Rustock botnet takedown...
FYI...
- http://www.theregister.co.uk/2011/03...tnet_takedown/
17th March 2011 - "Spam volumes shrank on Wednesday after the prolific Rustock botnet fell silent, reportedly as a result of a takedown action*. Rustock, which is made up of a network of compromised (malware-infected) Windows PCs, turns an illicit income for its unknown controllers by being the biggest single source of global spam... SecureWorks... last month... said the author(s) of Rustock have pioneered a variety of techniques to evade detection on infected machines and to stymie security researchers hoping to unlock the secrets of its day-to-day operations... it is possible that Rustock may be configured to use the news headlines or other topical information from these sites as the random seed for generating new command and control domains..."
* http://krebsonsecurity.com/2011/03/r...olumes-plummet
March 16th, 2011 7:05 pm
- http://labs.m86security.com/2011/03/rustock-down/
March 16th, 2011 - "... A brief look at our spam traps today confirmed that output from Rustock did indeed dry up today. The chart below shows an index of daily spam volume changes from Rustock over the last few weeks:
- http://labs.m86security.com/wp-conte...ustockSpam.png
... let's hope this one sticks. Previous attempts at botnet shutdowns have tended to be short lived as the botnet herders simply regroup and start again..."
___
Operation b107 - Rustock Botnet Takedown
- http://blogs.technet.com/b/mmpc/arch...-takedown.aspx
17 Mar 2011 6:47 PM
- http://online.wsj.com/article/SB1000...861008758.html
MARCH 18, 2011 - "... U.S. marshals accompanied employees of Microsoft's digital crimes unit into Internet hosting facilities in Kansas City, Mo.; Scranton, Pa; Denver; Dallas; Chicago; Seattle and Columbus, Ohio. The Microsoft officials brought with them a federal court order granting them permission to seize computers within the facilities alleged to be "command-and-control" machines, through which the operators of the Rustock botnet broadcast instructions to their army of infected computers, estimated by Microsoft at more than one million machines world-wide..."
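The SecureWorks remark quoted above only speculates that Rustock might seed its command-and-control domain generation from news headlines. The block below is an added illustration of what such a headline-seeded DGA would look like and how a defender turns the same knowledge around; it is not Rustock's code, and the hashing scheme, label length, TLD pool and the use of the date as a second seed component are all assumptions made here.

```python
"""Headline-seeded domain generation, as a worked illustration.

Added example, not Rustock's algorithm: the hashing scheme, label length,
TLD pool and date component are assumptions. The point is that any party
who knows the seed source can enumerate the same candidate list.
"""
import hashlib
import re

TLDS = ("com", "net", "info")      # assumed TLD pool
LABEL_LEN = 12                     # assumed label length
DOMAIN_RE = re.compile(r"^[a-z]{12}\.(com|net|info)$")


def normalise_seed(headline: str) -> str:
    """Canonicalise the topical string so bot and herder derive the same seed
    even if whitespace or capitalisation differs between their copies."""
    return " ".join(headline.lower().split())


def generate_domains(headline: str, iso_day: str, count: int = 10) -> list[str]:
    """Derive `count` candidate C&C domains from a headline plus an ISO date.

    Bot and herder compute the same list independently; the herder registers
    one entry, the bot walks the list until a resolver answers.
    """
    seed = normalise_seed(headline).encode() + b"|" + iso_day.encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        # map the first LABEL_LEN digest bytes onto a-z, next byte picks the TLD
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def sinkhole_candidates(headlines, iso_day: str, count: int = 10) -> list[str]:
    """Defender's view: once the seed source is known, enumerate every domain
    a bot could try for that day so they can be pre-registered or blocked.
    """
    seen = set()
    for headline in headlines:
        seen.update(generate_domains(headline, iso_day, count))
    return sorted(seen)


if __name__ == "__main__":
    # Constructed headline; the real seed source, if any, is unknown.
    for name in generate_domains("Spam volumes plummet after botnet takedown",
                                 "2011-03-16", 5):
        print(name)
```

The defensive half is the interesting one: a sinkhole operator who can reproduce the seed (here, the headline text plus the date) can register the candidates ahead of the herder, which is exactly the kind of pre-emption the takedown coverage above describes.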
Coreflood botnet takedown ...
FYI...
- http://news.yahoo.com/s/afp/20110413...ernetcoreflood
April 13, 2011 WASHINGTON (AFP) – "The US authorities have disabled a vast network of virus-infected computers used by cyber criminals to steal passwords and financial information, the Justice Department and FBI announced Wednesday. The "Coreflood" botnet is believed to have operated for nearly a decade and to have infected more than two million computers around the world, they said in a joint statement. The Justice Department and FBI said charges of wire fraud, bank fraud and illegal interception of electronic communications had been filed against 13 suspects identified in court papers only as John Doe 1, John Doe 2, etc. Five computer servers and 29 Internet domain names were seized as part of the operation, described as the "most complete and comprehensive enforcement action ever taken by US authorities to disable an international botnet"... Coreflood, which exploited a vulnerability in computers running Microsoft's Windows operating systems, was used to steal usernames, passwords and other private personal and financial information, US officials said..."
- http://www.justice.gov/opa/pr/2011/A...1-crm-466.html
April 13, 2011 - More Than 2 Million Computers Infected with Keylogging Software as Part of Massive Fraud Scheme...
- http://krebsonsecurity.com/2011/04/u...eflood-botnet/
April 14, 2011
- http://www.fbi.gov/contact-us/field/...n-connecticut/
April 13, 2011
___
- http://www.secureworks.com/research/threats/coreflood/
June 2008
Zeus adds Investment Fraud...
FYI...
- http://www.trusteer.com/print/node/1533
April 27, 2011 - "We recently discovered and investigated a very interesting new Zeus configuration sample that uses credible looking banner advertisements on major web sites to offer high rate of return investment opportunities. This attack is targeting some of the world’s leading and most trusted websites including: AOL, Amazon, Apple, CNN, Citibank, Forbes, ESPN, and many more. Adding investment fraud to its bag of tricks is a new twist for Zeus. These attacks have only one purpose – to lure users into investing their money through a very convincing and professional looking website, https ://ursinvestment .com, which is a fraud. We traced several examples of this configuration file to attacks on leading websites. In one case, the Zeus mechanism embeds banners on the targeted websites which -redirect- to https ://ursinvestment .com. We were surprised to see how well integrated the banner designs were with the attacked websites... The website is hosted on an IP address (178.18.243.227) that originates from Germany. Huan-jun-net, an unknown network, is responsible for hosting the website..."
(Screenshots and more detail available at the Trusteer URL above.)
- http://www.fbi.gov/news/testimony/cy...-and-terrorism
April 12, 2011 - "... The Booming Business of Botnets: ... The botnets run by criminals could be used by cyber terrorists or nation states to steal sensitive data, raise funds, limit attribution of cyber attacks, or disrupt access to critical national infrastructure. Today’s botnets are often modular and can add or change functionality using internal update mechanisms... Some criminals rent or sell their botnets or operate them as a specialized portion of an ad hoc criminal organization. At least one botnet kit author implemented a copy protection scheme, similar to major commercial software releases, which attempts to limit unauthorized use of the botnet kit. Botnets that specialize in data exfiltration are able to capture the contents of encrypted webpages and modify them in real time. When properly configured, criminals can ask additional questions at login or modify the data displayed on the screen to conceal ongoing criminal activity. Criminals purchase the base kits for a few thousand dollars and can pay for additional features to better target specific webservices..."
RBN activity seen - ISC ...
FYI...
- http://isc.sans.org/diary.html?storyid=10888
Last Updated: 2011-05-17 14:05:17 UTC - "... latest log excursion started with two alerts from the ISC poll feature we have on the index page... other odd thing was that these two requests came in very close to each other but look very different. If you look at the two IP addresses (91.214.45.223 and 212.117.165.179), it turns out that both are part of AS 5577, a network registered in Luxembourg. Further, looking up these addresses in Threatstop's "checkip" feature [1] shows that these are suggested to be part of the Russian Business Network... Got quite a few hits like that from AS 5577 hosts*..."
(More detail at the ISC URL above.)
[1] http://threatstop.com/checkip
* http://www.google.com/safebrowsing/d...c?site=AS:5577
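The ISC diary above did the AS lookup by hand and via Threatstop's checkip. As an added example (not the ISC's tooling), the block below does the same check offline over web-server log lines against a local prefix list. The prefixes are constructed placeholders so the code runs without network access; they are NOT the real announcements of AS 5577, which would have to come from a routing-table or whois dump. The log lines are constructed too, using the two addresses named in the diary plus a documentation address as the benign control.

```python
"""Flag web-log requests whose client address falls in an AS of interest.

Added example. AS_PREFIXES holds constructed placeholder routes, not the
real AS 5577 announcements; SAMPLE_LOG is constructed Apache combined-format
data.
"""
import ipaddress
from collections import Counter

# Constructed placeholder prefixes (NOT real AS 5577 routes).
AS_PREFIXES = {
    "AS5577": ["91.214.45.0/24", "212.117.160.0/19"],
}

# Constructed log lines. 192.0.2.10 is an RFC 5737 documentation address.
SAMPLE_LOG = """\
91.214.45.223 - - [17/May/2011:13:58:01 +0000] "POST /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [17/May/2011:13:58:04 +0000] "GET /diary.html?storyid=10888 HTTP/1.1" 200 9124 "-" "Mozilla/5.0"
212.117.165.179 - - [17/May/2011:13:58:09 +0000] "POST /index.html HTTP/1.1" 200 512 "-" "Opera/9.80"
"""


def build_index(prefix_map):
    """Parse the prefix strings once into (network, asn) pairs."""
    return [(ipaddress.ip_network(p), asn)
            for asn, prefixes in prefix_map.items() for p in prefixes]


def lookup_asn(ip_str, index):
    """Longest-prefix match of one address against the index; None if no hit.
    Raises ValueError on a malformed address, which callers decide how to treat."""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for net, asn in index:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def flag_requests(log_text, prefix_map, watch=frozenset({"AS5577"})):
    """Return (client_ip, asn) for every log line whose client sits in a watched AS.
    Lines whose first field is not an IP address are skipped rather than crashing
    the run, since proxies and log corruption produce such lines in practice."""
    index = build_index(prefix_map)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client = line.split(" ", 1)[0]
        try:
            asn = lookup_asn(client, index)
        except ValueError:
            continue
        if asn in watch:
            hits.append((client, asn))
    return hits


def hits_per_asn(log_text, prefix_map, watch=frozenset({"AS5577"})):
    """Summary view: how many flagged requests came from each watched AS."""
    return Counter(asn for _, asn in flag_requests(log_text, prefix_map, watch))


if __name__ == "__main__":
    for client, asn in flag_requests(SAMPLE_LOG, AS_PREFIXES):
        print(f"{client} -> {asn}")
    print(dict(hits_per_asn(SAMPLE_LOG, AS_PREFIXES)))
```

In a real deployment the prefix list is refreshed from a routing source on a schedule; the diary's observation that "quite a few hits" came from the same AS is exactly the per-AS count this produces.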
Mariposa botnet is alive ...
FYI...
- http://blog.trendmicro.com/mariposap...he-rise-again/
May 25, 2011 - "... despite the Mariposa botnet takedown in early 2010, some of its command-and-control (C&C) servers are still very much alive. Our findings were further verified, as according to abuse.ch, there are currently 89 active Mariposa C&C servers. This number is also steadily growing, as we’ve found 116 active C&C servers as of this writing. The list even includes the infamous URL that was responsible for the botnet’s name — Mariposa. We checked out the variants that were causing the activity and found that although currently in-the-wild samples slightly differed from previous versions, their functions remained the same. WORM_PALEVO is a modularized bot mainly used to perform distributed denial-of-service (DDoS) attacks and to download other files. As a commercial bot, its modules can be separately bought should herders want to add features such as propagation, browser monitoring and hijacking, cookie stuffing, and flooding and download routines to their creations. The bots communicate with their C&C server using UDP, which firewall devices do not typically block..."
> http://blog.trendmicro.com/wp-conten.../05/PALEVO.jpg
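The Trend Micro post above notes that Palevo bots talk to their C&C over UDP because firewalls rarely block it. A practical counter is to look for beaconing rather than for the port: regular outbound UDP from one internal host to one external ip:port that is not a normal UDP service. The block below is an added example of that detection over flow records; it is not Trend Micro's or abuse.ch's logic, and the flow records, internal ranges, ignored service ports and thresholds are all constructed assumptions.

```python
"""Spot periodic outbound UDP to a fixed external endpoint in flow records.

Added example. FLOWS is constructed; INTERNAL, IGNORED_UDP_PORTS and the
thresholds are assumptions about the monitored environment.
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IGNORED_UDP_PORTS = {53, 67, 68, 123, 500, 4500}   # assumed legitimate UDP services

# Constructed flow records: (epoch seconds, src, dst, dst_port, proto).
# 10.0.0.5 beacons to 198.51.100.7:5050 roughly once a minute;
# 10.0.0.8 makes irregular bursts to 203.0.113.9:3478 and some TCP.
FLOWS = [
    (1000, "10.0.0.5", "198.51.100.7", 5050, "udp"),
    (1000, "10.0.0.5", "10.0.0.2", 53, "udp"),
    (1060, "10.0.0.5", "198.51.100.7", 5050, "udp"),
    (1070, "10.0.0.8", "203.0.113.9", 3478, "udp"),
    (1075, "10.0.0.8", "203.0.113.9", 3478, "udp"),
    (1121, "10.0.0.5", "198.51.100.7", 5050, "udp"),
    (1179, "10.0.0.5", "198.51.100.7", 5050, "udp"),
    (1200, "10.0.0.8", "203.0.113.20", 443, "tcp"),
    (1240, "10.0.0.5", "198.51.100.7", 5050, "udp"),
    (1470, "10.0.0.8", "203.0.113.9", 3478, "udp"),
    (1472, "10.0.0.8", "203.0.113.9", 3478, "udp"),
]


def is_internal(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL)


def udp_beacons(flows, min_flows=4, max_cv=0.2):
    """Return [((src, dst, dport), mean_interval, flow_count)] for every
    internal->external UDP tuple with at least `min_flows` flows whose
    inter-arrival times are regular: coefficient of variation <= max_cv.
    """
    times = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto != "udp" or dport in IGNORED_UDP_PORTS:
            continue
        if not is_internal(src) or is_internal(dst):
            continue
        times[(src, dst, dport)].append(ts)

    findings = []
    for key, stamps in times.items():
        stamps.sort()
        if len(stamps) < min_flows:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings.append((key, round(avg, 1), len(stamps)))
    return findings


if __name__ == "__main__":
    for (src, dst, dport), interval, n in udp_beacons(FLOWS):
        print(f"{src} -> {dst}:{dport}/udp every ~{interval}s ({n} flows)")
```

The jitter threshold is the knob that matters: too tight and a bot that randomises its sleep slips through, too loose and legitimate keep-alives (VoIP, game clients) start showing up, which is why the ignored-port list exists alongside it.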
FBI scrubbed 19,000 PCs snared by Coreflood botnet
FYI...
- http://krebsonsecurity.com/2011/06/f...eflood-botnet/
June 21, 2011 - "The FBI has scrubbed some 19,000 PCs that were infected with the Coreflood bot malware, the agency told a federal court last week. The effort is part of an ongoing and unprecedented legal campaign to destroy one of the longest-running and most menacing online crime machines ever built. In April, the Justice Department and the FBI were granted authority to seize control over Coreflood, a criminal botnet that enslaved millions of computers. On April 11, 2011, the U.S. Attorney’s Office for the District of Connecticut was granted authority to seize 29 domain names used to control the daily operations of the botnet, and to redirect traffic destined for the control servers to a substitute server that the FBI controlled. More significantly, the FBI was awarded a temporary restraining order allowing it to send individual PCs infected with Coreflood a command telling the machines to stop the bot software from running..."
> http://krebsonsecurity.com/wp-conten...odjune2011.jpg
- http://www.secureworks.com/research/...reflood-report
August 6, 2008
Butterfly botnet - steals financial information
FYI...
- http://www.darkreading.com/taxonomy/...e/id/231000729
June 29, 2011 - "A financial-fraud botnet built with the same malware kit used in the now-defunct Mariposa botnet remains active after arrests this month of two Eastern European men who allegedly ran it. Researchers at Unveillance, Panda Labs, and Damballa have been studying the botnet, which has been dubbed "EvilFistSquad" by Damballa and "Metulji" by Unveillance and Panda, for some time now. Unveillance and Panda Labs today announced that the botnet has hit businesses and individuals across 172 or more countries, including the U.S., Russia, Brazil, China, Great Britain, India, and Iran. The botnet uses the Butterfly Bot Kit, a.k.a. Palevo, Pilleuz, and Rimecud, the malware that was used by the Mariposa botnet... researchers say the new Metulji/EvilFistSquad botnet uses Butterfly Bot malware to infect its victims, and then steals bank account credentials and other personal information. The worm spreads via removable drives, namely USB sticks. The researchers say that while some of the botnet's domains were taken down, several other domains are still up, running, and harvesting stolen information from victim machines..."