Thread: Pandemic of the botnets 2011

  1. #1 AplusWebMaster (Adviser Team; Join Date: Oct 2005; Location: USA; Posts: 6,881)

    Pandemic of the botnets 2011

    FYI...

    Waledac wakes up...
    - http://community.websense.com/blogs/...-of-sleep.aspx
    13 Jan 2011 - "... On Tuesday morning a new variant* of Waledac was distributed to members of the botnet. Yesterday it started spamming again, but now it's back to sending pharmaceutical spam promoting "the magic blue pill" which we have seen previous versions of Waledac do in the past. As in previous spam campaigns, the spammers are using redirections via compromised legitimate sites... The new spam campaign doesn't redirect to malicious content, just to spam content, but that could change at any point if the people behind Waledac decide to grow the botnet. We have seen hundreds of different subjects being used in this campaign; here are some examples:
    Wonderful revealing effect on your libido.
    I dream u to be vigorous, dive into u dream this too
    The most excellent way to satisfy her
    Your gf wants your organ to be the finest worker of the year!
    Want to act like a xxxstar? Bang a blu-colored pill!
    FDA-approved blue-blu-colored med to heal ED!
    She needs YOU to grow your PENI!
    Wish to surprise and gratify your lady tonight?
    ..."
    * http://www.virustotal.com/file-scan/...45e-1294875643
    File name: erobyxwugwaugj.exe
    Submission date: 2011-01-12 23:40:43 (UTC)
    Result: 13/42 (31.0%)
    There is a more up-to-date report (21/42) for this file.
    - http://www.virustotal.com/file-scan/...45e-1295079348
    File name: 0aae4f7c578bf77f36d12bd353dd3e71
    Submission date: 2011-01-15 08:15:48 (UTC)
    Result: 21/42 (50.0%)

    - http://www.symantec.com/connect/blog...tnet-back-rise
    12 Jan 2011

    Distribution of the malware
    > http://www.symantec.com/connect/site...mages/fig3.JPG
    ___

    Waledac... [has stolen] almost 500,000 email passwords ...
    - http://forums.spybot.info/showpost.p...0&postcount=82
    2 February 2011

    Last edited by AplusWebMaster; 2011-02-02 at 23:14.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2 AplusWebMaster

    DDoS botnet update - greenter.ru & globdomain.ru

    FYI...

    DDoS botnet update - greenter.ru & globdomain.ru
    - http://www.shadowserver.org/wiki/pmw...endar/20110116
    16 January 2011 - "On September 13, 2010, I posted a blog about a very active BlackEnergy DDoS botnet that was attacking a wide variety of victims.
    http://www.shadowserver.org/wiki/pmw...endar/20100913
    Since that post, the Command and Control servers on the greenter.ru and globdomain.ru domains have directed DDoS attacks against approximately 170 different victims. Again, these attacks are across many different industries and target some rather high profile sites. As of 9/13/10, I've seen these controllers use the following hosting providers. The list indicates the date first seen on the provider, the IP address used, the AS number of the provider, and the country of the provider:
    greenter.ru hosts
    * 08/07/10 - 194.28.112.135 - AS48691 SPECIALIST-AS Specialist Ltd - - Moldova
    * 11/18/10 - 188.95.159.114 - AS51306 - Tavria Host Network - Ukraine
    * 11/30/10 - 193.186.9.60 - AS44209 - FINACTIVE - Ukraine
    * 1/7/10 - 46.252.129.155 - AS52055 - ReliktBVK - Latvia
    globdomain.ru hosts
    * 08/07/10 - 194.28.112.134 - AS48691 SPECIALIST-AS Specialist Ltd - Moldova
    * 11/23/10 - 188.95.159.115 - AS51306 - Tavria Host Network - UA
    * 11/30/10 - 193.186.9.61 - AS44209 - FINACTIVE - UA
    * 1/7/10 - 46.252.129.156 - AS52055 - ReliktBVK - LV
    As of this post, globdomain.ru is on 46.252.129.156 and greenter.ru is on 46.252.129.155. Shadowserver is in the process of notifying the various global CERT teams, Law Enforcement, as well as the victims themselves..."

    Darkness DDoS bot version identification guide
    - http://www.shadowserver.org/wiki/pmw...endar/20110127
    27 January 2011

    Last edited by AplusWebMaster; 2011-01-29 at 03:46.
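    The controller-host list in the Shadowserver excerpt above is the kind of indicator set a defender turns into a block list and a log check. The Python below is an added example, not Shadowserver's or the poster's code. It parses the list exactly as published (including its inconsistent separators, the "- -" double field and the mix of country names and two-letter codes), extracts the IP and AS indicators, and matches them against a few constructed egress-firewall log lines in an assumed `src -> dst:port` layout.

```python
"""Turn the Shadowserver controller-host list quoted above into structured
indicators and match them against connection logs.

Added example; not Shadowserver's or the post author's code.  Assumed input
format: a "<domain> hosts" header followed by bullet lines
"* MM/DD/YY - IP - ASnnnn [AS name] - provider - country".  The separators
are inconsistent in the published list (an AS name glued to the AS number,
an empty field, two-letter vs. full country names), so the parser anchors on
the fields it can trust (date, IP, AS number) and normalises the rest.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import date, datetime

# Indicator lines copied verbatim from the Shadowserver excerpt in the post.
CONTROLLER_LIST = """\
greenter.ru hosts
* 08/07/10 - 194.28.112.135 - AS48691 SPECIALIST-AS Specialist Ltd - - Moldova
* 11/18/10 - 188.95.159.114 - AS51306 - Tavria Host Network - Ukraine
* 11/30/10 - 193.186.9.60 - AS44209 - FINACTIVE - Ukraine
* 1/7/10 - 46.252.129.155 - AS52055 - ReliktBVK - Latvia
globdomain.ru hosts
* 08/07/10 - 194.28.112.134 - AS48691 SPECIALIST-AS Specialist Ltd - Moldova
* 11/23/10 - 188.95.159.115 - AS51306 - Tavria Host Network - UA
* 11/30/10 - 193.186.9.61 - AS44209 - FINACTIVE - UA
* 1/7/10 - 46.252.129.156 - AS52055 - ReliktBVK - LV
"""

# The list mixes ISO codes and names; normalise to one spelling (assumed mapping).
COUNTRY_ALIASES = {"UA": "Ukraine", "LV": "Latvia", "MD": "Moldova"}

# Fields we can anchor on; everything after the AS number is free text.
_ENTRY = re.compile(
    r"^\*\s*(?P<date>\d{1,2}/\d{1,2}/\d{2})\s*-\s*"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*-\s*"
    r"AS(?P<asn>\d+)\s*(?P<rest>.*)$"
)


@dataclass(frozen=True)
class ControllerHost:
    domain: str
    first_seen: date
    ip: str
    asn: int
    provider: str
    country: str


def parse_controller_list(text: str) -> list[ControllerHost]:
    """Parse the published list, keeping the order in which entries appear."""
    hosts: list[ControllerHost] = []
    domain = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(" hosts"):              # section header: "<domain> hosts"
            domain = line[: -len(" hosts")]
            continue
        m = _ENTRY.match(line)
        if m is None or domain is None:
            raise ValueError(f"unrecognised line: {raw!r}")
        ip = str(ipaddress.ip_address(m["ip"]))  # rejects malformed addresses
        # Split the free-text tail on " - " and drop the empty field left by " - - ".
        fields = [f.strip(" -") for f in m["rest"].split(" - ")]
        fields = [f for f in fields if f]
        if not fields:
            raise ValueError(f"no provider/country in: {raw!r}")
        country = COUNTRY_ALIASES.get(fields[-1], fields[-1])
        provider = " ".join(fields[:-1]) or "unknown"
        hosts.append(ControllerHost(
            domain=domain,
            first_seen=datetime.strptime(m["date"], "%m/%d/%y").date(),
            ip=ip, asn=int(m["asn"]), provider=provider, country=country,
        ))
    return hosts


def current_hosts(hosts: list[ControllerHost]) -> dict[str, str]:
    """Latest IP per domain by published order, not by parsed date: as written,
    the post's '1/7/10' entries would sort before its '08/07/10' entries."""
    latest: dict[str, str] = {}
    for h in hosts:
        latest[h.domain] = h.ip
    return latest


def blocklist(hosts: list[ControllerHost]) -> dict[str, list]:
    """Unique IPs and AS numbers suitable for a firewall or IDS list."""
    return {
        "ips": sorted({h.ip for h in hosts}, key=ipaddress.ip_address),
        "asns": sorted({h.asn for h in hosts}),
    }


# Constructed egress-firewall log (not real traffic): "<src> -> <dst>:<port>".
SAMPLE_LOG = """\
10.0.0.12 -> 93.184.216.34:443
10.0.0.45 -> 46.252.129.156:80
10.0.0.45 -> 46.252.129.1:80
10.0.0.7 -> 193.186.9.61:80
"""


def match_log(hosts: list[ControllerHost], log: str) -> list[tuple[str, str, str]]:
    """Return (src, dst, controller domain) for each egress to a known controller IP."""
    by_ip = {h.ip: h.domain for h in hosts}
    hits = []
    for line in log.splitlines():
        src, _, dst = line.partition(" -> ")
        dst_ip = dst.rsplit(":", 1)[0]
        if dst_ip in by_ip:
            hits.append((src, dst_ip, by_ip[dst_ip]))
    return hits


if __name__ == "__main__":
    parsed = parse_controller_list(CONTROLLER_LIST)
    print(current_hosts(parsed))
    print(blocklist(parsed))
    for hit in match_log(parsed, SAMPLE_LOG):
        print("ALERT: %s contacted %s (%s)" % hit)
```

    Two design points: `current_hosts` trusts the published order rather than the parsed dates, because the "1/7/10" entries in the post would otherwise sort to the front of the list; and the matcher compares exact IPs only, since the excerpt documents that each provider hosted both controllers on adjacent addresses, so an AS-wide or /24-wide block is a policy decision to take separately from the indicator match.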

  3. #3 AplusWebMaster

    Conficker Group... roadmap for stopping worm

    FYI...

    Conficker Group... roadmap for stopping worm
    - http://www.informationweek.com/share...leID=229100192
    Jan. 25, 2011 - "... On Monday, the Rendon Group released a report*, funded by the Department of Homeland Security, rounding up the 15-person-strong working group's "lessons learned." The report highlighted the group's biggest achievement: "preventing the author of Conficker from gaining control of the botnet." Doing so, however, required coordinating with organizations in more than 100 countries to block the more than 50,000 domains per day generated by the Conficker C worm..."
    * http://www.confickerworkinggroup.org...endar/20110124
    Lessons Learned ...

    THANK YOU ...Conficker Group

  4. #4 AplusWebMaster

    SpyEye/ZeuS merger - revisited ...

    FYI...

    SpyEye/ZeuS merger - revisited...
    - http://krebsonsecurity.com/2011/02/r...yezeus-merger/
    February 3, 2011 - "... Seculert*, a new threat alert service... includes some screen shots of the administrative panel of SpyZeuS that show the author trying to appeal to 'users' of both Trojans, by allowing 'customers' to control and update their botnets using either the traditional ZeuS or SpyEye Web interface... the author(s) has been adding new features to both the bot and the control panels nearly every day..."
    * http://blog.seculert.com/2011/01/fre...ydra-head.html

    - http://www.pcworld.com/article/21858...fter_zeus.html
    Feb 3, 2011
    ___

    - http://www.informationweek.com/share...leID=229201215
    Feb. 4, 2011
    - http://www.trusteer.com/blog/zeus-co...g-its-progress
    Feb. 3, 2011

    Last edited by AplusWebMaster; 2011-02-07 at 23:01.

  5. #5 AplusWebMaster

    Zbot detections - MSRT

    FYI...

    Zbot detections - MSRT
    - http://blogs.technet.com/b/mmpc/arch...with-msrt.aspx
    10 Feb 2011 - "... Zbot itself is continually evolving, having undergone many changes in the last year or so, ‘updates’ to the file-based obfuscation, anti-AV defensive techniques, information stealing capabilities, configuration file protection, API hooking, pseudo-random domain generation, process injection and file infection... we can show the telemetry we’ve gathered from the MSRT and Microsoft Security Essentials over the last four months documenting the percentage of Zbot detections exhibiting these new features... Of all the changes that Zbot has undergone however, the most significant from an MSRT perspective is the move towards file infection. Since its inception, Zbot has employed process injection targeting multiple processes on the system, the extent of which is governed by the privilege level of the user who unwittingly triggers the infection. (TIP: If you’re going to run an attachment you got from an email or a link, or via Facebook, don’t elevate it to admin via UAC.) In some newer variants of Zbot in the wild, for each infected process it will hook several Windows APIs, modify and infect binary files, and infect files shared in the network. One interesting behavior to note is that the infected process thread will continually monitor and infect other processes... In its original form, Zbot hooked around 15 APIs. But newer versions, dubbed Zbot 2.x, hook upwards of 30 APIs. The API that we are most interested in however is NtCreateFile(), which is invoked upon opening files... Zbot can infect both directly and upon opening files..."

    Zbot detections - charted
    - http://www.microsoft.com/security/po...zbotmsrt-1.png
    Zbot code injection and hooking process
    - http://www.microsoft.com/security/po...zbotmsrt-2.png

    - http://www.darkreading.com/taxonomy/...e/id/229216691
    Feb 10, 2011

    - http://www.microsoft.com/security/si...#section_4_5_1

    Last edited by AplusWebMaster; 2011-02-12 at 00:10.
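    The Conficker post above describes blocking more than 50,000 generated domains per day, and the MSRT post above lists pseudo-random domain generation among Zbot's newer features. A bot working through a generated candidate list resolves many names that nobody has registered, so a burst of NXDOMAIN answers for gibberish-looking names from a single host is a practical network-side signal. The Python below is an added example, not code from the Conficker Working Group, Microsoft or the poster; it implements no real botnet's algorithm, assumes a `epoch client qname rcode` DNS log layout, and generates constructed sample lines (consonant-only random labels standing in for DGA output).

```python
"""Flag hosts whose DNS traffic looks like a domain-generation algorithm (DGA)
working through its daily candidate list.

Added example; not code from the Conficker Working Group, Microsoft or the
post author, and not any real botnet's algorithm.  It scores an assumed
"<epoch> <client-ip> <qname> <rcode>" DNS log with two generic heuristics:
a burst of NXDOMAIN answers from one client, for names whose second-level
label is long and either consonant-heavy or high-entropy.  Sample log lines
are constructed below, not captured traffic.
"""
import math
import random
from collections import Counter, defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own letter distribution."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(qname: str, min_len: int = 8,
                    max_vowel_ratio: float = 0.25, min_entropy: float = 3.5) -> bool:
    """Heuristic: long second-level label with few vowels or high entropy.
    Thresholds are assumed starting points, not tuned values."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]  # naive: treats "example.co.uk" as SLD "co" (known caveat)
    if len(sld) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in sld) / len(sld)
    return vowel_ratio <= max_vowel_ratio or shannon_entropy(sld) >= min_entropy


def parse_dns_log(text: str) -> list[tuple[int, str, str, str]]:
    """Parse "<epoch> <client> <qname> <rcode>" lines (assumed layout)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append((int(ts), client, qname, rcode))
    return records


def flag_dga_clients(records, threshold: int = 20, window: int = 3600) -> dict:
    """Clients with at least `threshold` NXDOMAIN answers for generated-looking
    names inside any `window`-second interval."""
    per_client = defaultdict(list)
    for ts, client, qname, rcode in records:
        if rcode == "NXDOMAIN" and looks_generated(qname):
            per_client[client].append((ts, qname))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):           # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = {
                "nxdomain_generated": len(events),
                "peak_in_window": peak,
                "examples": [q for _, q in events[:3]],
            }
    return flagged


def build_sample_log(seed: int = 2011) -> str:
    """Constructed log: one client browsing normally, one resolving a burst of
    consonant-only random names (a stand-in for DGA output, not a real DGA)."""
    rng = random.Random(seed)
    t0 = 1295000000  # constructed epoch timestamp
    benign = ["www.example.com", "mail.example.org", "update.microsoft.com",
              "www.virustotal.com", "www.shadowserver.org"]
    lines = [f"{t0 + i * 60} 10.0.0.12 {benign[i % len(benign)]} NOERROR"
             for i in range(30)]
    consonants = "bcdfghjklmnpqrstvwxz"
    for i in range(40):
        label = "".join(rng.choice(consonants) for _ in range(rng.randint(9, 14)))
        rcode = "NOERROR" if i % 10 == 0 else "NXDOMAIN"  # a few candidates are registered
        tld = rng.choice(["com", "net", "org"])
        lines.append(f"{t0 + i * 15} 10.0.0.45 {label}.{tld} {rcode}")
    return "\n".join(lines)


if __name__ == "__main__":
    for client, info in flag_dga_clients(parse_dns_log(build_sample_log())).items():
        print(f"ALERT {client}: {info}")
```

    The per-name heuristic alone produces false positives on legitimate long or odd-looking labels, which is why the alert keys on the combination of a generated-looking name, an NXDOMAIN answer and a burst from one client; the thresholds are assumptions to tune against local baseline traffic, and a public-suffix list would replace the naive second-level-label extraction in production.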

  6. #6 AplusWebMaster

    Top 10 botnets - 2010 ...

    FYI...

    Top 10 botnets - 2010 ...
    - http://www.securityweek.com/top-10-b...eased-damballa
    Feb 15, 2011 - "Damballa... today released its “Top 10 Botnet Threat Report - 2010”... At its peak in 2010, the total number of unique botnet victims grew by 654 percent, with an average incremental growth of eight percent per week... Some highlights include:
    • Of the Top 10 largest botnets in 2010, six of these botnets did not exist in 2009, and only one (Monkif) was present in the 2009 Top 10 largest botnets.
    • The biggest botnet of 2010 (a botnet associated with the TDL Gang)... claiming nearly 15 percent of all unique infected victims in 2010.
    • The Top 10 largest botnets in 2010 accounted for approximately 47 percent of all botnet compromised victims...
    • ... more than 35 percent of unique IP addresses infected were simultaneously victims of two or more different botnet campaigns...
    • ... rapid evolution of many popular botnet do-it-yourself (DIY) construction kits and the increased availability of feature-rich browser exploit packs.
    • ... malware distribution services became more proficient at installing bot agents on behalf of their customers (i.e. botnet operators).
    • The last quarter of 2010 was heavily influenced by the rapid growth of botnets utilizing the TDL master-boot-record (MBR) rootkit technology...
    The full report is available here* (Direct PDF Download)"
    * http://www.damballa.com/downloads/r_...ets_Report.pdf
    ___

    - http://www.secureworks.com/research/...bot-evolution/
    15 February 2011

    Last edited by AplusWebMaster; 2011-02-17 at 21:09.
