View Full Version : Pandemic of the botnets 2008

2008-03-20, 04:36

- http://preview.tinyurl.com/34jw2j
March 16, 2008 (USAtoday) - "...The botnet problem shows no sign of easing. Security firm Damballa pinpointed 7.3 million unique instances of bots carrying out nefarious activities on an average day in January -- an astronomical leap from a daily average of 333,000 in August 2006. That included botnet-delivered spam, which accounted for 91 percent of all e-mails in early March, up from 64% last June, says e-mail management firm Cloudmark... smaller, multipurpose botnets spring from widely available tool kits that make it easy for anyone to infect computers, assemble a basic botnet and embark on a criminal career. Dozens of crime rings, for instance, have cropped up to run phishing Relevant Products/Services scams that lure victims into clicking on fake Web pages where they get tricked into divulging passwords and other sensitive data.
Botnets distribute phishing spam, host phishing Web pages and store phished data. Since 2005, phishers have used botnets to take aim at more than 1,750 companies and government agencies, mainly financial institutions, including 106 fresh targets in the fourth quarter of 2007, according to a survey by security data firm Cyveillance. Phishing expeditions are just one of many uses of botnets.
Some botnets crawl the Internet looking for Web pages that can be corrupted with pop-up ads selling fake anti-spyware; some implant programs on popular Web pages to harvest any sensitive personal data typed there by visitors; some repeatedly click on online advertisements to earn fraudulent "click through" revenue... Numerous indicators portend botnets are destined to increasingly corrupt consumer online transactions and range deeper into corporate and government networks..."

Botnet activity from around the world over a 7 day period
- http://damballa.com/resources/video/botArmyOverview/active_bots.html
(Flash video)


2008-03-22, 05:03

- http://www.brisbanetimes.com.au/articles/2008/03/20/1205602625560.html
March 21, 2008 - "Hackers are paying top dollar on international blackmarkets for computers from Australia that have been unknowingly hijacked and infected with spyware. A Russian malware distribution site offers $US100 for a haul of 1000 spyware-infected Australian machines, double the price offered for US machines and 30 times more than those from Asia... The Russian site, InstallsCash, offers to pay unscrupulous website operators for every 1000 machines they infect with spyware. All the website operator has to do is insert a line of code into their web page, and anyone visiting that site is infected with spyware. For instance, someone could load the code on to their website and if the site is viewed by 100,000 Australians in a day, the site operator could earn up to $10,000 in one hit, assuming all viewers are infected. Infected machines are then added to a "botnet" controlled by InstallsCash, and the party responsible for the infection is paid accordingly..."


2008-03-28, 14:28

- http://preview.tinyurl.com/338nxq
March 27, 2008 (TrendLabs blog) - "...Interesting malware attack that seems to be (at first blush) related to the previous Banamex phishing e-mails reported last January and earlier this month. Similar to the past attacks, this malware aims to steal money by targeting customers of Banamex, the largest e-Bank in Mexico. However, instead of using DNS poisoning method as the past attacks did, this malware uses a script to change the user’s DNS settings, and also installs a botnet client that is hosted at an IRC server in a U.S. hosting provider. Based on Tello’s analysis, the infection chain is usually initiated by a fake greeting e-card that a user receives via email. This e-card contains a link, which when clicked downloads the malicious file Gusanito.exe... Trend Micro detects this file as BKDR_VBBOT.AE. The difference between this new attack and the previous attacks is that, this time around, the malicious downloaded executable does not poison the user’s HOSTS file or the local router’s DNS table. Instead, it changes the DNS from the affected user’s computer... As of this writing, there are over ~650 bots already connected to the this botnet C&C (Command & Control Server) and are most probably sending out tons of fake greeting e-cards at this very moment... The malicious link has already been submitted to Trend Micro Content Security team for processing and blocking. The appropriate law enforcement and content providers have also been alerted to this, as well."


2008-03-28, 20:24

- http://asert.arbornetworks.com/2008/03/drive-by-downloads-links-and-insights/
March 27, 2008 - "...I don’t get to spend much time digging into big, widespread attacks or specialized exploits. However, here’s a few links from my reading this morning that help keep me informed since I can’t spend all of my time digging too deeply into every event.
- ...botconomics... basically how the botnet world has been fueling a large-scale underground economy. Have a look:
http://www.vnunet.com/vnunet/news/2212403/spyware-authors-offer-dollars ...
"...Code is typically first added to a web page which may be a phishing site, a hacked site, a site hosted on a web server or even a botnet-hosted web page. Instructions are then issued to the offending botnet computers to visit the page, then download and execute the code. Once the spyware is installed, it registers with the 'seller' and the 'affiliate' is then paid. MessageLabs explained that a simple line of code can be added to an HTML page that will in turn cause a drive-by install of spyware to the computers of any visitors to that site..."


2008-03-29, 09:57
This newsletter (http://newsletters.trendmicro.com/servlet/website/ResponseForm?mgLEVTTB_TWVB_.40ev.2e_8LlmwkHJmpJLl) from Trend Micro gives some useful information and advice.

2008-04-07, 23:47
Botnets 2008 - new - "Kraken"

Kraken technical details
- http://isc.sans.org/diary.html?storyid=4256
Last Updated: 2008-04-07 20:22:36 UTC - "...<Begin Commentary> If you are going to be in the malware / security research business, it is nice to let the security community know when you find what you believe to be new malware. </End Commentary>..."
(More detail at the ISC URL above.)

- http://www.theregister.co.uk/2008/04/07/kraken_botnet_menace/
7 April 2008 - "... It comprises over 400,000 infected machines, more than twice the size of Storm, which was previously believed to be the largest zombie network. Machines from at least 50 Fortune 500 companies have been observed to be running the malicious software that's at the heart of "Kraken," the botnet that security firm Damballa has been tracking for the last few weeks. So far, only about 20 percent of the anti-virus products out there are detecting the malware..."


2008-04-08, 17:53
Update #2

- http://isc.sans.org/diary.html?storyid=4256
UPDATE 2 (4/8/2008 - 13:29 UTC): First things first, Emerging Threats has some test signatures to detect this botnet C&C traffic. You can see them here*. There are some Threat Expert reports on related malware that should give you a good list of hostnames to work with for right now..."
* http://doc.emergingthreats.net/bin/view/Main/OdeRoor

(More links to detailed analysis available at the ISC URL above - bottom of page there.)


2008-04-08, 21:55
More on "Kraken":

- http://preview.tinyurl.com/6ff7lx
April 8, 2008 (Brian Krebs) - "...In the early days of bot infections, botmasters would have all of their infected PCs report to a particular Internet server to receive updates and instructions on what to spam or whom to attack. But those stationary control servers represent a single point of failure for botmasters: If security professionals can get them taken offline, the botmaster can lose control over his herd of infected machines, as the individual bots no longer know where to go to receive instructions and become stranded indefinitely, sort of like sheep without a shepherd. As a result, many botmasters have switched to using dynamic DNS because these services eliminate this single point of failure. Using dynamic DNS, the botmaster simply tells his bots to report to a particular domain name he controls, such as example.com, and the dynamic DNS provider takes care of making sure all infected machines know how to find the control server... Kraken also uses dynamic DNS services, but adds a twist: The authors include in the genetic makeup of the bot hidden instructions for finding brand new Web site names on the fly. Should security professionals or the dynamic DNS provider succeed in shutting down the domain name used to control the botnet, Kraken randomly creates another one, using an encryption routine built into the bot code... the advice is the same: Use anti-virus, but don't depend on it to save you from risky behaviors online. Use a firewall, keep your computer and third-party software up-to-date with the latest security patches. Don't click on links sent to you unexpectedly in e-mail or instant message... configure your computer so that you run it under a limited user account for everyday use..."


2008-04-09, 06:44
More "Kraken"...

- http://asert.arbornetworks.com/2008/04/busy-day-kraken-new-storm-run-and-msft-bulletins/
April 8, 2008 - " Kraken, the spam botnet on everyone’s minds, has soaked up a good bit of out Monday evening and today. We’re going with the popular name and dubbing it Trojan.Kraken. In short, what we know and what we don’t know:
* It’s unclear if this is a variant of Bobax or Srizbi, or something new.
* A lot of the C&Cs are dead
* We analyzed samples going back through last year
* It’s a spam botnet, doesn’t appear to harm the host otherwise
* We don’t know how big it is
We’ve spent a lot of time in ASERT in the past day dissecting samples, gathering data from the community, and looking at our own analysis. Here’s some brief notes:
* It drops a file in %SYSTEM32% with a random name (lowercase characters, 2-20 characters). It sets the following registry keys to ensure it runs:
"" =C:\WINDOWS\system32\[%random_name%].exe
"" =C:\WINDOWS\system32\[%random_name%].exe

Where the random name is between 2 and 20 characters long.
* It picks a random string of lowercase characters for a service title
* It communicates with over 150 command nodes (if they all were to resolve) for instructions and templates using UDP port 447; we’re not sure if the replies are source-spoofed or not...

AV detection for the samples varies, but the naming isn’t consistent. This doesn’t appear to be the bot that ate the Internet, however, but it does go to show you that spambots are becoming a serious problem..."


2008-04-18, 04:09

- http://preview.tinyurl.com/5qk4lk
April 9, 2008 SANS-NewsBites - "Research presented at the RSA conference estimates that the largest eleven botnets cumulatively control more than one million machines and are capable of sending out 100 billion spam emails each day. The largest botnet is believed to be one known as Srizbi, controlling an estimated 315,000 machines; Bobax claims an estimated 185,000 machines, and Storm comprises about 85,000 compromised machines. The research also aims to clarify which botnets are which, as some recent reports have said that Kraken is the largest botnet, comprising more than 400,000 machines, but Kraken is believed to be another name for Bobax."


2008-04-18, 19:10

Loads.CC Bot still live...
- http://asert.arbornetworks.com/2008/04/loadscc-bot-still-live-still-targeted/
April 17, 2008 - "Enough has been written about the Loads.CC team to probably give you enough of a picture that you need to know. Some reports suggested they went away, but they didn’t. They’re still active. See these reports by RBN exploit*, CIO magazine**, 2-viruses.com***, this PC Week article**** by Scott B, and Adam T for a good background. The team is still quite active. They came up in some analysis earlier this week when we looked at an infection chain. I started digging and found that they’re still churning out new malware install sites with great regularity..."

* http://rbnexploit.blogspot.com/2007/11/rbn-76-service-team-loads-cc-and-their.html

** http://www.cio.com/article/135451/How_Gozi_s_First_Second_Unfolds_

*** http://www.2-viruses.com/article-loadscc-by-hackers-for-hackers

**** http://www.pcworld.com/article/id,139056-c,hackers/article.html

(Activity charts - see the ArborNetworks URL above.)


2008-04-21, 21:41

Bot counts
- http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.BotCounts
20 April 2008 - "... Because there is not any consensus on what that lifespan might be, we have created an entropy value for all of our counts. We actually implemented it in the middle of 2007 to deal with the rampant increase of our bot/infected system counts. We realized that we may have artificially inflated the numbers that we were presenting. We suspect a lot of the values that are seen in the press or the many security reports are inflated for the same reasons.

We have three entropy values that we present for each of our graphs. The first is the one that we have been using since we started aging the data, which is a 30-day entropy. This assumes that if no activity on a specific IP was seen within 30-days, that IP should be considered dead for the purposes of counting infected systems. To further this analysis, we have also added in a 10-day and 5-day entropy charts to reflect even smaller expected lifespans of an infected system. We do not know what the correct value may be, but we suspect it is somewhere between the 10-day and 30-day charts."

(Charts available at the URL above.)

2008-04-22, 14:27

China's botnet problems grows
- http://www.securityfocus.com/brief/726
2008-04-21 - "Computers infected by Trojan horse programs and bot software are the greatest threat to China's portion of the Internet, with compromises growing more than 20-fold in the past year, the nation's Computer Emergency Response Team (CN-CERT) stated in its 2007 annual report released last week. The response organization found that the number of Chinese Internet addresses with one or more infected systems increased by a factor of 22 in 2007. The report... estimates that, of 6.23 million bot-infected computers on the Internet, about 3.62 million are in China's address space. Trojan horse programs are responsible for a range of issues, from privacy breaches to economic losses, CN-CERT said in the report... A nod to Dancho Danchev's blog*, which first noted the release of the report..."
* http://ddanchev.blogspot.com/2008/04/chinas-cert-annual-security-report-2007.html


2008-05-13, 18:47

- http://www.techworld.com/security/news/index.cfm?newsID=101458&pagtype=all
09 May 2008 - "...Having compromised 300,000 PCs around the world, it was now sending out an estimated 60 billion spam emails per day on “watches, pens, male enlargement pills”, a torrent that consumed huge amounts of processing power to keep in check. “Srizbi now produces more spam than all the other botnets combined.” said Marshal’s Bradley Anstis... “Microsoft recently announced its success combating the Storm botnet with their Malicious Software Removal Tool (MSRT). The challenge now is for the security industry to collectively turn its sights on Srizbi and the other major botnets. We look forward to seeing Microsoft target Srizbi with MSRT in the near future,” said Marshal's Anstis."
* http://www.marshal.com/pages/newsitem.asp?article=646


2008-05-14, 18:32
Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

- http://www.secureworks.com/research/threats/danmecasprox/
May 13, 2008 - Author: Joe Stewart - "Danmec is a password-stealing trojan which has been around for a couple of years, but in the last year new components have been introduced by the author, turning it into a more complete crimeware family. One of these components (developed last year) is the Asprox trojan, which is designed to create a spam botnet which appears to be solely dedicated to sending phishing emails. As of yesterday, we observed the Asprox botnet pushing an update to the infected systems, a binary with the filename msscntr32 .exe. The executable is installed as a system service with the name "Microsoft Security Center Extension", but in reality it is an SQL-injection attack tool. When launched, the attack tool will search Google for .asp pages which contain various terms, and will then launch SQL injection attacks against the websites returned by the search. The attack is designed to inject an iframe into the website source which will force visitors to download a javascript file from the domain direct84 .com. This file in turn redirects to another site, where additional malicious javascript can be found. Currently the secondary site appears to be down, however it is likely that when successful, the site attempts to exploit the visitor's web browser in order to install additional copies of either Danmec, Asprox and/or the SQL attack tool... the SQL attack tool does not spread on its own, it relies on the Asprox botnet in order to propagate to new hosts. Additionally, a similar attack technique is currently being seen spreading game-password-stealing trojans from China. Whether the tool is related or just the attack syntax is shared, it is clear that SQL injection attack activity is on the rise from multiple sources..."


2008-05-23, 18:02
Do the current anti-spyware products secure us against bots?

2008-05-23, 18:17
Do the current anti-spyware products secure us against bots?
Hi djpailo,

Web Alerts only. Do not ask support questions in this forum please.You might want to ask your question in the Tavern: http://forums.spybot.info/forumdisplay.php?f=19 and get feedback there.

For questions regarding our product: Spybot-S&D Forums (http://forums.spybot.info/forumdisplay.php?f=4)

Cheers. :)

2008-05-28, 05:09

- http://www.f-secure.com/weblog/archives/00001443.html
May 27, 2008 - " It doesn't always have to be the latest and greatest zero-day exploit that causes you to lose control of your computer or server to external attackers. Today's example comes in the relatively ancient form of brute force SSH.
We recently received a sample containing several different files:
- A psyBNC installation; legitimate software used by many for normal purposes, but it's also a common tool in an attacker's toolkit.
- And a collection of scripts, binaries, and password files that were used to scan for machines that have their SSH port open.
The binaries that were used maliciously in this case were connecting to a large public IRC network. We see quite many such as these, all headed for the same network even though it does have a working abuse address and the network's administrators actually do something to the botnet channels that get reported. In our experience, the botnets are most often run by various small gangs coming largely from eastern Europe; notably from Romania.
Once one of the botnet channels has been suppressed, it takes only a few hours for a new one to pop up in the same IRC network but under a different channel name.... The botnet in this case was made up of about forty infected Linux machines, and judging by their DNS Resource Records, most of them are either webservers or mail servers, which usually have a bit fatter Internet connection than you average Joe Consumer. The moral? Even unsophisticated attackers don't need the latest and greatest techniques if the target's passwords are weak."


2008-06-19, 16:24

Stolen data goes to highest bidder...
- http://www.finjan.com/Pressrelease.aspx?id=1977&PressLan=1819&lan=3
June 18, 2008 - "...discovery of a server controlled by hackers (Crimeserver) containing more than 500Mb of premium data. The data included healthcare and business related data, as well as personal identifiable information (stolen Social Security Numbers). This data is part of the premium offering that the cybercriminals operating the Crimeservers were selling to the highest bidder online. The compromised data came from all around the world and contained information from individuals, businesses, airlines and healthcare providers. The report contains examples of compromised data that Finjan found on the Crimeserver, such as:
* Compromised medical related data of hospitals and publicly owned healthcare providers
* Compromised business related data of a U.S. airline carrier
* Identity theft (stolen Social Security Numbers)..."

- http://www.finjan.com/MCRCblog.aspx?EntryId=1979
June 18, 2008 - "...The Crimeware Server Business Model cost consists of:
- Affiliation network for promoting the malicious code on the Web = a couple of cents per iframe
- Crimeware Toolkit for distributing the Trojan = between $100 - $700 (depending on its capabilities)
- A Trojan and its Command and Control (C&C) application which can be bought for only $700 by purchasing the latest ZeuS toolkit, which includes an advanced phishing Trojan that sends the data encrypted + Command & Control for remote data management and control of the Trojan botnet..."
- http://www.finjan.com/MCRCblog.aspx?EntryId=1957
June 18, 2008


2008-07-02, 21:25

- http://atlas.arbor.net/summary/fastflux
"Fastflux hosting is a technique where the nodes in a botnet are used as the endpoints in a website hosting scheme. The DNS records change frequently, often every few minutes, to point to new bots. The actual nodes themselves simply proxy the request back to the central hosting location... Many different kinds of botnets use fastflux DNS techniques, for malware hosting, for illegal content hosting, for phishing site hosting, and other such activities. These hosts are likely to be infected with some form of malware. Many times a single botnet will host several different fastflux domains at once. We try to find these distinct bot networks by looking for domains whose IPs match those of other domains... Currently monitoring 551 fastflux domains..." [2008.07.02]

More SQL Injection with Fast Flux hosting
- http://isc.sans.org/diary.html?storyid=4645
Last Updated: 2008-07-01 04:46:52 UTC

Fast Flux and New Domains for Storm
- http://asert.arbornetworks.com/2008/06/fast-flux-and-new-domains-for-storm/
June 28, 2008 ...updated 1 July 2008


2008-08-07, 21:07

...Asprox lying around
- http://isc.sans.org/diary.html?storyid=4840
Last Updated: 2008-08-07 14:43:56 UTC - "...looking for something completely different I came across our old friend ASPROX (see previous diary from Marc: http://isc.sans.org/diary.html?storyid=4645 .
It seems that a lot of the domains used by this are still or again active. Typically using fast flux. The script that is being injected tends to be ngg.js, fgg.js, b.js or js.js. This links to an IP address (still up) where a CGI script starts the road of pain.
Doing a quick search using our friend Google I ended up with 1,470,000 sites that are currently infected. Now about 591,000 or so are b.js which seems to point to inactive domains so these are unlikely to do damage. The rest is a mixture of active and inactive links. The high number of infected sites points to a couple of issues.
1. Sites are compromised and nobody notices
2. Sites that are infected are not cleaned up.
Now the number of infected sites is high, but the sky is not falling. However if you have a spare few minutes do the following Google search replacing yoursite with your domain, e.g. sans.org (just cut and paste the whole search).
site:yoursite "script src=http://*/""ngg.js"|"js.js"|"b.js"
If the search returns results, you have some cleaning to do.
I did a quick breakdown of infected sites:
.gov - 238 .com - 474K
.gov.au - 927 .org - 79.9K
.gov.uk - 2,930 .com.au - 19.5K
.gov.cn - 34K .co.uk - 19.3K
.gov.za - 424 .ca - 13.1K
.gov.br - 263
I'll let you know next week if things are getting better or worse."

- http://www.theregister.co.uk/2008/08/07/new_sql_attacks/
7 August 2008 - "...Given the prevalence of pages from supposedly reputable organizations that threaten their users, Firefox using the NoScript* extension is an effective, but by no means perfect, measure to insulate yourself against these attacks."
* http://noscript.net/


2008-08-11, 19:51

RBN (Russian Business Network) now nationalized, invades Georgia Cyber Space
- http://rbnexploit.blogspot.com/
Sat – 2008 08 09 5:00 EST - "As requested by community relay, the following is a report on the cyber war underway in parallel with conventional warfare. Many of Georgia’s internet servers were under external control from late Thursday, Russia’s invasion of Georgia commenced on Friday. It is further requested of any blog reader the information below is further relayed to the International Press and Community to ensure awareness of this situation..."
- http://www.theregister.co.uk/2008/08/11/georgia_ddos_attack_reloaded/
11 August 2008

- http://www.theinquirer.net/gb/inquirer/news/2008/08/11/russian-hackers-launch-georgia
11 August 2008


2008-08-12, 14:42

Georgian Websites Under Attack - DDoS and Defacement
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080811
11 August 2008 - "... we had not seen any other C&C servers taking aim at Georgian websites... until last Friday (August 8, 2008). The date appears to coincide with military movement that has since escalated into fighting between the two countries. Since August 8 we have witnessed multiple C&C servers attacking websites that are Georgian or sympathetic to the country. Some of the first targets we saw once again involved the Georgian government. The website for the President ( www .president.gov.ge ) and the website for the Parliament of Georgia ( www .parliament.ge ) were both targeted. However, the attacks were not limited to just government websites. We have witnessed at least six different C&C servers attacking various websites that are not government sites. In some cases the various C&C servers were and still are attacking the same websites. The following websites have come under attack in the past few days:
www .president.gov.ge
www .parliament.ge
www .kasparov.ru
One will notice that not all of these are Georgian websites. However, it is interesting to see that the same groups involved with targeting various Russian media outlets have also been taking aim at various Georgian websites... these attacks have expanded beyond just denial of service attacks. At the time of this writing the websites for the Georgian Pariliament has been defaced by a group claiming to be from South Ossetia. On the website the attackers have inserted a large image made up of several smaller side-by-side images of pictures of both the Georgian President and Adolf Hitler...
Edit: (08-11-2008 9:10 PM EDT): We have since removed a screen shot of the defaced page as we do not want to glorify the group behind it. At this time the page is still defaced and can be viewed. However, we would caution against visiting the site as it may still be under control of the attackers...
While this flurry of activity appears to coincide with recent events involving Russia and Georgia, we do not have solid information surrounding the who and the why. We have no reason to think the government is involved and can only speculate that it could be a grass root effort by the attackers. What is clear is that there are groups that are looking to keep Georgian websites offline."


2008-08-22, 20:19

- http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_distributing_your.html
August 22, 2008 - "The allure of cyber crime lies in its promise of quick riches, much like that of the illegal drug trade. But building a network of hacked personal computers that can distribute your data-stealing malicious software is a time-consuming process that requires a modicum of skill. That is, until recently, when several online services have emerged that promise to help would-be cyber crooks graduate from common street dealers to distributors overnight. Such is the aim of services like "loads.cc," which for a small fee will take whatever malware you provide and inject it into a pre-selected number of PCs already compromised and under the thumb of the service owners. Currently, loads.cc claims to have 264,552 hacked systems in more than a dozen countries that it can use as hosts for any malicious software that clients want to install. The latest details from the "statistics" page displayed for members says the service has gained some 1,679 new infectable nodes in the last two hours, and more than 33,000 over the past 24 hours... Other up-and-coming malware distribution services are trying to gain a foothold in this nascent criminal Web 2.0 industry. Loadsforyou.biz offers slightly more competitive rates, promising to stitch your malware into 10,000 hacked PCs in the U.S. for just $120... it's probably best to avoid visiting the sites named in this post, as they exist solely to orchestrate the infection of computer systems..."


2008-09-01, 16:53

- http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html
August 28, 2008 - "...Several noted security researchers are releasing a report* today that stems from many months of investigating malicious activity emanating from Atrivo's customers. Security experts say that Atrivo, also known as Intercage, has long been a major source of spyware, adware, viruses and fake anti-virus products... Looking back several years, Atrivo's various networks were used heavily by the Russian Business Network, an ISP formerly based in St. Petersburg, Russia. RBN had gained notoriety for providing Web hosting services catering exclusively to cyber criminals. But after increased media attention, RBN dispersed its operations to other, less conspicuous corners of the Internet. The portions of Atrivo most heavily used by RBN were Hostfresh - which provides routing for Atrivo through Hong Kong and China - and UkrTeleGroup (also known as Inhoster) out of Ukraine. These two networks remain core components of Atrivo's operation, and recent data suggests the company's reputation for supporting online criminals hasn't diminished since the disappearance of the RBN last year..."

- http://asert.arbornetworks.com/2008/08/atrivointercage-called-out-as-us-rbn/
Aug. 30, 2008 - "A report* from a trio of known open source security analysts is out and covers the US-based Atrivo, aka Intercage. Dubbed the “US RBN” by some, Atrivo has been, to quote someone in the business:
"At almost every Internet security conference, or law enforcement seminar on cyber-crime, a presentation will detail some attack, exploit, phish or financial crime that has some nexus at Atrivo/Intercage.” Source: Vincent Hanna, Spamhaus.org**...
we’ve been seeing a lot of Atrivo over the years: rogue DNS servers that will send the user to a malicious website if they should typo, configured through DnsChanger malware; lots of fake AV product hosting lately; malcode drops and pickups. Our database is full of these droppings of information. The fact that this network is supposedly hosted in the US – in the bay area, in fact – is especially surprising. It is unclear to me why they were permitted to operate without any significant investigation by law enforcement..."

* http://hostexploit.com/index.php?option=com_content&view=article&id=12&Itemid=15

** http://www.spamhaus.org/news.lasso?article=636
2008-08-29 - "...Spamhaus has dealt with over 350 incidents of cyber-crime hosting on Atrivo/Intercage and its related networks in the last 3 years alone, all of which involved criminal operations such as malware, virus spreaders and botnet command and control servers..."


2008-09-01, 23:02

Machines controlled by Botnets has quadrupled in 3 months
- http://isc.sans.org/diary.html?storyid=4963
Last Updated: 2008-09-01 16:16:33 UTC = "...some of the data put out by the Shadowserver Foundation that tracks botnets. One piece of information grabbed my eye, namely that over the last 3 months, the number of infected machines quadrupled*. During the same time period, there isn't an appreciable increase in new malware, new viruses or anything that would obviously indicate why this is so. I imagine that the bad guys have gotten better about keeping machines owned, but there is one vector that we need to get much better about tracking and managing, and that's direct web-based malware. The timing, very roughly, coincides with when we started to see increase SQL injection attacks against webservers (mind you, this is an educated guess that SQL injections are a big part of this, not a statement of fact). We are very good at tracking email-based malware (including lead-the-user-to-the-bad-website variety) and certainly network based attacks. Short of spidering the web on a consistent basis, it gets difficult to find infected sites for that malware..."
* http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.BotCount90-Days

- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080905
September 05, 2008


2008-09-07, 01:13

Atrivo/InterCage - malware haven
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080906
6 September 2008 - "... we decided to do a little digging from our own data to see what we could come up with. Given that we have been familiar with Atrivo for some time, what we found was not a huge surprise. However, we thought we would provide some more information for anyone that was interested or that was still skeptical. The following information comes right from our own databases and is based upon searches for the ASN 27595 which belongs to Atrivo.
Atrivo/InterCage - ASN 27595:
Unique MD5 samples making HTTP connections: 22,626
Number of HTTP DDoS botnets (by unique IP) we have observed: 3
Number of DDoS attacks (by unique IP) from it we have observed: 10
Number of DDoS attacks (by unique IP) against it that we have observed: 26
In plain English this means that we have 22,626 different binaries that made some sort of HTTP-based connection to Atrivo's ASN. The vast majority of our binaries are quite malicious. At least three HTTP-based DDoS botnets we monitored were housed on Atrivo's ASN. From these three different HTTP-based DDos botnets we saw at least ten different attacks issued... As you can see, they have quite a bit of malware talking to them, which in turns mean it has a lot of malware and control centers on it as well. Atrivo ranks #12 on our unique MD5 list by ASN. There are only 11 other ASNs that have more malware making HTTP connections to it than Atrivo. It would appear we still have some work to do, but since one of the top 20 is the center of attention right now, we thought we would throw in our two cents. Finally, we are not saying that all systems or activity on Atrivo's ASN are malicious. However, our data along with the data of others clearly indicate that there is a significant amount of malicious activity going on there that is certainly of concern."


2008-09-09, 14:36

- http://voices.washingtonpost.com/securityfix/2008/09/estdomains_a_sordid_history_an.html
September 8, 2008 - "...for years EstDomains appeared to be the registrar of choice for the infamous Russian Business Network. You could hardly look up malicious Web site hosting nasties like -CoolWebSearch- and other spyware programs without finding records that traced back to EstDomains. That is, until the RBN's disappearing act late last year, when this publication and others began exposing RBN's ties to child pornography and financial fraud Web sites. While the RBN may have faded into the background, experts say EstDomains still remains among the top registrars for spam and scam Web sites, as well as child pornography. Working with several security experts who help law enforcement officials track down child porn sites, Security Fix identified at least two Web sites registered through EstDomains that are currently selling access to child porn... In a blog post* last month about the relationship between EstDomains and Atrivo, anti-spam organization Spamhaus.org suggested law enforcement action against the two entities was long overdue..."
* http://www.spamhaus.org/news.lasso?article=636


2008-10-09, 14:51

- http://asert.arbornetworks.com/2008/10/paper-as-the-net-churns-fast-flux-botnet-observations/
October 7, 2008 - "...Fast flux botnets are gathering a great deal of attention, and for good reason. Several groups have been working on similar research questions and have found similar results... Botnet herders often use fast-flux DNS techniques to host unwanted or illegal content within a botnet. These techniques change the mapping of the domain name to different bots within the botnet with constant shifting, while the bots simply relay content back to a central server. This can give the attackers additional stepping stones to thwart takedown and can obscure their true origins. Evidence suggests that more attackers are adopting fast-flux techniques, but very little data has been gathered to discover what these botnets are being used for... We found that the active lifetimes of fast-flux botnets vary from less than one day to months, domains that are used in fast-flux operations are often registered but dormant for months prior to activation, that these botnets are associated with a broad range of online fraud and crime including pharmacy sites, phishing and malware distribution, and that we can identify distinct botnets across multiple domain names..."


2008-10-15, 15:14

- http://www.darkreading.com/document.asp?doc_id=165919&print=true
October 14, 2008 - "... FTC today shuttered one of the world’s largest spamming operations. The Herbal King gang, aka Affking, is responsible for billions of spam messages selling prescription drugs and phony male-enhancement products. The spam ring sent spam messages offering generic versions of Levitra, Cialis, Propecia, Viagra, Lipitor, Celebrex, Zoloft, and other drugs, as well as an herbal “permanent” male-enhancement pill called VPXL, through hundreds of unsavory Websites, according to the FTC. The spammers pushed their spam runs via the Mega-D/Ozdok botnet and other botnets. A U.S. district court in Illinois ordered the gang to halt its spam operations and has frozen the assets of New Zealand resident Lance Atkinson and Jody Smith of Texas, as well as the four companies they run, Inet Ventures Pty Ltd., Tango Pay Inc., Click Fusion Inc., and TwoBucks Trading Limited. The FTC complaint charges that Atkinson is liable for product claims by the operation, and Smith for claims about the pharmaceutical products. The spammers falsely claimed to sell medications as a U.S. licensed pharmacy that sells FDA-approved generic drugs, but the drugs were shipped from India and are potentially unsafe, according to the FTC, which received 3 million complaints about the phony pharmaceutical operation. Herbal King was ranked as the No. 1 spammer by Spamhaus... The spammers used the Mega-D/Ozdok botnet... Mega-D is one of the largest spamming botnets, and at one time could send 10 billion spam messages a day. But even with the legal actions taken against the spammers both by the FTC and authorities in New Zealand, the botnets that pumped out the spam are still standing..."
* http://www.ftc.gov/opa/2008/10/herbalkings.shtm
October 14, 2008


2008-10-21, 19:13

- http://www.secureworks.com/research/threats/warezov/
10/15/08 - "...as of 2008, it appears Warezov is back in the spamming business - but operating differently this time... Warezov was historically spread via email attachments, however that activity has also largely ceased. These days, executable attachments via email are almost universally blocked. Most botnet operators have switched to installing via browser/plugin exploits or social engineering. Warezov is no different. Only a few days ago, we saw Warezov being spread through a site advertising free MP3s via download of a P2P program. No exploits were used here, just social engineering. The user has to choose to install the software, which is simply the Warezov trojan... Like many botnets, Warezov is really a payload delivery system. It can install any software the botnet operator wishes. Since the end of the stock spamming activity, Warezov has mainly served as a "fast-flux" hosting platform... Warezov accomplishes this activity by installing two components: a reverse HTTP proxy that serves the content from a hidden master server, and a DNS server which is actually a customized installation of the popular ISC BIND software compiled for Windows. Each DNS server acts as a slave which gets zone updates from the hidden master server... Regardless of what methods are in use, spam is not going away any time soon. There is clearly too much money involved in spam and as a result, botnets... Despite indictments that may exist in the U.S., there are too many obstacles, both technical and political, that make it nearly impossible to get Russian botmasters arrested..."
(Screenshots available at the URL above.)

- http://asert.arbornetworks.com/2008/10/still-spamming-stration-aka-warezov/
October 17, 2008

- http://www.darkreading.com/document.asp?doc_id=165798&print=true
October 13, 2008 - "...SecureWorks* says Srizbi remains the largest botnet, followed closely by Rustock, Ozdok, and Cutwail, which range from a minimum of 150,000 to upwards of 300,000 bots..."
* http://www.secureworks.com/research/threats/topbotnets/?threat=topbotnets
April 8, 2008

:fear: :mad:

2008-10-29, 22:11

- http://www.pcworld.com/printable/article/id,152965/printable.html
October 28, 2008 - "...Much like the bot software they install, SQL injection and similar Web attacks force victim sites to do their bidding. And they have a growing number of holes to target: In 2007 one security company, SecureWorks, found 59 flaws in applications that allowed for SQL injection attacks. So far in 2008, it has found 366... According to Joe Stewart, director of malware research at SecureWorks, for a would-be botnet criminal these Web exploit attacks are by far the preferred choice for distributing evil code... When IT workers and antivirus companies catch on to bot infections and clean them up, the crooks respond by infecting a new batch of PCs. "They're having to keep up these seeding campaigns to keep up their botnet size," Stewart says. Those seeding campaigns typically employ Web attacks that target outdated browser plug-ins and other vulnerable software. "Flash and RealPlayer [plug-ins] - those are the big ones," Stewart says. The attacks are often successful because it can be hard for users to know when a plug-in is old and susceptible, especially if it's so old as to predate automatic updates. The free Personal Software Inspector* (or PSI) from Secunia can make that task easier. It will scan for outdated software and also provide links to patches or updated versions..."
* http://secunia.com/vulnerability_scanning/online/


2008-11-04, 15:19

Secure Computing Q3 Internet Threats Report...
- http://www.securecomputing.com/pdf/SCC-InternetThrtRprt-Oct08.pdf
October 28, 2008 - Some highlights:
• Acquisition of innocent machines via email and Web-based infections continued in Q3 at about the same pace measured in Q2, with over 5,000 new zombies created every hour.
• Top Five Malware Detections in Q3 – by Prevalence
1. The infection of legitimate Web sites continues to be the main venue for the most prevalent malware outbreaks. These infections are usually induced through SQL injection attacks...
2. Following closely is a new entry among top detections: "Trojan.Hijacker.Gen," is a new generic detection name for any malware that creates backdoor access to victim computers...
3. Although detected by virtually every anti-malware product, the NetSky worm... remains high in prevalence due to zombie machines that remain infected and continue to create email traffic years later.
4. Fourth place goes to another proactive detection for any malware that uses the "FSG" runtime-packer, which continues to be in widespread use. Runtime-packers are used to quickly create new variants of a malware family and hide their malicious intent under an obfuscation layer. It should be noted that these top four malware variants account for 70% of the detected malware today.
5. Another new entry, dubbed "HIDDENEXT.Worm.Gen", also covers the "Autoruns" worm that appeared on a digg.com entry this quarter. The "Autoruns" worm spreads through removable devices, such as USB sticks and mapped network drives. See http://www.trustedsource.org/blog/150/Digging-for-Worms for more information...
• Over the course of Q3 the TrustedSource reputation system was able to identify over 600 new Web sites that have been deployed and tagged with a malicious reputation prior to serving any malicious content. Identifying these Web sites proactively through the use of traffic analysis and examination of historical connections to criminal individuals or networks is now essential as they are increasingly used to deploy zero-day/zero-hour malware code that is not detected by the traditional signature-based, anti-malware products...


2008-11-17, 23:07

- http://www.sophos.com/security/blog/2008/11/1995.html?_log_from=atom
16 November 2008 - "While the take-down of McColo received a lot of attention in the last few days, it seems not everyone was listening: the company came back online yesterday for a while thanks to TeliaSonera AB, a Swedish ISP that has a router in San Jose... Apparently those responsible for hooking up new customers at TeliaSonera don’t read security blogs. That said, the company does deserve props for its rapid response to complaints: I emailed their abuse@ address yesterday evening, received a reply a few hours later from Jimmy Arvidsson — the head of their security department — saying they were taking action to revoke the peering, and when I started work in Vancouver this morning McColo was down again. It’s great to see such a rapid result from a complaint to an ISP!... we were both too late to prevent the Rustock guys hurriedly pushing an update to at least some of their bots, switching them from McColo to a new host in Russia during the brief period of connectivity. Thus we should expect spam volumes to increase again soon (Rustock is estimated* to be capable of sending 30 billion spams per day), though how big an increase we’ll see depends largely on the number of zombie PCs the botnet’s controller was able to reach during McColo’s temporary resurrection. For now, though, volume on our spamtraps is still hovering around a quarter of what it was before the take-down..."
* http://en.wikipedia.org/wiki/Botnet#List_of_Botnets

:fear: :mad:

2008-11-18, 15:04
It seems that it was GigLinx.com, a reseller of bandwith, that managed to hook up McColo thru Telias network. It is obvious that the time was carefully choosen by McColo when they went live. During the weekends most of the ISP:s have minimal staff and they hoped that it would have passed unoticed and it would take until Monday morning for GigLinx or Telia to act on this. Now they got disconnected by Telia somewhere around 1:30 pm GMT. Thats about 9 hours efter the first post on the NANOG list that McColo had resurrected. I think it's pretty fast acting from a telco on a sunday


2008-11-18, 17:25
I think it's pretty fast acting from a telco on a sunday

Better than appearing in the Washington Post Monday. ;)

2008-11-21, 21:20

- http://www.secureworks.com/research/blog/index.php/2008/11/18/first-atrivo-now-mccolo/
November 18, 2008 - "... The companies that were connected to Atrivo and McColo have severed those connections, removing the companies from the Internet... A number of other botnets, including Rustock, Srizbi, Pushdo and Ozdok had infrastructure hosted at McColo. It’s clear that this infrastructure remains in place... Other botnets will also be relocating their C&C servers. While most, if not all, will just pop up in another datacenter, the growing trend of upstream providers disconnecting nefarious hosting companies is encouraging. So far these companies have been US based. We’re now seeing early evidence that bot-herders are moving their C&C servers overseas. The next question is: will the Internet community be able to put pressure on those companies and their upstream providers to prevent the bot-herders from finding a new safe haven?"


2008-11-23, 18:29
There is a rather high knowledge about spam, malware (and other bad things) among the european operators so this shouldn't be a problem. And in some countries there is laws that prohibt this kind of activity. Sure there will always be some operators and countries that are in the grey zone. But it would not be a major problem compared to the sitiuation we have today.

2008-11-26, 12:48

- http://voices.washingtonpost.com/securityfix/2008/11/spam_volumes_expected_to_rise.html
November 26, 2008 - "... The "Srizbi" botnet, a collection of more than half a million hacked PCs that were responsible for relaying approximately 40 percent of all spam sent worldwide, was knocked offline two weeks ago due to pressure from the computer security community. On Nov. 11, the Internet servers used to control the Srizbi botnet were disconnected when a Web hosting firm identified by security experts as a major host of organizations engaged in spam activity was taken offline by its Internet providers. Turns out, Srizbi's authors had planned ahead for such a situation by building into each bot a fail-safe mechanism in case its master control servers were unavailable: A mathematical algorithm that generates a random but unique Web site domain name to check for new instructions and software updates. With such a system in place, the malware authors can regain control over the bots merely by registering the Web site names that the infected machines are trying to visit and placing the instructions there. According to FireEye*, a security company in Milpitas, Calif., that has closely tracked the botnet's actviity, a number of those rescue domains were registered Tuesday evening, apparently directing at least 50,000 of the Srizbi-infected machines to receive new instructions and malicious software updates from servers in Estonia..."
* http://blog.fireeye.com/research/2008/11/its-srizbi-trun-now.html
2008.11.25 - "... The new Command and Control servers are located in Estonia, and the domains registered through a registrar in Russia... all SMTP servers that the sample tried to contact ended in .ru. One of these servers was the largest bank in Russia. This is yet another tie of Botnets to Russia..."


2008-11-27, 16:40

- http://www.theregister.co.uk/2008/11/26/srizbi_returns_from_dead/
26 November 2008 20:48 GMT - "...At time of writing, most of Srizbi's connection to the outside world had once again been severed, thanks to decisive actions taken to shut down servers located in Estonia. A single server located in Germany continued to host some nodes of the network, as researchers scrambled to get it shut down as well. "An onslaught of spam was certainly averted," said Alex Lanstein, a researcher at intrusion detection system prover FireEye, who has spent the past four weeks closely monitoring Srizbi. "Estonia stepped in in record time and kicked these guys off line"..."


2008-12-03, 18:19

MS08-067 botnet
- http://preview.tinyurl.com/6m77k9
December 1, 2008 (Computerworld) - "The worm exploiting a critical Windows bug that Microsoft Corp. patched with an emergency fix in late October (MS08-067) is being used to build a new botnet*..."
* http://forums.spybot.info/showpost.php?p=261441&postcount=45


2008-12-08, 03:31

Classmates dot com Fast Flux Malware
- http://asert.arbornetworks.com/2008/12/classmates-dot-com-fast-flux-malware/
December 5, 2008 - "The Gozi infostealer is running around, this time using new domains and a new lure: a “video invitation from your classmates”. This has been going on all week, too. In an email purporting to be from Classmates .com, you’re told to go look at a web page and join up. To view the video you need to .. you guessed it, download a new Flash player. Don’t worry, they’ll help you out... christmasclasses .com, is fast fluxing. If you can, block the hosts via a DNS server or some similar filter... The malcode you download, “AdobePlayer10.exe”, is a Gozi downloader... AV detection is fair (from VirusTotal*). Same basic thing as the Obama malcode from last month:
* downloads addons2.exe from a fast flux host using the domain name albertonixl .com.
* sends the Gozi data to a host in AS44997, BTG transit route block.
Our friends at Secure Works have an excellent writeup on Gozi**. This threat is -not- dead."

* http://www.virustotal.com/analisis/74e55e837c13187d4c4720f388a70aba

** http://www.secureworks.com/research/threats/gozi/


2008-12-09, 13:15

Mega-D botnet is back...
- http://www.theregister.co.uk/2008/12/08/mega_d_returns/
8 December 2008 - "One of the three botnets cut off by the shutdown of rogue ISP McColo is back in business. The Mega-D botnet is back on its feet and throwing off huge volumes of spam... There's generally agreement among other security firms that junk mail levels are increasing to pre-McColo shutdown levels but some confusion about which botnets has woken up to pump out the gunk. IBM's ISS security tools division also notes* increased spam levels. It reckons junk mail volumes are half what they were immediately prior to the McColo takedown, or the same level as at the start of 2008... MessageLabs ventured the opinion*** that of the three botnets hosted by McColo only Srizbi remains homeless. "With the exception of Srizbi, the affected botnets have since found alternative hosting, resulting in a return to spam levels close to those before the takedowns, with rival botnets such as Cutwail and Rustock taking-up the slack left by Srizbi's absence," it said."
* http://blogs.iss.net/archive/mccolo-2.html
December 05, 2008 - "...Over the past few days... spam volume has been picking up the pace. It has now reached 50% of the volume before the takedown... which is also equivalent to the volume we saw at the beginning of the year. The mix of spam we’re seeing is different, too. There has been a notable increase in small, HTML-based mail with minimal or no text and an embedded picture URL. This increase isn’t due to all spammers substantially changing the type of spam they send, it’s due to one botnet, Srizbi, that appears to be recovering faster than the others. The increase of this particular botnet has been noted by others... This spammer also appears to be more concerned about the size of their spam messages, because they’ve gone down from 3.5k to 2.5k on average, possibly due to a new constraint of limited bandwidth..."
** http://www.heise-online.co.uk/news/Botnet-rises-again--/112118

*** http://www.messagelabs.com/mlireport/MLIReport_Annual_2008_FINAL.pdf
(6.3MB PDF file)


2009-01-01, 15:12

- http://blog.trendmicro.com/top-8-in-08/
Dec. 30, 2008 - "...A .DLL worm, WORM_DOWNAD.A, which exploits the MS08-067 vulnerability, and exhibited routines that led security analysts to postulate that it is a key component in the development of a new botnet. More than 500,000 unique hosts spread across different countries have since been discovered to have fallen victim to this threat..."

> http://forums.spybot.info/showthread.php?p=273291#post273291

:fear: :mad:

2009-01-06, 22:17
FYI... video:

- https://www.clarifiednetworks.com/Blog/2009-01-01%2018-15
2009-01-01 - "F-Secure collected a bunch of neat log data on botnet IRC channel joins :mad: . They then asked us to visualize the joins on a world map, much akin to what we did with the Kaminsky DNS patching logs*..."
* https://www.clarifiednetworks.com/KaminskyDNS