Pandemic of the botnets 2011
FYI...
Waledac wakes up...
- http://community.websense.com/blogs/...-of-sleep.aspx
13 Jan 2011 - "... On Tuesday morning a new variant* of Waledac was distributed to members of the botnet. Yesterday it started spamming again, but now it's back to sending pharmaceutical spam promoting "the magic blue pill" which we have seen previous versions of Waledac do in the past. As in previous spam campaigns, the spammers are using redirections via compromised legitimate sites... The new spam campaign doesn't redirect to malicious content, just to spam content, but that could change at any point if the people behind Waledac decide to grow the botnet. We have seen hundreds of different subjects being used in this campaign, here are some examples:
Wonderful revealing effect on your libido.
I dream u to be vigorous, dive into u dream this too
The most excellent way to satisfy her
Your gf wants your organ to be the finest worker of the year!
Want to act like a xxxstar? Bang a blu-colored pill!
FDA-approved blue-blu-colored med to heal ED!
She needs YOU to grow your PENI!
Wish to surprise and gratify your lady tonight? ..."
* http://www.virustotal.com/file-scan/...45e-1294875643
File name: erobyxwugwaugj.exe
Submission date: 2011-01-12 23:40:43 (UTC)
Result: 13/42 (31.0%)
There is a more up-to-date report (21/42) for this file.
- http://www.virustotal.com/file-scan/...45e-1295079348
File name: 0aae4f7c578bf77f36d12bd353dd3e71
Submission date: 2011-01-15 08:15:48 (UTC)
Result: 21/42 (50.0%)
- http://www.symantec.com/connect/blog...tnet-back-rise
12 Jan 2011
Distribution of the malware
> http://www.symantec.com/connect/site...mages/fig3.JPG
___
Waledac... [has stolen] almost 500,000 email passwords ...
- http://forums.spybot.info/showpost.p...0&postcount=82
2 February 2011
DDoS botnet update - greenter.ru & globdomain.ru
FYI...
- http://www.shadowserver.org/wiki/pmw...endar/20110116
16 January 2011 - "On September 13, 2010, I posted a blog about a very active BlackEnergy DDoS botnet that was attacking a wide variety of victims.
http://www.shadowserver.org/wiki/pmw...endar/20100913
Since that post, the Command and Control servers on the greenter.ru and globdomain.ru domains have directed DDoS attacks against approximately 170 different victims. Again, these attacks are across many different industries and target some rather high profile sites. As of 9/13/10, I've seen these controllers use the following hosting providers. The list indicates the date first seen on the provider, the IP address used, the AS number of the provider, and the country of the provider:
greenter.ru hosts
* 08/07/10 - 194.28.112.135 - AS48691 SPECIALIST-AS Specialist Ltd - Moldova
* 11/18/10 - 188.95.159.114 - AS51306 - Tavria Host Network - Ukraine
* 11/30/10 - 193.186.9.60 - AS44209 - FINACTIVE - Ukraine
* 1/7/10 - 46.252.129.155 - AS52055 - ReliktBVK - Latvia
globdomain.ru hosts
* 08/07/10 - 194.28.112.134 - AS48691 SPECIALIST-AS Specialist Ltd - Moldova
* 11/23/10 - 188.95.159.115 - AS51306 - Tavria Host Network - UA
* 11/30/10 - 193.186.9.61 - AS44209 - FINACTIVE - UA
* 1/7/10 - 46.252.129.156 - AS52055 - ReliktBVK - LV
As of this post, globdomain.ru is on 46.252.129.156 and greenter.ru is on 46.252.129.155. Shadowserver is in the process of notifying the various global CERT teams, Law Enforcement, as well as the victims themselves..."
Darkness DDoS bot version identification guide
- http://www.shadowserver.org/wiki/pmw...endar/20110127
27 January 2011
Conficker Group... roadmap for stopping worm
FYI...
- http://www.informationweek.com/share...leID=229100192
Jan. 25, 2011 - "... On Monday, the Rendon Group released a report*, funded by the Department of Homeland Security, rounding up the 15-person-strong working group's "lessons learned." The report highlighted the group's biggest achievement: "preventing the author of Conficker from gaining control of the botnet." Doing so, however, required coordinating with organizations in more than 100 countries to block the more than 50,000 domains per day generated by the Conficker C worm..."
* http://www.confickerworkinggroup.org...endar/20110124
Lessons Learned ...
THANK YOU ...Conficker Group
SpyEye/ZeuS merger - revisited ...
FYI...
- http://krebsonsecurity.com/2011/02/r...yezeus-merger/
February 3, 2011 - "... Seculert*, a new threat alert service... includes some screen shots of the administrative panel of SpyZeuS that show the author trying to appeal to 'users' of both Trojans, by allowing 'customers' to control and update their botnets using either the traditional ZeuS or SpyEye Web interface... the author(s) has been adding new features to both the bot and the control panels nearly every day..."
* http://blog.seculert.com/2011/01/fre...ydra-head.html
- http://www.pcworld.com/article/21858...fter_zeus.html
Feb 3, 2011
___
- http://www.informationweek.com/share...leID=229201215
Feb. 4, 2011
- http://www.trusteer.com/blog/zeus-co...g-its-progress
Feb. 3, 2011
Top 10 botnets - 2010 ...
FYI...
- http://www.securityweek.com/top-10-b...eased-damballa
Feb 15, 2011 - "Damballa... today released its “Top 10 Botnet Threat Report - 2010”... At its peak in 2010, the total number of unique botnet victims grew by 654 percent, with an average incremental growth of eight percent per week... Some highlights include:
• Of the Top 10 largest botnets in 2010, six of these botnets did not exist in 2009, and only one (Monkif) was present in the 2009 Top 10 largest botnets.
• The biggest botnet of 2010 (a botnet associated with the TDL Gang)... claiming nearly 15 percent of all unique infected victims in 2010.
• The Top 10 largest botnets in 2010 accounted for approximately 47 percent of all botnet compromised victims...
• ... more than 35 percent of unique IP addresses infected were simultaneously victims of two or more different botnet campaigns...
• ... rapid evolution of many popular botnet do-it-yourself (DIY) construction kits and the increased availability of feature-rich browser exploit packs.
• ... malware distribution services became more proficient at installing bot agents on behalf of their customers (i.e. botnet operators).
• The last quarter of 2010 was heavily influenced by the rapid growth of botnets utilizing the TDL master-boot-record (MBR) rootkit technology...
The full report is available here* (Direct PDF Download)"
* http://www.damballa.com/downloads/r_...ets_Report.pdf
___
- http://www.secureworks.com/research/...bot-evolution/
15 February 2011
Cybercrime costs UK $43B a year
FYI...
- http://www.reuters.com/article/2011/...71G35320110217
Feb 17, 2011 - "Cyber crime costs the British economy some 27 billion pounds ($43.5 billion) a year and appears to be "endemic," according to the first official government estimate of the issue published on Thursday. The study by Britain's Office of Cyber Security and Information Assurance concluded digital crime is a growing, widespread problem, and attempts to address it have been hampered by a real lack of understanding and insight. Business is bearing the brunt of the costs at an estimated 21 billion pounds, with the pharmaceutical, biotech, IT, and chemical sectors the worst hit. However, government lost some 2.2 billion pounds and the cost to individual Britons amounted to 3.1 billion pounds, "The Cost of Cyber Crime" report* said. Last year, Britain's National Security Strategy placed cyber attacks as one of the top threats the country faces, along with terrorism, war and natural disasters... The report said 9.2 billion pounds was lost from intellectual property (IP) theft, 7.6 billion from industrial espionage and 2.2 billion from extortion, with large companies being targeted..."
* http://www.cabinetoffice.gov.uk/reso...of-cyber-crime
ZeuS attacks 2-factor ...
FYI...
- http://www.theregister.co.uk/2011/02...cation_attack/
22 February 2011 - "A variant of the ZeuS banking trojan is targeting mobile phone users who rely on their handsets to get enhanced, two-factor authentication from ING Bank Slaski in Poland... The ZeuS man-in-the-mobile attacks appear to be similar to those that hit Spain in September, researchers from antivirus provider F-Secure said*. Both attacks attempt to steal so-called mTANs, short for mobile transaction authentication numbers, which an increasing number of European banks are using to provide enhanced authentication to online customers. Financial institutions send the one-time passwords in text messages. The secondary passcodes are needed to log in to online accounts. The ZeuS Mitmo injects a fraudulent field into webpages that prompts users for their cellphone number and the type of handset they use. The criminals behind the operation then send the user an SMS message containing a link to malware that's customized to their Symbian or Blackberry phone. The malware automatically sends all mTANs sent to the handset to the ZeuS operators..."
* http://www.f-secure.com/weblog/archives/00002104.html
Botnets spew many trojans in February
FYI...
- http://www.eweek.com/c/a/Security/Bo...bruary-553094/
2011-03-04 - "Trojan-based attacks continue to be the biggest malware threat in February, but PDF exploits aren’t far behind, according to several security reports. About 1 in 290 e-mails in February were malicious, making the month one of the most prolific periods for the threats, according to Symantec’s February 2011 MessageLabs Intelligence Report*. The global ratio of spam in e-mail traffic was 81.3 percent, an increase of 2.7 percent since January, the report found. The recent decline in spam appears to have reversed for the time being, according to the report. There was a lot of botnet activity in February, and the perpetrators appeared to be working together to some extent to distribute Trojans, according to Symantec. There were signs of integration across Zeus, Bredolab and SpyEye, as techniques associated with one malware family were being used by others, Symantec said in the report. The attacks were well-timed and used carefully targeted techniques, suggesting a “common origin” for these infected messages. One day, the messages would be propagating mainly Zeus variants, followed by a day dedicated to distributing SpyEye variants and later with Bredolab, in an alternating pattern, according to Paul Wood, MessageLabs Intelligence senior analyst. By the middle of the month, the variants propagated simultaneously with an advanced package that evaded traditional antivirus detection, he said. All the attacks used a .ZIP archive attachment containing malicious code. About 1.5 percent of blocked malware had malicious .ZIP attachments, and 79.2 percent of those files were connected to the Bredolab, Zeus and SpyEye attacks..."
* http://www.messagelabs.com/globalthreats
SpyEye/ZeuS target tracker sites ...
FYI...
- http://krebsonsecurity.com/2011/03/s...tracker-sites/
March 9, 2011 - "Crooks who create botnets with the help of crimeware kits SpyEye and ZeuS are actively venting their frustration with two Web services that help ISPs and companies block infected machines from communicating with control networks run by these botmasters. The lengths to which established cyber criminals are willing to go to disable and discredit these anti-fraud services provide convincing proof that the services are working as designed, and that the bad guys are suffering financially as a result... A series of discussions on an uber-exclusive Russian language forum that caters to identity and credit card thieves reveal that botmasters are becoming impatient in their search for a solution... Their stated goal? To cause SpyEye Tracker and ZeuS Tracker to flag legitimate sites as hostile, and thereby to lose credibility with ISPs that rely on the trackers... it is clear from these and other threads on this forum that the botmasters will continue devising new methods of disabling the trackers..."
(More detail and screenshots available at URL above.)
Data showing recent traffic spikes from DDoS attacks
- http://krebsonsecurity.com/wp-conten...pyzeusdns1.jpg