... Nitol... employs multiple domains from several free dynamic DNS providers, including -other- four-digit .ORG domain services such as 6600 .org, 7766 .org, 2288 .org and 8866 .org..."
(Highly recommend blocking those addresses also, if you haven't already.)
ZeroAccess botnet ...
Sep 20, 2012 - "... ZeroAccess is a very large botnet and there are millions of infections globally. Here's the USA:
... Here's Europe:
> http://www.f-secure.com/weblog/archives/ZeroAccessGoogleEarthEurope756x464.png ..."
Sep 19, 2012 - "... ZeroAccess* uses a peer-to-peer network to download plugin files which carry out various tasks designed to generate revenue for the botnet owners. Our researchers monitored this network for a period of two months to discover where in the world the peers were located and what kind of files the botnet was being instructed to download. We found the IP addresses of infected machines from a total of 198 countries... Our research has discovered that the ZeroAccess botnet is currently being used for two main purposes: Click fraud and Bitcoin mining..."
Last Updated: 2011-11-22 - "... The following tools were tested and worked quite fine against ZeroAccess. Kaspersky TDSSKiller has a good feature to offer a quarantine option if you want.
Ah yes, remember that it will be cleaning one trojan, and that you still have at least a ZeuS running on the system..."
New Russian DIY DDoS-bot spotted in-the-wild
Sep 28, 2012 - "... a recently released DIY DDoS bot, which according to its author is a modification of the Dirt Jumper DDoS bot*.
Sample screenshot of the command and control interface of the Russian DIY DDoS Bot:
... The bot supports SYN flooding, HTTP flooding, POST flooding and the special Anti-DDoS protection type of flooding. It also has built-in anti-antivirus features allowing it to avoid detection by popular host-based firewalls, next to a feature allowing it to detect and remove competing malware bots from the system, preserving its current state for the users of the bot. Moreover, according to its author, it will not work under a virtual machine, preventing potential analysis of the malicious binaries conducted by a malware researcher. Another interesting feature is the randomization of the HTTP requests using multiple user-agents in an attempt to trick anti-DDoS protection on the affected hosts. Apparently, the coder behind this malware bot claims to have the source code of the Dirt Jumper DDoS kit, which we cannot verify for the time being given the fact that the source code for this bot isn’t currently circulating in the wild, and that there are zero advertisements within the cybercrime ecosystem offering to sell access to it..."
Botmasters recruited for attack on Banks ...
Oct 4, 2012 - "... a cyber gang has recently communicated its plans to launch a Trojan attack spree on 30 American banks as part of a large-scale orchestrated crimeware campaign. Planned for this fall, the blitzkrieg-like series of Trojan attacks is set to be carried out by approximately 100 botmasters. RSA believes this is the making of the most substantial organized banking-Trojan operation seen to date. By analyzing the details of the gang’s announcement, RSA has managed to link the cybergang’s weapon of choice to a little-known, proprietary Gozi-like Trojan, which RSA has dubbed “Gozi Prinimalka”... According to underground chatter, the gang plans to deploy the Trojan in an effort to complete fraudulent wire transfers via Man-In-The-Middle (MiTM) manual session-hijacking scenarios. Previous incidents involving this Trojan, handled by RSA and other information security vendors, appear to corroborate the gang’s claims that since 2008 their Trojan has been at the source of siphoning US$5 Million from American bank accounts. Gozi Prinimalka’s similarity to the Gozi Trojan, both in technical terms and its operational aspects, suggests that the HangUp Team — a group that was previously known to launch Gozi infection campaigns — or a group closely affiliated with it, may be the troupe behind this ambitious scheme. If successfully launched, the full force of this mega heist may only be felt by targeted banks in a month or two... This cyber intelligence notice is based upon ongoing research and analysis by the RSA FraudAction research team. As part of our ongoing cooperation with the security community, RSA has shared details of this information with U.S. law enforcement as well as with its RSA FraudAction Global Blocking Network partners and security teams from the partially known list of potential target U.S. banks. Still, it’s important to note that cyber criminals often make claims they do not necessarily act upon... 
Security teams should consider the potential urgency and applicability of this intelligence within their specific organization’s threat matrix and risk profile."
Akamai attack monitor:
Oct 6, 2012 15:07 ET
50.5% above normal...
Automated Toolkits named in massive DDoS attacks against U.S. Banks
Oct 2, 2012
Severity: High Severity
Oct 01, 2012
Heavy DDoS attacks on banks have taken place. Attribution is uncertain.
Analysis: The attackers used a PHP-based botnet for most of the attacks. The attacks were typically sourced from compromised web applications running vulnerable PHP code. The attackers typically upload a "web shell" to such a vulnerable site and then are able to upload, download and perform other operations on the system. Since such server systems typically have more bandwidth than the usual malware target (a Windows system on a broadband line) the attackers are able to increase their attack volume a great deal more quickly than through the use of windows malware.
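Both the compromised-web-server side of the bank attacks (the analysis above) and the user-agent-rotating HTTP floods described for the DIY DDoS bot earlier in the thread leave traces in ordinary web access logs. The following Python script is an added example, not code from any of the quoted reports or vendors: it parses combined-format (Apache/nginx) log lines and runs two defender-side heuristics over them. The first flags POST requests to .php files that are not in the site's deployed inventory, which is where a dropped web shell shows up on a site you own; the second flags client IPs that send a burst of requests inside a short window while presenting several different user-agent strings. The log lines, IP addresses, paths and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Apache/nginx "combined" access-log lines (not real traffic).
# Addresses are from the RFC 5737 documentation ranges; paths are hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Oct/2012:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/15.0"
203.0.113.5 - - [01/Oct/2012:10:00:04 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/15.0"
198.51.100.7 - - [01/Oct/2012:10:01:10 +0000] "POST /uploads/images/cache.php HTTP/1.1" 200 311 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [01/Oct/2012:10:01:11 +0000] "POST /uploads/images/cache.php?v=2 HTTP/1.1" 200 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [01/Oct/2012:10:02:00 +0000] "GET / HTTP/1.1" 200 1200 "-" "UA-A"
192.0.2.10 - - [01/Oct/2012:10:02:00 +0000] "GET / HTTP/1.1" 200 1200 "-" "UA-B"
192.0.2.10 - - [01/Oct/2012:10:02:01 +0000] "GET / HTTP/1.1" 200 1200 "-" "UA-C"
192.0.2.10 - - [01/Oct/2012:10:02:01 +0000] "GET / HTTP/1.1" 200 1200 "-" "UA-D"
192.0.2.10 - - [01/Oct/2012:10:02:02 +0000] "GET / HTTP/1.1" 200 1200 "-" "UA-A"
192.0.2.10 - - [01/Oct/2012:10:02:02 +0000] "GET / HTTP/1.1" 200 1200 "-" "UA-E"
not a log line
"""

# PHP entry points the application actually ships (hypothetical inventory,
# e.g. taken from the deployment manifest). Anything else receiving POSTs is suspect.
DEPLOYED_PHP = {"/index.php", "/login.php"}

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["path"] = e["path"].split("?", 1)[0]  # drop the query string before inventory lookup
    return e


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_webshell_candidates(entries, deployed_php):
    """Flag POSTs to .php files outside the deployed inventory.

    A shell dropped through a vulnerable upload handler lives in a writable
    directory the application never shipped code in, so it fails this lookup.
    """
    hits = set()
    for e in entries:
        if e["method"] == "POST" and e["path"].lower().endswith(".php") \
                and e["path"] not in deployed_php:
            hits.add((e["ip"], e["path"]))
    return sorted(hits)


def find_flood_sources(entries, window_seconds=2, min_requests=5, min_agents=3):
    """Flag IPs whose densest burst within `window_seconds` reaches `min_requests`
    while they present at least `min_agents` distinct User-Agent strings."""
    stamps_by_ip = defaultdict(list)
    agents_by_ip = defaultdict(set)
    for e in entries:
        stamps_by_ip[e["ip"]].append(e["ts"])
        agents_by_ip[e["ip"]].add(e["ua"])
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        burst, j = 0, 0
        for i in range(len(stamps)):           # sliding window over sorted timestamps
            while j < len(stamps) and (stamps[j] - stamps[i]).total_seconds() <= window_seconds:
                j += 1
            burst = max(burst, j - i)
        if burst >= min_requests and len(agents_by_ip[ip]) >= min_agents:
            flagged[ip] = {"burst": burst, "agents": len(agents_by_ip[ip])}
    return flagged


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("web shell candidates:", find_webshell_candidates(entries, DEPLOYED_PHP))
    print("flood sources:", find_flood_sources(entries))
```

On the constructed sample the inventory check isolates the single unknown PHP target, and the burst check isolates the one client that rotates agents within two seconds while the two legitimate-looking clients pass both tests. Thresholds are deliberately low for the sample; on production logs they should be tuned against the site's normal request rate.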
ZeroAccess P2P - not C&C
Nov 6, 2012 - "... ZACCESS, which is also known as ZeroAccess or SIREFEF. It can push fake applications and other malware onto infected systems, while using its rootkit capabilities to hide from detection. The table below shows Japan places 2nd in terms of infection ranking, followed by US. In fact, Japan Regional TrendLabs received a lot of queries from our customers, which also triggered our in-depth analysis.
Backdoors typically establish each session by connecting from affected PCs to command-and-control (C&C) servers in order to receive commands from attackers. However, it’s not the case that a corresponding session is established from the C&C servers to affected PCs. Based on our analysis of BKDR_ZACCESS, it establishes bidirectional connections with other infected machines using its P2P functionality. This helps reduce the load on its C&C servers, as well as making the network more robust against a potential takedown of its C&C servers. This allows it to send and receive commands between affected PCs and not using any C&C servers.
Because of this, BKDR_ZACCESS can be both a “client” and a “server”. When a PC affected by BKDR_ZACCESS functions as a server, it sends commands or other malware as if it were a C&C server. On the other hand, when it functions as a client, it connects to the IP addresses of affected PCs in its configuration file and updates the file. It can then attempt to download and execute other malware. Thus, once infected by BKDR_ZACCESS, affected users can spread infections to other affected PCs. At the same time, they are affected by this malware as a victim... there were a total of almost 35 million active connections between the servers and affected PCs... Some variants of ZACCESS can send spam mails. It is possible that this number is in some underground markets related to cybercrime. In addition, the attackers can use this number to gauge which tactics are successful in infecting users..."
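The client-and-server behaviour described above is also what makes a P2P bot visible in flow telemetry: an ordinary workstation only initiates connections, an ordinary server only accepts them, but a peer does both, with many distinct external hosts, on the same port. The Python below is an added example (not Trend Micro's code or analysis): it runs that heuristic over constructed NetFlow-style records. The internal address range, the peer port 34567 and the flows themselves are assumptions made up for the example and carry no information about the real malware.

```python
import ipaddress
from collections import defaultdict, Counter

# Assumption for the example: the monitored LAN is 10.0.0.0/8.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


# Constructed flow records (src_ip, src_port, dst_ip, dst_port); not real telemetry.
SAMPLE_FLOWS = [
    # 10.0.0.5: ordinary workstation, outbound web only
    ("10.0.0.5", 51000, "203.0.113.10", 443),
    ("10.0.0.5", 51001, "203.0.113.11", 80),
    ("10.0.0.5", 51002, "203.0.113.12", 443),
    # 10.0.0.20: public web server, many inbound clients, never dials out
    ("198.51.100.1", 40000, "10.0.0.20", 443),
    ("198.51.100.2", 40001, "10.0.0.20", 443),
    ("198.51.100.3", 40002, "10.0.0.20", 443),
    ("198.51.100.4", 40003, "10.0.0.20", 443),
    ("198.51.100.5", 40004, "10.0.0.20", 443),
    # 10.0.0.9: dials out to six peers AND accepts from four, all on one high port
    ("10.0.0.9", 52000, "192.0.2.21", 34567),
    ("10.0.0.9", 52001, "192.0.2.22", 34567),
    ("10.0.0.9", 52002, "192.0.2.23", 34567),
    ("10.0.0.9", 52003, "192.0.2.24", 34567),
    ("10.0.0.9", 52004, "192.0.2.25", 34567),
    ("10.0.0.9", 52005, "192.0.2.26", 34567),
    ("192.0.2.31", 34567, "10.0.0.9", 34567),
    ("192.0.2.32", 34567, "10.0.0.9", 34567),
    ("192.0.2.33", 34567, "10.0.0.9", 34567),
    ("192.0.2.34", 34567, "10.0.0.9", 34567),
]


def find_p2p_suspects(flows, min_out_peers=5, min_in_peers=3):
    """Return internal hosts that both initiate to and accept from many external peers.

    The combination is the signal: pure clients have no inbound peers and pure
    servers have no outbound ones, so neither crosses both thresholds.
    """
    out_peers = defaultdict(set)   # internal host -> external hosts it connected to
    in_peers = defaultdict(set)    # internal host -> external hosts that connected to it
    port_hits = defaultdict(Counter)
    for src, sport, dst, dport in flows:
        if is_internal(src) and not is_internal(dst):
            out_peers[src].add(dst)
            port_hits[src][dport] += 1
        elif is_internal(dst) and not is_internal(src):
            in_peers[dst].add(src)
            port_hits[dst][dport] += 1

    suspects = {}
    for host in set(out_peers) | set(in_peers):
        n_out, n_in = len(out_peers[host]), len(in_peers[host])
        if n_out >= min_out_peers and n_in >= min_in_peers:
            port, _ = port_hits[host].most_common(1)[0]
            suspects[host] = {"out_peers": n_out, "in_peers": n_in, "port": port}
    return suspects


if __name__ == "__main__":
    for host, info in find_p2p_suspects(SAMPLE_FLOWS).items():
        print(f"{host}: {info}")
```

The web server in the sample talks to more external hosts than the suspect does, but only inbound, so it is not flagged; that asymmetry is what distinguishes a legitimate listener from a peer that, as the article puts it, is client and server at once. On real flow data, exclude known P2P software (VoIP, BitTorrent) by port or process inventory before alerting.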
Botnet hidden in the Tor network
10 Dec 2012 - "The Security Street blog* has found a botnet client, the operator of which is hiding behind the Tor network. This trick makes the work of security experts and criminal prosecutors much more difficult. The malicious botnet software, called "Skynet", is a trojan that Security Street found on Usenet. At 15MB, the malware is relatively large and, besides junk files intended to cover up the actual purpose of the download file, includes four different components: a conventional Zeus bot, the Tor client for Windows, the CGMiner bitcoin tool and a copy of OpenCL.dll, which CGMiner needs to crack CPU and GPU hashes..."
(More detail at the h-online URL above.)
Spambot Kelihos update ...
Dec 10, 2012 - "... a Spambot that was shut down in September 2011 by Microsoft, but came back in January 2012. Various security researchers believe that Kelihos (also known as Hlux) is the replacement of the famous Storm Worm, which was active in 2007 and replaced by Waledac in 2009...
Infecting removable drives: ... Kelihos now has the capability to spread via removable drives, like USB sticks. The Kelihos gang implemented this feature on 2012-10-10...
Switching from .eu to .ru: Back in March 2012, Kelihos used a huge list of different domain names to spread itself and to provide fresh binaries (bot updates) to the botnet. In summer 2012 the Kelihos gang switched from TLD .eu to TLD .ru...
The rise of Kelihos: If we take a look at the global spam statistics today, the Kelihos gang has managed to get one of the biggest spam botnets world wide with 100k – 150k unique spamming IP addresses per day. In fact, Kelihos is as active as the famous Festi and Cutwail botnets, which have more or less the same number of spamming IP addresses per day. But what makes Kelihos so successful? First of all, Kelihos is not easy to shut down since it is using double FastFlux for its malware distribution domains and relies on P2P techniques for botnet communication. So there is no central botnet infrastructure. By adding the possibility to spread via removable drives, Kelihos also has a very effective way to spread itself across networks and computers even without the need of a central (distribution) infrastructure. Last but not least, the infection binaries associated with Kelihos I’ve seen so far have a very poor AV detection rate...
So what can a network administrator do to mitigate this threat?
• Since Kelihos is using port 80 (usually used by the HTTP protocol) to communicate with the P2P drones, you should restrict outbound connections to port 80 TCP and implement a web proxy with protocol inspection capabilities (so that non-HTTP and non-HTTPs traffic that tries to go through the proxy gets blocked, and alerted on)
• Patch Windows (run Windows Update) to avoid exploitation through CVE-2010-2568
• Use port security on your devices to limit the usage of removable drives and prevent Kelihos from spreading through USB sticks etc
• Restrict outbound SMTP connections (port 25 TCP) to prevent Kelihos from sending out spam mails
• Restrict access to domain names hosted on dynamic IP addresses and/or whose DNS servers are hosted on dynamic IP addresses by using DNS RPZ* ..."
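The last mitigation relies on resolver-side policy, and the Nitol action earlier in the thread is the same idea applied at scale: a resolver that hands out NXDOMAIN for tens of thousands of malicious names under one domain while leaving the legitimate subdomains untouched. The Python below is an added example, not abuse.ch's, Microsoft's or BIND's code: it models the QNAME-trigger part of DNS RPZ, with exact-name rules, wildcard rules for whole zones (dynamic DNS providers, for instance), and PASSTHRU rules that carve legitimate names back out, resolved with the usual "most specific rule wins" ordering. Every domain name in it is a constructed `.example` placeholder, and the model is a simplification (real RPZ also has NSDNAME, NSIP and client-IP triggers, which are not shown).

```python
# Simplified model of DNS RPZ QNAME policy (added example; BIND encodes the same
# rules as a zone file, with "CNAME ." for NXDOMAIN and "CNAME rpz-passthru." for allow).

NXDOMAIN, PASSTHRU, ALLOW = "NXDOMAIN", "PASSTHRU", "ALLOW"


class RpzPolicy:
    def __init__(self):
        self.exact = {}   # "name"   -> action, matches that name only
        self.wild = {}    # "parent" -> action, from a "*.parent" rule; matches subdomains only

    @staticmethod
    def _norm(name):
        return name.lower().rstrip(".")

    def add(self, owner, action):
        owner = self._norm(owner)
        if owner.startswith("*."):
            self.wild[owner[2:]] = action
        else:
            self.exact[owner] = action

    def decide(self, qname):
        """Return (action, matched_rule). Exact rules beat wildcards; among
        wildcards the one with the longest (most specific) parent wins."""
        q = self._norm(qname)
        if q in self.exact:
            return self.exact[q], q
        labels = q.split(".")
        for i in range(1, len(labels)):            # walk parents, most specific first
            parent = ".".join(labels[i:])
            if parent in self.wild:
                return self.wild[parent], "*." + parent
        return ALLOW, None


def build_sample_policy():
    """Constructed rules: block a dynamic-DNS zone wholesale, then re-allow two
    legitimate corners of it, the way a takeover leaves real customers working."""
    p = RpzPolicy()
    p.add("*.ddns-provider.example", NXDOMAIN)          # every subdomain of the provider
    p.add("ddns-provider.example", NXDOMAIN)            # wildcard alone does not cover the apex
    p.add("status.ddns-provider.example", PASSTHRU)     # exact allow beats the wildcard block
    p.add("*.customers.ddns-provider.example", PASSTHRU)  # longer wildcard beats shorter one
    return p


def apply_policy(policy, qnames):
    return {q: policy.decide(q) for q in qnames}


if __name__ == "__main__":
    queries = [
        "www.example.net",
        "bot123.ddns-provider.example",
        "a.b.bot123.ddns-provider.example",
        "ddns-provider.example",
        "status.ddns-provider.example",
        "shop.customers.ddns-provider.example",
    ]
    for q, (action, rule) in apply_policy(build_sample_policy(), queries).items():
        print(f"{q:45} -> {action:8} via {rule}")
```

Note the two ordering rules the sample exercises: the apex needs its own exact entry because `*.zone` only triggers on names below it, and a PASSTHRU for a deeper wildcard overrides an NXDOMAIN for a shallower one. Getting these wrong is how a well-meant block list either misses the parent domain or knocks out a legitimate customer of the same provider.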
Butterfly botnet takedown
Dec 11, 2012 - "The Department of Justice and the FBI, along with international law enforcement partners, announced the arrests of 10 individuals from Bosnia and Herzegovina, Croatia, Macedonia, New Zealand, Peru, the United Kingdom, and the United States and the execution of numerous search warrants and interviews. The operation identified international cyber crime rings that are linked to multiple variants of the Yahos malicious software, or malware, which is linked to more than 11 million compromised computer systems and over $850 million in losses via the Butterfly Botnet, which steals computer users’ credit card, bank account, and other personal identifiable information... Facebook’s security team provided assistance to law enforcement throughout the investigation by helping to identify the root cause, the perpetrators, and those affected by the malware..."
13 Dec 2012
Feds convict Stock Scammers ...
Dec 13, 2012 - "On Wednesday, the U.S. Justice Department announced that it had obtained convictions against a cybercrime gang that committed securities fraud through the use of botnets and spam. Oddly enough, none of the botmasters or spammers who assisted in the scheme were brought to justice or identified beyond their hacker handles... The defendants who pleaded or were found guilty in this case were convicted of orchestrating “pump-and-dump” stock scams. These are schemes in which fraudsters buy up low-priced stock, blast out millions of spam e-mails touting the stock as a hot buy and then dump their shares as soon as the share price ticks up from all of the spam respondents buying into the scam. A press release from the U.S. Attorney for the District of New Jersey* noted that the ringleader of the scam, 44-year-old Christopher Rad, of Cedar Park, Texas, communicated with the spammers via Skype, addressing them by their hacker aliases, such as 'breg', 'ega', 'billybob6001' and 'be3ez12'... It’s not clear yet what botnet or other method Rahul/be3ez12 used to blast out his spam during the time he allegedly aided in these stock scams..."
"... conspiracy to commit securities fraud..."
Android botnet discovered across all major networks
Dec 18, 2012 - "A new Android spam botnet has been discovered across all major networks that sends thousands of text messages -without- a user’s permission, TheNextWeb reported. The threat, which is known as SpamSoldier, was detected on December 3rd by Lookout Security* in cooperation with an unnamed carrier partner. The malware is said to spread through a collection of infected phones that send text messages, which usually advertise free versions of popular paid games like Grand Theft Auto and Angry Birds Space, to hundreds of users each day. Once a user clicks on the link to download the game, his or her phone instead downloads the malicious app. When the app is downloaded, SpamSoldier removes its icon from the app drawer, installs a free version of the game in question and immediately starts sending spam messages. The security firm notes that the threat isn’t widespread; however, it has been spotted on all major carriers in the U.S. and has potential to do serious damage..."
"... Consistent with CloudMark’s analysis**, we’ve seen a number of different spam campaigns active..."
"... The trojan apps were downloaded from sites on a server in Hong Kong offering free games. They claimed to be copies of popular games:
... you have to jump through some hoops to install an Android app from a random web site rather than Google Play...
...Don’t do this..."
19 Dec 2012