
Thread: Pandemic of the Botnets 2013


  1. #1
    Adviser Team AplusWebMaster
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    Pandemic of the Botnets 2013

    FYI...

    Virut botnet takedown ...
    - https://krebsonsecurity.com/2013/01/...-virut-botnet/
    Jan 18, 2013 - "Security experts in Poland on Thursday quietly seized domains used to control the Virut botnet, a huge army of hacked PCs that is custom-built to be rented out to cybercriminals... Some of the domains identified in the takedown effort — including ircgalaxy .pl and zief .pl — have been used as controllers for nearly half a decade. During that time, Virut has emerged as one of the most common and pestilent threats... The action against Virut comes just days after Symantec warned that Virut had been used to redeploy Waledac, a spam botnet that was targeted in a high-profile botnet takedown by Microsoft in 2010... Virut is often transmitted via removable drives and file-sharing networks. But in recent years, it has become one of the most reliable engines behind massive malware deployment systems known as pay-per-install (PPI) networks... It’s not clear how the actions by NASK will impact the long-term operations of the Virut botnet. Many of Virut’s control servers are located outside the reach of NASK, at Russian top-level domain name registrars (.ru). Also, Virut has a failsafe mechanism built to defeat targeted attacks on its infrastructure..."

    Botnets Are Everywhere – See How They Spread ...
    - http://blog.trendmicro.com/trendlabs...al-botnet-map/
    Jan 14, 2013 - "Cybercriminals today create and use botnets to perpetrate their criminal activities. Whether it is to send out Blackhole Exploit Kit spam or to use as entry points into organizations, the one constant is that most bots (victim computers) communicate back and forth with command and control (C&C) servers... we’re publishing a new global map* showing active C&C servers, highlighted by red dots, and bots (victim computers), highlighted by blue dots, to show you where these botnets are located in the world..."
    * http://www.trendmicro.com/us/securit...map/index.html

    - http://www.symantec.com/connect/blog...r-interruption
    7 Jan 2013 - "... the Virut botnet is estimated at approximately 308,000 unique compromised computers that are active on a given day..."

    Last edited by AplusWebMaster; 2013-01-22 at 20:42.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2

    Gozi takedown - and its distributor

    FYI...

    Gozi takedown - and its distributor
    - http://arstechnica.com/security/2013...roof-web-host/
    Jan 24, 2013 - "... starting in 2010, the FBI launched an investigation. It didn't take long to find Gozi's creator, a 25-year-old Moscow resident named Nikita Kuzmin. By November 2010, Kuzmin had been arrested during a trip to the US; by May 2011 he pleaded guilty and agreed to forfeit his Gozi earnings, which might reach up to $50 million. Deniss Čalovskis, the 27-year-old Latvian man who allegedly coded the Web injects and customized them for various banks, was picked up by Latvian police in November 2012. But it was the bulletproof host behind Gozi who turned out to be the most interesting catch — and who took longest to reel in... FBI agents collected an incredible trove of data on the Gozi conspirators. According to court documents, this data cache included wiretaps, seized servers, an interview with a Gozi distributor, and even a host of chat logs lifted from a server used by the criminals behind Gozi. Despite all that, in the end what brought down the bulletproof host was as simple as a cell phone number. With the number in hand, the FBI worked with the Romanian Police Directorate for Combating Organized Crime (DCCO), since the number was based in Bucharest. The DCCO obtained court permission to tap the phone, then agents listened to calls, watched text messages, and intercepted Web addresses and passwords entered on the handset for three months in the spring of 2012... Last month, Romanian police arrested him, bringing the Gozi story to a close. The US government revealed the three arrests today. They unsealed indictments against Kuzmin, Čalovskis, and Paunescu which make clear just how young all three men were when the alleged criminal behavior began. Kuzmin got started with Gozi back in 2005, when he was just 18. Čalovskis was allegedly involved since he was 20. Paunescu is only 28 now, and has allegedly been in the bulletproof hosting business for years. Kuzmin pleaded guilty and will be sentenced in the US, where he faces a maximum 95 years in prison. Extradition proceedings are underway for the other two, who could each face a max of 60 years in a US cell."
    > https://en.wikipedia.org/w/index.php...29#Description

    - https://krebsonsecurity.com/2013/01/...h-gozi-trojan/
    Jan 23, 2013 - "... Web injects for Gozi and for customers of the ZeuS Trojan..."

    - https://www.abuse.ch/?p=3294

    - http://preview.tinyurl.com/audxmfh
    Jan 23, 2013 - FBI.gov

    - http://www.justice.gov/usao/nys/pres...oziVirusPR.php
    Jan 23, 2013

    Last edited by AplusWebMaster; 2013-01-24 at 16:43.

  3. #3

    Bamital takedown ...

    FYI...

    Bamital takedown
    - http://www.symantec.com/connect/blog...tal-bites-dust
    Feb 6, 2013 - "Today we are pleased to announce the successful takedown of the Bamital botnet. Symantec has been tracking this botnet since late 2009 and recently partnered with Microsoft to identify and shut down all known components vital to the botnet's operation. Bamital is a malware family whose primary purpose is to hijack search engine results, redirecting clicks on these results to an attacker controlled command-and-control (C&C) server. The C&C server redirects these search results to websites of the attackers' choosing. Bamital also has the ability to click on advertisements without user interaction. This results in poor user experience when using search engines along with an increased risk of further malware infections. Bamital’s origin can be tracked back to late 2009 and has evolved through multiple variations over the past couple of years. Bamital has primarily propagated through drive-by-downloads and maliciously modified files in peer-to-peer (P2P) networks. From analysis of a single Bamital C&C server over a six-week period in 2011 we were able to identify over 1.8 million unique IP addresses communicating with the server, and an average of three million clicks being hijacked on a daily basis... Clickfraud, the name used for the type of fraud committed by Bamital, is the process of a human or automated script emulating online user behavior and clicking on online advertisements for monetary gain. Bamital redirected end users to ads and content which they did not intend to visit. It also generated non-human initiated traffic on ads and websites with the intention of getting paid by ad networks. Bamital was also responsible for redirecting users to websites peddling malware under the guise of legitimate software... Bamital is just one of many botnets that utilize clickfraud for monetary gain and to foster other cybercrime activities. Many of the attackers behind these schemes feel they are low risk as many users are unaware that their computers are being used for these activities. This takedown sends a message to those attackers that these clickfraud operations are being monitored and can be taken offline..."

    - http://blogs.technet.com/b/security/...edirected=true
    6 Feb 2013

    - http://h-online.com/-1799528
    7 Feb 2013

    Last edited by AplusWebMaster; 2013-02-07 at 16:46.

  4. #4

    Botnet - spreading Android trojans

    FYI...

    Botnet - spreading Android trojans
    - http://h-online.com/-1837356
    8 April 2013 - "The Cutwail botnet, which has already been spreading the banking trojan known as Zeus, is now also trying to pass around a new Android trojan called Stels. Stels infects Android devices by pretending to be an update for Adobe Flash Player***. In case potential victims aren't on an Android device, the developers of the malware have come up with a backup plan – if the dangerous -spam- links are opened in a browser, such as Internet Explorer, on a desktop or laptop computer, users are redirected to web pages where the Blackhole exploit kit lies in wait. A security team at Dell has published a more detailed analysis* of the attack scenario..."
    * http://www.secureworks.com/cyber-thr...ware-analysis/
    "The Stels malware is a multi-purpose Android Trojan horse that can harvest a victim's contact list, send and intercept SMS (text) messages, make phone calls (including calls to premium numbers), and install additional malware packages... Many of the campaigns have used the IRS as a lure** due to the March 15 corporate tax return deadline and the April 15 individual tax return filing deadline..."
    ** http://www.secureworks.com/assets/im...ts.stels.1.png

    *** http://www.secureworks.com/assets/im...ts.stels.2.png

    - http://www.f-secure.com/weblog/archives/00002539.html
    April 8, 2013

    Last edited by AplusWebMaster; 2013-04-10 at 12:56.

  5. #5

    WordPress Botnet from Brute Force Attacks...

    FYI...

    WordPress Botnet from Brute Force Attacks...
    - https://krebsonsecurity.com/2013/04/...dpress-botnet/
    12 April 2013 - "Security experts are warning that an escalating series of online attacks designed to break into poorly-secured WordPress blogs is fueling the growth of an unusually powerful botnet currently made up of more than 90,000 Web servers... Over the past week, analysts from a variety of security and networking firms have tracked an alarming uptick in so-called “brute force” password-guessing attacks against Web sites powered by WordPress, perhaps the most popular content management system in use today... According to Web site security firm Incapsula, those responsible for this crime campaign are scanning the Internet for WordPress installations, and then attempting to log in to the administrative console at these sites using a custom list of approximately 1,000 of the most commonly-used username and password combinations. Incapsula co-founder Marc Gaffan told KrebsOnSecurity that infected sites will be seeded with a backdoor that lets the attackers control the site remotely (the backdoors persist regardless of whether the legitimate site owner subsequently changes his password). The infected sites then are conscripted into the attacking server botnet, and forced to launch password-guessing attacks against other sites running WordPress. Gaffan said the traffic being generated by all this activity is wreaking havoc for some Web hosting firms... this was the message driven home Thursday in a blog post from Houston, Texas based HostGator*, one of the largest hosting providers in the United States. The company’s data suggests that the botnet of infected WordPress installations now includes more than 90,000 compromised sites..."

    * http://blog.hostgator.com/2013/04/11...e-force-flood/
    April 11, 2013

    - http://blog.cloudflare.com/patching-...e-wordpress-br
    April 11, 2013

    - https://www.us-cert.gov/ncas/current...-Botnet-Attack
    April 15, 2013

    - http://atlas.arbor.net/briefs/index#-1593163055
    Elevated Severity
    April 15, 2013
    Large-scale attacks on WordPress sites could indicate that a large botnet with high-bandwidth is being built.
    Analysis: The ongoing financial sector attacks launched as part of Operation Ababil illustrate the damage that can be caused by attackers obtaining access to thousands of web-hosting servers and using them in a coordinated DDoS attack. Compared to botnets composed largely of compromised broadband-connected machines, the additional bandwidth available to most hosting providers and IDCs is attractive to attackers. There is no direct evidence that suggests exactly how these WordPress sites are ultimately intended to be used; however, the methodology of attacking web platforms such as WordPress with weak passwords is very similar to the technique put into place by the actors behind Operation Ababil, who have leaned heavily upon Joomla installations to build their botnet. Strong credentials should be used proactively, and network monitoring for the Command & Control server should be put into place. Arbor customers may leverage the recent ATF policy Backdoor.WordPress.FilesMan to alert on flows involving this Command & Control server.
    Additional references: http://krebsonsecurity.com/2013/04/b...dpress-botnet/
    - http://nakedsecurity.sophos.com/2013...passwords-now/
    Source:
    - http://vr-zone.com/articles/internet...ers/19672.html

    Last edited by AplusWebMaster; 2013-04-18 at 06:16.

  6. #6

    WordPress Brute-Force attacks affect Thousands of Sites

    FYI...

    WordPress Brute-Force attacks affect Thousands of Sites
    - http://blog.trendmicro.com/trendlabs...ands-of-sites/
    April 22, 2013 - "... large-scale brute force attack. These attacks use brute-force techniques to log into WordPress dashboards and plant malicious code onto compromised blogs and websites. It’s important to note what these attacks aren’t. They are not compromising WordPress blogs using known vulnerabilities in unpatched versions; if anything this current attack is less sophisticated than that – it merely tries to log into the default admin account with various passwords. If it is successful in logging in, it adds code for Blackhole Exploit Kit redirection pages to the blog. We have been monitoring these attacks, and we can confirm that they are indeed taking place. Because they add distinctive URLs to the blogs they have compromised, we can identify the scale of this attack... Over a one-day period, we identified more than 1,800 distinct sites that had been compromised by this attack. This represents a significant increase over the typical number of compromised WordPress sites that we encounter over the same period, highlighting the increased activity related to this particular campaign. Both users and site administrators can help mitigate threats like these. This particular attack only targeted administrator accounts that had -not- changed their default login name (admin). It is advisable that users change this to another login name of their choice. These and other steps to mitigate against this attack are outlined in WordPress’s online manual*..."
    * http://codex.wordpress.org/Brute_Force_Attacks

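The password-guessing pattern described in the two WordPress posts above (repeated POSTs to the login page from one source, then a successful login) shows up in an ordinary web-server access log. The detector below is an added example, not code from Trend Micro, Incapsula, HostGator or WordPress; it assumes an Apache "combined" log, that a failed wp-login.php POST re-renders the form with HTTP 200 while a success redirects with 302, and the window and threshold are illustrative. The log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }

def detect_bruteforce(lines, window_s=60, threshold=5):
    """Flag source IPs that POST to wp-login.php `threshold` or more times inside
    any `window_s`-second window. Assumption (not from the thread): a failed
    login answers 200, a success answers 302, so a 302 after a flagged burst
    is a likely guessed password that deserves an immediate look."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still in window
    attempts = defaultdict(int)   # ip -> total login POSTs
    failed = defaultdict(int)     # ip -> login POSTs answered with 200
    flagged = {}
    for line in lines:
        ev = parse(line)
        if not ev or ev["method"] != "POST" or not ev["path"].endswith("/wp-login.php"):
            continue
        ip = ev["ip"]
        attempts[ip] += 1
        if ev["status"] == 200:
            failed[ip] += 1
        q = recent[ip]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()            # drop timestamps that fell out of the window
        if len(q) >= threshold:
            flagged.setdefault(ip, {"likely_success": False})
        if ip in flagged and ev["status"] == 302:
            flagged[ip]["likely_success"] = True
    for ip, entry in flagged.items():
        entry["attempts"] = attempts[ip]
        entry["failed"] = failed[ip]
    return flagged

# Constructed sample log (documentation-range addresses, not real traffic):
# one source guesses five times in 15 seconds and then gets a redirect,
# a second source just reads a post and logs in once.
_GUESSER = "203.0.113.5"
SAMPLE_LOG = [
    f'{_GUESSER} - - [22/Apr/2013:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3425 "-" "Mozilla/5.0"'
    for s in (1, 4, 7, 10, 13)
] + [
    f'{_GUESSER} - - [22/Apr/2013:10:00:16 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [22/Apr/2013:10:05:00 +0000] "GET /2013/04/hello/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [22/Apr/2013:10:06:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```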

  7. #7

    Fraud Bot Traffic surpasses Human Traffic ...

    FYI...

    Fraudulent Bot Traffic surpasses Human Traffic ...
    - http://www.darkreading.com/applicati...ndly=this-page
    Dec 23, 2013 - "There was more bot-driven, fraudulent activity on the Web in the U.S. last quarter than there was human traffic, according to a report posted last week. According to Solve Media's Q3 bot report, fraudulent activity accounted for 51% of U.S. Web traffic in the third quarter - the first time it has surpassed everyday traffic generated by humans. The problem is even bigger in other regions of the globe, according to Solve Media. Estonia (83%), Singapore (79%), and China (77%) had the highest levels of fraudulent Web activity overall, according to the study. Suspicious mobile activity in the United States also increased, up from 22% in Q2 to 27%. Solve Media, which monitors bot traffic as part of its security and digital advertising services, said the growth of fraudulent traffic may change the way online advertisers and commercial organizations approach the Web..."
    * http://news.solvemedia.com/post/7048...raffic-q4-2013

    > http://solvemedia.files.wordpress.co...ic_q3_2013.png

    - http://response.network-box.com/malware

    Last edited by AplusWebMaster; 2013-12-23 at 17:48.

  8. #8

    Rovnix Botnet controller...

    FYI...

    Suspected Active Rovnix Botnet Controller
    - https://isc.sans.edu/diary.html?storyid=17180
    Last Updated: 2013-12-07 03:02:54 UTC - "We have received information about a suspected Rovnix botnet controller currently using at least 2 domains (mashevserv[.]com and ericpotic[.]com) pointing to the same IP address of 37.9.53.126 (AS 44050). This is the information that we currently have available that should help identify if any hosts in your network are currently contacting this botnet:
    • mashevserv[.]com/config.php?version=[value here]&user=[value here]&server=[value here]&id=[value here]&crc=[value here]&aid=[value here] is where the compromised clients send an HTTP GET request when requesting a configuration file. If the correct values are inputted, the server will return an encrypted configuration file.
    • mashevserv[.]com/admin appears to be the admin console ...
    > https://isc.sans.edu/diaryimages/ima..._adm_panel.PNG
    • ericpotic[.]com/task.php has similar values appended to it and when the GET request is done it appears to be some sort of check-in to tell the server it is alive.
    • Posts to ericpotic[.]com/data.php are used to exfiltrate data. All communications with C&C are unencrypted over TCP 80.
    It also appears this malware has very little detection. This is all we currently have...
    [1] https://www.robtex.com/dns/mashevserv.com.html#graph
    [2] https://www.robtex.com/dns/ericpotic.com.html#graph
    [3] https://www.robtex.com/ip/37.9.53.126.html#whois
    [4] http://www.xylibox.com/2013/10/rever...passwords.html ..."
    Keywords: Botnet Rovnix Malware Banking Trojan

    - https://www.virustotal.com/en/ip-add...6/information/

    - http://google.com/safebrowsing/diagnostic?site=AS:44050

    Last edited by AplusWebMaster; 2013-12-07 at 14:31.
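The ISC diary quoted above gives enough of the Rovnix C&C traffic shape (the two hosts and the controller IP, the /config.php GET with its six query parameters, the /task.php check-in, the /data.php POST, all over plain HTTP on port 80) to write a proxy-log matcher. This is an added example, not ISC's code; it assumes a squid-style access log and the sample lines are constructed, with placeholder parameter values.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators from the diary, with the defanging "[.]" removed so they compare
# against real log text.
C2_HOSTS = {"mashevserv.com", "ericpotic.com"}
C2_IP = "37.9.53.126"
CONFIG_PARAMS = {"version", "user", "server", "id", "crc", "aid"}

# Path -> (method the diary reports, label for the finding)
C2_PATHS = {
    "/config.php": ("GET", "config download"),
    "/task.php": ("GET", "check-in"),
    "/data.php": ("POST", "data exfiltration"),
    "/admin": ("GET", "admin console"),
}

# squid native format: time elapsed client status bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<status>\S+)\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

def classify(line):
    """Return a finding dict if the line touches the Rovnix C2, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    host = url.hostname or ""
    if host not in C2_HOSTS and host != C2_IP:
        return None
    port = url.port or (443 if url.scheme == "https" else 80)
    expected_method, label = C2_PATHS.get(url.path, (None, "unknown path on C2 host"))
    finding = {
        "client": m.group("client"),
        "host": host,
        "path": url.path,
        "method": m.group("method"),
        "label": label,
        # the diary says all C&C traffic is unencrypted on TCP 80
        "plain_http": url.scheme == "http" and port == 80,
    }
    if url.path == "/config.php":
        # a full set of the six parameters is the strongest match; report gaps
        finding["missing_params"] = sorted(CONFIG_PARAMS - set(parse_qs(url.query)))
    if expected_method and expected_method != m.group("method"):
        finding["label"] += " (unexpected method)"
    return finding

def scan(lines):
    """Run classify() over a log and keep only the hits, in log order."""
    return [f for f in (classify(line) for line in lines) if f]

# Constructed sample log (not real traffic); one client runs the full
# config / check-in / exfil sequence, another just browses the web.
SAMPLE_LOG = """\
1386390000.123 45 10.0.0.7 TCP_MISS/200 1312 GET http://mashevserv.com/config.php?version=1&user=u&server=s&id=i&crc=c&aid=a - DIRECT/37.9.53.126 text/plain
1386390010.456 30 10.0.0.7 TCP_MISS/200 212 GET http://ericpotic.com/task.php?version=1&user=u&id=i - DIRECT/37.9.53.126 text/plain
1386390020.789 60 10.0.0.7 TCP_MISS/200 88 POST http://ericpotic.com/data.php - DIRECT/37.9.53.126 text/plain
1386390030.000 20 10.0.0.9 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}{f['path']} [{f['label']}] plain_http={f['plain_http']}")
```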

  9. #9

    Zeroaccess botnet blocked ...

    FYI...

    Zeroaccess botnet blocked ...
    - https://www.europol.europa.eu/conten...ters-disrupted
    5 Dec 2013 - "A rampant botnet has been successfully disrupted in a transatlantic operation involving Europol’s European Cybercrime Centre (EC3) and law enforcement cybercrime units from Germany, Latvia, Luxembourg, Switzerland and the Netherlands as well as Europol’s European Cybercrime Centre (EC3). Furthermore the operation was supported by Microsoft Corporation’s Digital Crimes Unit and other technology industry partners. The targeted botnet, known as Zeroaccess, is responsible for infecting over 2 million computers worldwide, specifically targeting search results on Google, Bing and Yahoo search engines, and is estimated to cost online advertisers US$ 2.7 million each month. Today’s action is expected to have significantly disrupted the botnet’s operation, increasing the cost and risk for the cybercriminals to continue doing business and freeing victims’ computers from the malware. The botnet worked as a Trojan horse affecting Windows operating systems so that malware could be downloaded. Microsoft filed a civil suit against the cybercriminals operating the Zeroaccess botnet, and received authorisation to simultaneously -block- incoming and outgoing communications between computers located in the U.S. and the 18 identified Internet Protocol (IP) addresses being used to commit the fraudulent schemes. Due to Germany’s initiative Europol’s European Cybercrime Centre (EC3) coordinated a multi-jurisdictional criminal action targeting 18 IP addresses located in Europe. Thanks to the efforts of EC3 and the involved agencies search warrants and seizures on computer servers associated with the fraudulent IP addresses were executed in several of the involved countries..."

    - http://krebsonsecurity.com/2013/12/z...n-but-not-out/
    Dec 5, 2013 - "... The malware that powers the botnet, also known as “ZAccess” and “Sirefef,” is a complex threat that has evolved significantly since its inception in 2009. It began as a malware delivery platform that was used to spread other threats, such as fake antivirus software (a.k.a. “scareware”). In recent years, however, the miscreants behind ZeroAccess rearchitected the botnet so that infected systems were forced to perpetrate a moneymaking scheme known as “click fraud” — the practice of fraudulently generating clicks on ads without any intention of fruitfully interacting with the advertiser’s site..."

    - http://www.botnetlegalnotice.com/zeroaccess/


  10. #10

    Symantec sinkholes ZeroAccess Botnet...

    FYI...

    Symantec sinkholes half-million in ZeroAccess Botnet
    - http://www.darkreading.com/attacks-b...ndly=this-page
    Sep 30, 2013 - "... Symantec has intercepted and redirected more than a half-million machines infected by the pervasive click-fraud botnet ZeroAccess, one of the world's largest botnets. In a race to get one step ahead of the botnet operators, researchers at Symantec made the move to sinkhole ZeroAccess bots when they discovered the botnet's operators were about to push a new version of the malware that fixed weaknesses to allow the botnet to be intercepted and sinkholed... ZeroAccess, which typically boasts some 1.9 million bots and has been in operation since at least 2011, is second in size only to Conficker, which, although dormant, is still spreading around the globe. ZeroAccess is, however, the biggest peer-to-peer botnet, according to Symantec. P2P botnets are tougher to tame because infected machines communicate directly to one another for updates and instructions; there is no central command-and-control that can be taken down by researchers or law enforcement. Symantec began working on ways to sinkhole the botnet this spring and, on June 29, spotted a new version of ZeroAccess malware being spread through the P2P botnet. The new version included fixes for two key design flaws in the malware that, if exploited, would have made sinkholing a snap: specifically, a relatively small list of IPs a bot can communicate with, as well as internal code that left the door open for introducing a rogue IP address - such as a sinkhole - to the bot... The majority of the infected ZeroAccess bots are consumer machines, anywhere from 80 to 90 percent, and Symantec has been working with ISPs and CERTs around the world to share information about the botnet so the infected machines can be cleaned up. Symantec also shared information on ZeroAccess bots that it wasn't able to sinkhole but were communicating with ones it captured. ZeroAccess's main moneymaking method is click fraud. The ZeroAccess gang makes tens of millions of dollars a year on these scams, which basically infect unsuspecting users with the malware that generates phony clicks on false ads for payment. Symantec tested the activity of a click-fraud bot and found that each bot generates about 257 MB of traffic every hour, some 6.1 GB a day, as well as 42 false ad clicks an hour, or 1,008 per day. A click is worth about a penny, but with 1.9 million bots, it quickly becomes lucrative, according to Symantec. ZeroAccess is a Trojan that employs a rootkit to remain under the radar. It typically spreads via compromised websites in a drive-by download attack and uses the Blackhole Exploit Toolkit, as well as the Bleeding Life Toolkit... Symantec also notes similarities between ZeroAccess and TDL, a.k.a. TDSS and Tidserv... The attackers behind ZeroAccess are out of Eastern Europe, including Russia and the Ukraine, according to Symantec. Seventy to 80 percent of them are based in Eastern Europe, and Russia... ZeroAccess also had previously been used for Bitcoin-mining, but the gang earlier this year got out of that business and doubled down on its click-fraud activities."
    * http://www.symantec.com/connect/blog...oaccess-botnet

