Pandemic of the Botnets 2015
FYI...
NCCU/Europol shuts down RAMNIT Botnet
- http://www.pcmag.com/article2/0,2817,2477392,00.asp
Feb 25, 2015 - "... In partnership with Europol and local law enforcement units in The Netherlands, Italy, and Germany, the National Cyber Crime Unit (NCCU) shut down command and control servers used by a network of infected computers. The botnet, named RAMNIT, spread malware through what appeared to be trustworthy links sent via phishing emails or social networking sites. One click of the seemingly harmless URL by Windows users, and the malware would be installed. Computers would then be under the control of criminals, allowing the hackers to access personal information, steal passwords, and disable antivirus protection... National Crime Agency investigators believe RAMNIT could have contaminated more than 3 million computers worldwide — 33,000 of which are in the U.K. According to the collected data, the botnet has, so far, been used mostly to siphon money from bank accounts. Microsoft knew something was up when it noticed a spike in computer infections. The company alerted Europol, which teamed up with the Joint Cybercrime Action Taskforce (J-CAT) to take down RAMNIT. Launched in the fall as a six-month pilot program, the J-CAT taskforce will continue its efforts to combat cyber crime, working with agencies across Europe, Canada, and the U.S. to share intelligence..."
- http://nca.police.uk/news/news-listi...e-down-servers
Feb 25, 2015 - "... The NCA is now advising people to check whether their computer has been infected by downloading specialist disinfection software, which is available free of charge at CyberStreetWise* or GetSafeOnline**. The disinfection tools will identify whether a computer has been infected and, if so, disinfect it. The tool will cause no harm if used on computers that have not been infected. Those whose computers have been affected should then change passwords on banking, email, social media and other potentially sensitive online accounts..."
* https://www.cyberstreetwise.com/blog...fter-operation
** https://www.getsafeonline.org/news/ramnit/
- http://www.symantec.com/connect/blog...ment-operation
25 Feb 2015
Ramnit infections by region:
- http://www.symantec.com/connect/site..._Locations.png
:fear::fear:
'Beebone' botnet takedown
FYI...
- http://arstechnica.com/security/2015...wn-as-beebone/
Apr 9, 2015 - "US and European police have shut down a botnet that provided a captive audience of backdoored PCs to criminals who were looking for an easy way to quickly install malware on large numbers of computers. The takedown of the Beebone botnet is something of a coup because the underlying malware was so resistant to detection. Polymorphic downloader software at the heart of the malicious program updated itself as many as 19 times a day. Beebone also relied on a pair of programs that re-downloaded each other, acting as an insurance policy should one of them be removed, authorities told the Associated Press*. "From a techie's perspective, they made it as difficult as they possibly could for us," a Europol advisory told the news organization. The takedown was a joint operation that involved the US FBI, Europol's European Cybercrime Center, and private security groups including Kaspersky Lab, Shadowserver, and McAfee. According to Europol, initial figures showed that Beebone had infected about 12,000 computers. That's a relatively small number since some botnets commandeer millions of end-user devices. Officials said there are likely many more Beebone victims. There are more than five million unique samples of the underlying downloader worm, known as W32/Worm-AAEH, with more than 205,000 samples taken from 23,000 systems in 2013 and 2014. The infected computers are spread across more than 195 countries, with the US reporting the biggest number of compromises, followed by Japan, India, and Taiwan. Infections were also hard to eradicate because the malware blocked connections to antivirus websites. The takedown was carried out by "sinkholing" the Beebone command-and-control network. Sinkholing is the process of seizing all domain names and IP addresses used to centrally control the infected machines. 
The whitehats performing the takedown set up their own command channel that prevented the computers from downloading malware updates or participating in any other botnet activities. To be fully free of the Beebone menace, infected computers still must be disinfected using AV software or, better yet, by having their hard drives wiped and operating systems reinstalled. Authorities are in the process of contacting Internet service providers and computer emergency response teams around the world to help identify and contact individual victims..."
* http://www.nytimes.com/aponline/2015...ybercrime.html
Apr 9, 2015
- http://www.symantec.com/connect/app#...bution-network
09 Apr 2015
- https://www.europol.europa.eu/conten...beebone-botnet
9 April 2015
___
SIMDA: (Another) Botnet Takedown
- http://blog.trendmicro.com/trendlabs...tnet-takedown/
Apr 12, 2015 - "... the malware targeted popular sites including Facebook, Bing, Yahoo, and Google Analytics... it modifies HOSTS files, which redirects users to malicious sites whenever they try to access legitimate sites..."
Modified HOSTS file:
> https://blog.trendmicro.com/trendlab..._host_file.png
(More detail at TrendMicro...)
:fear::fear:
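The Trend Micro post above describes SIMDA rewriting the HOSTS file so that requests for legitimate sites are silently sent elsewhere. The following checker is an added example, not code from Trend Micro or from any of the linked articles: it parses HOSTS-file text and flags entries that map the domains named in the post (and their subdomains) either to a non-local address (a redirect) or to a loopback/unspecified address (a block, the same trick used to cut off antivirus update sites). The sample HOSTS content, the RFC 5737 documentation addresses in it and the watched-domain list are all constructed for this example and would be tuned to a real environment.

```python
"""Flag HOSTS-file entries that redirect or block well-known domains.

Added example (not from the Trend Micro post or the linked articles).
Sample input, addresses (RFC 5737 documentation ranges) and the watched
domain list below are constructed for illustration.
"""
import ipaddress

# Domains the Trend Micro post says SIMDA targeted. Assumption: a real
# deployment would extend this with its own sites and AV-vendor hosts.
WATCHED_DOMAINS = {"facebook.com", "bing.com", "yahoo.com", "google-analytics.com"}

# Constructed sample HOSTS content, not a capture from an infected machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.   (comment lines are ignored)
127.0.0.1       localhost
::1             localhost
127.0.0.1       dev.internal.example        # harmless local dev entry
# Entries of the kind described in the post (constructed):
192.0.2.10      www.facebook.com
192.0.2.10      facebook.com
192.0.2.11      www.bing.com
192.0.2.12      google-analytics.com www.google-analytics.com
127.0.0.1       www.yahoo.com               # blocked rather than redirected
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in HOSTS-file text.

    A HOSTS line is '<ip> <name> [<name> ...]'; '#' starts a comment.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line; not a mapping
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower().rstrip("."), line_no


def is_local(ip):
    """True for loopback (127.0.0.1, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an IP literal at all; treat as not local
    return addr.is_loopback or addr.is_unspecified


def watched_base(hostname, watched=WATCHED_DOMAINS):
    """Return the watched domain that hostname equals or is a subdomain of."""
    for domain in watched:
        if hostname == domain or hostname.endswith("." + domain):
            return domain
    return None


def find_suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return a list of findings for watched domains present in HOSTS text.

    kind == 'redirected': domain points at a non-local address (SIMDA-style).
    kind == 'blocked':    domain points at loopback/unspecified (site cut off).
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        base = watched_base(name, watched)
        if base is None:
            continue  # ordinary entry, e.g. localhost or an internal host
        kind = "blocked" if is_local(ip) else "redirected"
        findings.append({"line": line_no, "ip": ip, "host": name,
                         "domain": base, "kind": kind})
    return findings


def redirect_targets(findings):
    """Distinct addresses that watched domains are redirected to."""
    return sorted({f["ip"] for f in findings if f["kind"] == "redirected"})


if __name__ == "__main__":
    results = find_suspicious_entries(SAMPLE_HOSTS)
    for f in results:
        print(f"line {f['line']:>3}: {f['host']:<28} -> {f['ip']:<12} [{f['kind']}]")
    print("redirect targets:", ", ".join(redirect_targets(results)))
```

On a real machine the text would be read from `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts`) and any `redirected` finding is worth treating as an indicator: a legitimate HOSTS file rarely maps a public site anywhere, and the set of redirect targets gives the addresses to look for in proxy and DNS logs across other hosts.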
Major cybercrime ring dismantled by Europol
FYI...
- https://www.europol.europa.eu/conten...stigation-team
25 June 2015 - "A joint investigation team (JIT) consisting of investigators and judicial authorities from six different European countries, supported by Europol and Eurojust, has taken down a major cybercriminal group during a coordinated action in Ukraine. With on-the-spot support from Europol, Austrian and Belgian law enforcement and judicial authorities, the action in Ukraine on 18 and 19 June resulted in the arrest of five suspects, eight house searches in four different cities, and the seizure of computer equipment and other devices for further forensic examination. The aim of this JIT was to target high-level cybercriminals and their accomplices who are suspected of developing, exploiting and distributing Zeus and SpyEye malware - two well-known banking Trojans - as well as channelling and cashing-out the proceeds of their crimes. The cybercriminals used malware to attack online banking systems in Europe and beyond, adapting their sophisticated banking Trojans over time to defeat the security measures implemented by the banks. Each cybercriminal had their speciality and the group was involved in creating malware, infecting machines, harvesting bank credentials and laundering the money through so-called money mule networks. On the digital underground forums, they actively traded stolen credentials, compromised bank account information and malware, while selling their hacking ‘services’ and looking for new cooperation partners in other cybercriminal activities. This was a very active criminal group that worked in countries across all continents, infecting tens of thousands of users’ computers with banking Trojans, and subsequently targeted many major banks. The damage produced by the group is estimated to be at least EUR 2 million.
"In one of the most significant operations coordinated by the agency in recent years Europol worked with an international team of investigators to bring down a very destructive cybercriminal group. With our international partners, we are committed to fighting the threats brought about by malware and other forms of cybercrime, to realise safer technology infrastructures and online financial transactions for businesses and people the world over," said Rob Wainwright, Director of Europol. "This case demonstrates that it is only possible to combat cybercrime in a successful and sustainable way if all actors - that means investigative judges and judicial authorities - coordinate and cooperate across the borders," Ingrid Maschl-Clausen, National Member of Austria to Eurojust, commented at a press conference in Vienna.
The recent action was part of the wider investigation that was launched in 2013 by the JIT members (Austria, Belgium, Finland, the Netherlands, Norway and the United Kingdom), and facilitated by Europol and Eurojust. Last week’s results bring the total number of arrests in this operation to 60 – 34 who were captured as part of a ‘money mule’ operation run by Dutch law enforcement authorities.
Europol has provided crucial support to the investigation since 2013 including handling and analysis of terabytes of data, and thousands of files in the Europol Malware Analysis System; handling of thousands of sensitive operational messages; production of intelligence analysis reports; forensic examination of devices; organisation of operational meetings and bi-monthly international conference calls. The enormous amount of data that was collected and processed during the investigation will now be used to trace the cybercriminals still at large... Eurojust hosted coordination meetings, bringing the judicial authorities and investigative judges together. Moreover, Eurojust provided legal advice, and assisted with the drafting of the Joint Investigation Team Agreement, as well as supported the joint investigation team during the lifetime of the entire process. Eurojust also enabled contacts at judicial level between non-EU Member States, in particular with Ukraine. Several action days took place during the course of the long-running investigation, which resulted in significant operational successes in Belgium, Estonia, Finland, Latvia, the Netherlands and Ukraine. Such results were possible thanks to intense cooperation between the JIT and law enforcement and judicial partners in Estonia, Latvia, Germany, Moldova, Poland, Ukraine and the US."
:fear::fear:
Darkode Hacking Forum dismantled
FYI...
- http://www.justice.gov/opa/pr/major-...rum-dismantled
July 15, 2015 - "The computer hacking forum known as Darkode was dismantled, and criminal charges have been filed in the Western District of Pennsylvania and elsewhere against 12 individuals associated with the forum, announced Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, U.S. Attorney David J. Hickton of the Western District of Pennsylvania and Deputy Director Mark F. Giuliano of the FBI. “Hackers and those who profit from stolen information use underground Internet forums to evade law enforcement and target innocent people around the world,” said Assistant Attorney General Caldwell. “This operation is a great example of what international law enforcement can accomplish when we work closely together to neutralize a global cybercrime marketplace. Of the roughly 800 criminal internet forums worldwide, Darkode represented one of the gravest threats to the integrity of data on computers in the United States and around the world and was the most sophisticated English-speaking forum for criminal computer hackers in the world,” said U.S. Attorney Hickton. “Through this operation, we have dismantled a cyber hornets’ nest of criminal hackers which was believed by many, including the hackers themselves, to be impenetrable. This is a milestone in our efforts to shut down criminals’ ability to buy, sell, and trade malware, botnets and personally identifiable information used to steal from U.S. citizens and individuals around the world,” said Deputy Director Giuliano. “Cyber criminals should not have a safe haven to shop for the tools of their trade and Operation Shrouded Horizon shows we will do all we can to disrupt their unlawful activities.” As alleged in the charging documents, Darkode was an online, password-protected forum in which hackers and other cyber-criminals convened to buy, sell, trade and share information, ideas, and tools to facilitate unlawful intrusions on others’ computers and electronic devices. 
Before becoming a member of Darkode, prospective members were allegedly vetted through a process in which an existing member invited a prospective member to the forum for the purpose of presenting the skills or products that he or she could bring to the group.
Darkode members allegedly used each other’s skills and products to infect computers and electronic devices of victims around the world with malware and, thereby gain access to, and control over, those devices. The takedown of the forum and the charges announced today are the result of the FBI’s infiltration, as part of Operation Shrouded Horizon, of the Darkode’s membership. The investigation of the Darkode forum is ongoing, and the U.S. Attorney’s Office of the Western District of Pennsylvania is taking a leadership role in conjunction with the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS). The charges announced today are part of a coordinated effort by a coalition of law enforcement authorities from 20 nations to charge, arrest or search 70 Darkode members and associates around the world. The nations comprising the coalition include Australia, Bosnia and Herzegovina, Brazil, Canada, Colombia, Costa Rica, Cyprus, Croatia, Denmark, Finland, Germany, Israel, Latvia, Macedonia, Nigeria, Romania, Serbia, Sweden, the United Kingdom and the United States. Today’s actions represent the largest coordinated international law enforcement effort ever directed at an online cyber-criminal forum..."
- http://arstechnica.com/security/2015...e-crime-forum/
July 14, 2015
- http://www.reuters.com/article/2015/...0ZV11R20150715
July 15, 2015 - "... Those charged are accused of crimes including conspiring to commit computer fraud, wire fraud and money laundering, selling and using malware programs that could steal data from computers and cellphones and using "bot" networks to take over computers and send spam email."
:fear::fear: