Pandemic of the botnets 2010

2010-01-18, 18:04

Conficker worm - Akamai report
- http://www.computerworld.com/s/article/9145018/Conficker_worm_hasn_t_gone_away_Akamai_says?
January 15, 2010 - "Variants of the Conficker worm were still active and spreading* during the third quarter, accounting for much of attack traffic on the Internet, according to Akamai Technologies... During the third quarter, 78 percent of Internet attacks observed by Akamai targeted port 445, up from 68 percent during the previous quarter. Port 445, which is used by Microsoft Directory Services, is the same port that Conficker targets, aiming to exploit a buffer overflow vulnerability in Windows and infect the targeted computer. Most attacks originated from Russia and Brazil, which replaced China and the U.S., as the top two sources of attack traffic. Russia and Brazil accounted for 13 percent and 8.6 percent of attack traffic, respectively, Akamai said. The U.S., which came in at No. 3, accounted for 6.9 percent of attack traffic and No. 4 China accounted for 6.5 percent..."
* http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking#toc12

Conficker Working Group
- http://www.confickerworkinggroup.org/wiki/

> http://www.team-cymru.org/Monitoring/Graphs/

- http://blog.trendmicro.com/where-in-the-world-is-downadconficker/
Jan 26, 2010


2010-01-30, 13:55

Pushdo DDoS'ing or Blending In?
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100129
29 January 2010 - "Is your site on the list we have posted here* or in the table at the bottom of this page? If so you might have noticed a massive uptick in SSL connections to your website over the past week or so. What do I mean by massive? I mean you are likely seeing an unexpected increase in traffic by several million hits spread out across several hundred thousand IP addresses... it seems the Pushdo** botnet recently made changes to its code to cause infected nodes to create junk SSL connections to approximately 315 different websites..."

* http://www.shadowserver.org/wiki/uploads/Calendar/pushdo_sites.txt

** http://www.secureworks.com/research/threats/pushdo/

>>> (More detail at the Shadowserver URL above.)

(Hundreds) under bizarre SSL assault
- http://www.theregister.co.uk/2010/01/29/strange_ssl_web_attack/
29 January 2010 20:55 GMT

- http://isc.sans.org/diary.html?storyid=8125
Last Updated: 2010-01-30 11:09:16 UTC

- http://www.m86security.com/labs/i/Malicious-Fake-ABA-Websites-,trace.1230~.asp
January 26, 2010

- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=222600679
Feb. 1, 2010

- http://isc.sans.org/diary.html?storyid=8131
Last Updated: 2010-02-02 15:57:18 UTC


2010-02-11, 14:02

Russian botnet tries to kill rival
- http://www.computerworld.com/s/article/9154618/New_Russian_botnet_tries_to_kill_rival?
February 9, 2010 - "An upstart Trojan horse program has decided to take on its much-larger rival by stealing data and then removing the malicious program from infected computers. Security researchers say that the relatively unknown [Spy Eye toolkit] added this functionality just a few days ago in a bid to displace its larger rival, known as Zeus. The feature, called "Kill Zeus," apparently removes the Zeus software from the victim's PC, giving Spy Eye exclusive access to usernames and passwords. Zeus and Spy Eye are both Trojan-making toolkits, designed to give criminals an easy way to set up their own "botnet" networks of password-stealing programs. These programs emerged as a major problem in 2009, with the U.S. Federal Bureau of Investigation estimating last October that they have caused $100 million in losses. Trojans such as Zeus and Spy Eye steal online banking credentials..."

- http://www.theregister.co.uk/2010/02/09/spyeye_bots_vs_zeus/
9 February 2010


2010-02-17, 22:33

E-mail malware prolific
- http://www.theregister.co.uk/2010/02/17/spam_botnet_trends/
17 February 2010 - "... the Lethic botnet*** has returned from the grave since it was decapitated by the combined efforts of security firms and ISPs in early January... Symantec warned** on Wednesday about a new targeted email attack designed to seed agents of the Cutwail botnet on corporate systems. Botnet clients offer a handy tool for information stealing and launching denial of service attacks, as well as distributing spam. A recent study by net security firm Damballa ranks the ten worst botnets by number of infections within enterprise networks. This survey* rates the infamous ZeuS spyware agent as the greatest menace to corporate security, with the Koobface worm, which spreads via messages on social networks, a close second."
* http://blog.damballa.com/?p=569
February 16, 2010

** http://www.symantec.com/connect/blogs/targeted-attacks-now-using-bredolab-malware
February 17, 2010

*** http://www.m86security.com/labs/i/Lethic-is-Back-in-the-Game,trace.1241~.asp
February 16, 2010

- http://urgentcomm.com/networks_and_systems/mag/user-data-security-threats-201002/
Feb 1, 2010 - "... the black market for corporate information is now worth more than the international drug trade, and these thieves' practices have become a sophisticated operation that often involves hiring affiliates willing to install malicious software on thousands of devices for as much as $100 per device..."


2010-02-18, 10:46

ZeuS infects nearly 2,500 companies...
- http://online.wsj.com/article/SB10001424052748704398804575071103834150536.html
FEBRUARY 17, 2010 - "Hackers in Europe and China successfully broke into computers at nearly 2,500 companies and government agencies over the last 18 months in a coordinated global attack that exposed vast amounts of personal and corporate secrets to theft, according to a computer-security company that discovered the breach... Starting in late 2008, hackers operating a command center in Germany got into corporate networks by enticing employees to click on contaminated Web sites, email attachments or ads purporting to clean up viruses, NetWitness found. In more than 100 cases, the hackers gained access to corporate servers that store large quantities of business data, such as company files, databases and email. They also broke into computers at 10 U.S. government agencies... The computers were infected with spyware called ZeuS, which is available free on the Internet in its basic form... Evidence suggests an Eastern European criminal group is behind the operation, likely using some computers in China because it's easier to operate there without being caught...There are some electronic fingerprints suggesting the same group was behind a recent effort to dupe government officials and others into downloading spyware via emails purporting to be from the National Security Agency and the U.S. military..."

- http://www.theregister.co.uk/2010/02/18/massive_hack_attack/
18th February 2010 - "... The infections by a variant of the Zeus botnet began in late 2008 and have turned more than 74,000 PCs into remote spying platforms that have siphoned highly proprietary information out of at least 10 federal agencies and thousands of companies... The researchers were also surprised to find the infected machines working hand-in-hand with malware that's generally considered to rival Zeus. More than half of the compromised PCs were also infected by Waledac..."


2010-02-25, 15:48

Waledac decapitated...
- http://www.theregister.co.uk/2010/02/25/ms_waledac_takedown/
25 February 2010 - "Microsoft has won a court-issued take-down order against scores of domains associated with controlling the spam-spewing Waledac botnet. The software giant's order allows the temporary cut-off of traffic to -277- Internet domains that form command and control nodes for the network of compromised machines. Infected (zombie) machines are programmed to regularly poll these control points for instructions and spam templates. The .com domains, registered in China, will be sin-binned by VeriSign, at least temporarily decapitating the network..."

Waledac Tracker Summary Data
- http://www.sudosecure.net/waledac/index.php

- http://microsoftontheissues.com/cs/blogs/mscorp/archive/2010/02/24/cracking-down-on-botnets.aspx
24 February 2010

- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100324
24 March 2010 - "... while Waledac was not the *worst* or "spammiest" botnet out there, this effort was not in vain. Success is not measured in the percentage of spam reduced over a weeks time. Success in this arena is in the advancement of the 'arsenal' and in breaking new ground in the analysis and disruption of 'notorious' botnets, no matter how they're defined :) "


2010-03-04, 02:41

Mariposa botnet takedown
- http://www.theregister.co.uk/2010/03/03/mariposa_botnet_bust_analysis/
3 March 2010 - "... Defence Intelligence teamed up with academics at Georgia Tech Information Security Center and security experts at PandaLabs and law enforcement to form the Mariposa Working Group in order to eradicate the botnet and bring the perpetrators to justice. The Mariposa Working Group infiltrated the command-and-control structure of Mariposa to monitor the communication channels that relayed information from compromised systems back to the hackers who run the botnet. Analysis of the command system laid the groundwork for the December 2009 shutdown of the botnet, as well as shedding light on how the malware operated and provided a snapshot of the current state of the underground economy. Mariposa (Spanish for butterfly) botnet malware spread via P2P networks, infected USB drives, and via MSN links that directed surfers to infected websites. Once infected by the Mariposa bot client, exposed machines would have various strains of malware installed (advanced keyloggers, banking trojans like Zeus, remote access trojans, etc) by the hackers to obtain greater control of compromised systems. The botmasters made money by selling parts of the botnet to other cybercrooks, installing pay-per-install toolbars, selling stolen credentials for online services and laundering stolen bank login credentials and credit card details via an international network of money mules. Search engine manipulation and serving pop-up ads was also part of the illegal business model behind the botnet... when the December shutdown operation happened, the gang’s leader, alias Netkairo, panicked in his efforts to regain control of the botnet. Netkairo made the fatal error of connecting directly from his home computer instead of using the VPN, leaving a trail of digital fingerprints that led to a series of arrests two months later. A blog post by Panda Software* explains what happened next..."
* http://pandalabs.pandasecurity.com/mariposa-botnet/
03/3/10 - "In May 2009, Defence Intelligence announced the discovery of a new botnet, dubbed “Mariposa”. This discovery was followed by months of investigation, aimed at bringing down the criminal network behind what was to become one of the largest botnets on record... Netkairo finally regained control of Mariposa and launched a denial of service attack against Defence Intelligence using all the bots in his control. This attack seriously impacted an ISP, leaving numerous clients without an Internet connection for several hours, including several Canadian universities and government institutions. Once again, the Mariposa Working Group managed to prevent the DDP Team from accessing Mariposa. We changed the DNS records, so the bots could not connect to the C&C servers and receive instructions, and at that moment we saw exactly how many bots were reporting. We were shocked to find that more than 12 million IP addresses were connecting and sending information to the C&C servers, making Mariposa one of the largest botnets in history. On February 3, 2010, the Spanish Civil Guard arrested Netkairo. After the arrest of this 31-year-old Spaniard, police seized computer material that led to the capture of another two Spanish members of the gang: J.P.R., 30, a.k.a. “jonyloleante”, and J.B.R., 25, a.k.a. “ostiator”. Both of them were arrested on February 24, 2010. Victims of Mariposa include home users, companies, government agencies and universities in more than 190 countries..."

- http://blogs.technet.com/mmpc/archive/2010/03/04/in-focus-mariposa-botnet.aspx
March 04, 2010

- http://blog.trendmicro.com/mariposa-botnet-perpetrators-captured/
March 04, 2010

Mariposa stats
- http://pandalabs.pandasecurity.com/mariposa-stats/


2010-03-06, 18:20

Wiseguys botnet...
- http://www.avertlabs.com/research/blog/index.php/2010/03/05/wiseguys-botnet-first-in-line-for-concert-sports-tickets
March 5, 2010 - "... This week, a federal judge in Newark, New Jersey, revealed the latest use of a botnet-like network with a CAPTCHA breaker. In this case, the computers overseen by the defendants were used to buy seats for high-profile concerts and sports events from ticket sellers’ websites. The defendants later allegedly resold the tickets on the Internet at much higher prices. According to the indictment*, the distributed software was developed by some programmer accomplices in Bulgaria... Unlike botnets we frequently encounter, this one was set up on dedicated computers designed solely for this purpose. The botnet purchased more than 1.5 million premium tickets to events from late 2002 to about January 2009, making a profit estimated at $28.9 million. The employees, contractors, and defendants behind this rip-off are known as the “Wiseguys,” based on the name of the Nevada corporation they created (Wiseguy Tickets, Inc.). The Wiseguys botnet was a nationwide network of computers used to purchase thousands of tickets within minutes. The botnet:
• Monitored the online ticket vendors’ websites for the exact moment that tickets to popular events went on sale
• Opened thousands of connections at the instant that tickets went on sale
• Defeated the CAPTCHA challenge in a fraction of a second (a human needs five to ten seconds), thus speeding ahead of legitimate buyers
• Supervised by Wiseguys employees, prepared lists of hundreds of the best tickets almost instantly
• Filled in all the fields necessary to complete the purchases, including customer credit card information and false e-mail addresses..."
* http://media.nj.com/ledgerupdates_impact/other/Wiseguys%20Indictment%20-%20Filed.pdf


2010-03-11, 13:17

Zeus botnet C&C - partial takedown
- http://www.theregister.co.uk/2010/03/10/massive_zeus_takedown/
10 March 2010 - "At least a quarter of the command and control servers linked to Zeus-related botnets have suddenly gone quiet, continuing a recent trend of takedowns hitting some of the world's most nefarious cyber operations. The massive drop is the result of actions taken by two Eastern European network providers. On Tuesday, they pulled the plug on their downstream customers, including an ISP known as Troyak, according to Mary Landesman, a senior researcher with ScanSafe, a web security firm recently acquired by Cisco Systems. That in turn severed the connections of servers used to control large numbers of computers infected by a do-it-yourself crime kit known as Zeus. Landesman said she was able to confirm figures provided by Zeus Tracker that found the number of active control servers related to Zeus had dropped from 249 to 181. The takedown came on Tuesday around 10:22 am GMT and was heralded by a sudden drop off in the number of malware attacks ScanSafe blocks from affected IP addresses. The takedown is the result of two network service providers, Ukraine-based Ihome and Russia-based Oversun Mercury, severing their ties with Troyak, said Landesman, who cited data returned by Robotex.com. The move meant that all the ISP's customers, law-abiding or otherwise, were immediately unable to connect to the outside world..."

- http://www.krebsonsecurity.com/2010/03/dozens-of-zeus-botnets-knocked-offline/
March 10, 2010 - "... Update, 4:36 p.m. ET: Sadly, it appears that Troyak — the Internet provider that played host to all these ZeuS-infested networks that got knocked offline yesterday — has since found another upstream provider to once again connect it to the rest of the Internet..."

- http://www.abuse.ch/?p=2417
March 11, 2010 - "... now being routed by RTCOMM-AS (AS8342 RTComm.RU), located in Russia..."
*** UPDATE 2010-03-11 21:30 (UTC) - "Bad news: Since Troyak started their peering with RTCOM-AS, the number of active ZeuS C&C servers has increased from 149 -up- to 191..."
*** UPDATE 2010-03-12 11:10 (UTC) ***
Another update: Troyak has changed their upstream provider again and is now being routed by NLINE-AS (AS25189 – JSC Nline)...
- http://www.google.com/safebrowsing/diagnostic?site=AS:25189

- http://stopbadware.org/reports/asn/25189
- http://stopbadware.org/reports/asn/8342

- http://www.google.com/safebrowsing/diagnostic?site=AS:8342
"... 1229 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... last time suspicious content was found was on 2010-03-12... 52 site(s) on this network... appeared to function as intermediaries for the infection of 199 other site(s)... 78 site(s)... that infected 1594 other site(s)..."

- http://www.cio.com/article/572813/After_Takedown_Botnet_Linked_ISP_Troyak_Resurfaces


2010-03-22, 20:52

Pushdo cracks captchas at MS Hotmail/Live.com/MSN webmail
- http://blog.webroot.com/2010/03/22/pushu-variant-spams-hotmail-cracks-audio-captchas/
March 22, 2010 - "A new version of Trojan-Pushu is doing some interesting stuff to bypass captchas used by Microsoft’s Hotmail/Live.com/MSN webmail services in order to spam people with links to malicious Yahoo Groups pages. The three-year-old spy (known by a variety of other aliases, including Cutwail, Pushdo, Diehard, and Rabbit) has always been, primarily, a spam bot. In this case, however, the spy is not sending spam by connecting to open mail relays or more traditional means; it’s spamming through the Hotmail/Live.com Web mail interface... during the course of the spam sessions, the spy apparently pulls down “audio captchas” and successfully sends back the correct response, which permits it to continue spamming... The spam emails themselves are short, written by someone who doesn’t have a strong grasp of English grammar..."

(Screenshots available at the URL above.)


2010-04-01, 09:38

TT-Bot DDoS Bot Analysis
- http://asert.arbornetworks.com/2010/04/tt-bot-ddos-bot-analysis/
April 1, 2010 - "We recently spotted this family in our malware zoo, another HTTP DDoS bot. This one’s identifying mark is the string “User-Agent: TT-Bot 1.0.0” in the client requests. We do not know if this is a kit, this one appears to be in limited use. We have not explored the server-side of it... Static analysis suggests that the code is written in MS VB 6... At this time this botnet is still live and issuing commands. We do not know how big this botnet is."

ZeuS banking trojan botnet
- http://www.secureworks.com/research/threats/zeus/
March 11, 2010 - "... ZeuS is a well-known banking Trojan horse program, also known as crimeware. This trojan steals data from infected computers via web browsers and protected storage. Once infected, the computer sends the stolen data to a bot command and control (C&C) server, where the data is stored... ZeuS has evolved over time and includes a full arsenal of information stealing capabilities... observed other ZeuS databases for sale on various underground black markets. Their size is typically over 10GB, which is a botnet of approximately 23,000 infected computers (bots)... "

BlackEnergy botnet
- http://www.forbes.com/2010/03/03/cybercrime-black-energy-technology-security10-banks_print.html
03.03.10 - "... Secureworks issued a report describing a new cybercriminal group that aims a one-two punch at banks. First it collects banking customers' passwords using a variation of the so-called BlackEnergy software, which has infected thousands of computers worldwide to create a "botnet" of hijacked machines. The machines use the collected passwords to move funds into the hackers' accounts, and then typically delete files from the user's computer to cover their tracks. But what follows that fraud is an unlikely step: a cyberattack known as a "distributed denial-of-service," using a flood of data requests from the infected computers to take down the company's online banking service. "The same botnet that's being used to steal money from banks is launching these denial-of-service attacks on them," says Secureworks* researcher Joe Stewart..."
* http://www.secureworks.com/research/threats/blackenergy2/
March 3, 2010 - "BlackEnergy, a popular DDoS Trojan, gained notoriety in 2008 when it was reported to have been used in the cyber attacks launched against the country of Georgia in the Russia/Georgia conflict. BlackEnergy was authored by a Russian hacker. A comprehensive analysis* of the version of BlackEnergy circulating at the time was done in 2007 by Arbor Networks... There is no distinct antivirus trojan family name that corresponds to the BE2 dropper or rootkit driver. Antivirus engines that detect it either label it with a generic name, or as another trojan - most often it is mis-identified as "Rustock.E", another rootkit trojan from a different malware family. The BlackEnergy rootkit does share some techniques in common with the Rustock rootkit..."
* http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf
"... HTTP-based botnet used primarily for DDoS attacks..."

- http://blogs.forbes.com/firewall/2010/03/30/its-all-just-malware-now/
March 30, 2010
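Both the TT-Bot write-up and the BlackEnergy analysis above concern HTTP-based DDoS bots, and ASERT quotes the one fixed identifier TT-Bot leaves in every request: its User-Agent string. The script below is an added example, not ASERT's, SecureWorks' or any quoted author's code. It reads Apache combined-format access-log lines and flags clients two ways: by a known bot User-Agent substring (the TT-Bot string from the post) and by per-second request rate, which catches a flood whose bot uses a generic browser UA. The sample log lines, the rate threshold and the list of known-bot strings are assumptions made for the example.

```python
# Added example (not ASERT's, SecureWorks' or any quoted author's code): flag
# HTTP-flood clients in an Apache combined-format access log, both by the
# TT-Bot User-Agent string quoted above and by per-second request rate. The
# sample log, rate threshold and field names are assumptions for this example.
import re
from collections import Counter, defaultdict

COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# User-Agent substrings tied to known HTTP DDoS bots; TT-Bot's is the one named in the ASERT post.
KNOWN_BOT_AGENTS = ("TT-Bot 1.0.0",)


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def detect_http_flood(lines, rate_threshold=20):
    """Map client IP -> sorted list of reasons it was flagged.
    'user-agent signature': a known bot UA string appeared in a request;
    'request rate': at least rate_threshold requests within a single second."""
    per_ip_second = Counter()
    reasons = defaultdict(set)
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue                 # malformed line: skip rather than abort the sweep
        if any(sig in rec["ua"] for sig in KNOWN_BOT_AGENTS):
            reasons[rec["ip"]].add("user-agent signature")
        per_ip_second[(rec["ip"], rec["time"])] += 1   # combined-format time has one-second resolution
    for (ip, _second), count in per_ip_second.items():
        if count >= rate_threshold:
            reasons[ip].add("request rate")
    return {ip: sorted(r) for ip, r in reasons.items()}


BROWSER_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.6"


def build_access_log():
    """Constructed sample: one ordinary visitor, one TT-Bot client sending a
    modest burst, one malformed line, and one bot with a generic UA hammering
    the site."""
    def entry(ip, second, path, ua):
        return (f'{ip} - - [01/Apr/2010:12:00:{second:02d} +0000] '
                f'"GET {path} HTTP/1.1" 200 512 "-" "{ua}"')
    lines = [entry("198.51.100.5", 0, "/", BROWSER_UA),
             entry("198.51.100.5", 3, "/news", BROWSER_UA),
             "this line is not an access-log record"]
    lines += [entry("192.0.2.9", 5, "/", "TT-Bot 1.0.0") for _ in range(12)]
    lines += [entry("192.0.2.20", 5, "/index.php", "Mozilla/4.0 (compatible; MSIE 6.0)")
              for _ in range(25)]
    return lines


if __name__ == "__main__":
    for ip, why in detect_http_flood(build_access_log()).items():
        print(ip, why)
```

With the default threshold the TT-Bot client is caught by its signature alone (12 requests in a second is below the rate cut-off) and the generic-UA bot only by rate; lowering rate_threshold makes the TT-Bot client trip both. A UA string is trivially changed by the bot author, so the rate check is the one that keeps working after the next variant ships, and the signature is what lets you name the family while it still holds.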


2010-04-23, 14:38

Koobface spreads on Facebook and Twitter
- http://www.theregister.co.uk/2010/04/23/koobface_takedown/
23 April 2010 - "Security experts in Hong Kong last week succeeded in taking down a key component of the Koobface botnet, only to witness the system popping up in China. The Koobface FTP grabber component uploaded stolen FTP user names and passwords to the remote server, which was under the control of cybercrooks... In response, the Koobface gang moved their server to a hosting firm in China. Last month the command and control servers associated with Koobface underwent a complete refresh... Koobface spreads via messages on social networking sites like Facebook and Twitter. Cybercrooks behind the sophisticated malware make their money by distributing scareware packages onto compromised machines, and by other cyberscams, including information harvesting. The worm gets less press than the malware associated with the Google China attacks or the high-profile Conficker worm, though experts consider it both more sophisticated and a bigger security threat..."
* http://blog.trendmicro.com/koobface-ip-taken-down-gang-transfers-hosting-to-china/


2010-04-27, 07:12

New ZeuS variants
- http://blog.trendmicro.com/at-a-glance-new-zeus-variants/
Apr. 26, 2010 - "... Given the vast number of toolkit versions readily available in the underground, the features ZeuS possesses continue to thwart both antivirus and other security solutions as well as the efforts made by the security industry. This time, the malware upholds its notorious reputation with a new version related to previous detections TSPY_ZBOT.CRM and TSPY_ZBOT.CQJ. ZBOT variants steal account credentials when users visit various social networking, online shopping, and bank-related websites. They have rapidly become popular tools for cybercriminals to use, thanks to exceptional information-stealing routines and rootkit capabilities, which allow them to stay stealthy and to affect users’ systems without their knowledge. Current ZBOT variants use fixed file names (both for their executable and component files). The file names may vary from one ZBOT version to another but they are recognized by security analysts. This is not the case for the new ZBOT variants seen above. Instead of using prespecified names, both TSPY_ZBOT.CRM and TSPY_ZBOT.CQJ use random names for the files and directories they create. In addition, ZBOT now injects its code into the Explorer process, something that previous variants did not do. Both of these attempts by cybercriminals to lessen the profile of ZBOT are in response to the malware family’s notoriety, which means that ZBOT malware are now becoming somewhat easier to detect. The under-the-hood changes to the ZBOT variants are, if anything, more significant. These new ZBOT variants inject themselves into the following processes:
* ctfmon.exe
* explorer.exe
* rdpclip.exe
* taskeng.exe <<
* taskhost.exe <<
* wscntfy.exe
From this list, we can see that the new ZBOT version now “features” support for both Windows Vista and Windows 7. Taskeng.exe and Taskhost.exe are processes both found in Windows Vista and Windows 7 though neither were found in older versions such as Windows XP..."


2010-04-28, 05:04

ZeuS/ZBOT tries out file infection
- http://blog.trendmicro.com/zeuszbot-tries-out-file-infection/
Apr. 27, 2010 - "ZeuS/ZBOT is best known for its information-stealing routines via the use of configuration files downloaded from their home sites... Cybercriminals have thus tried utilizing drive-by downloads, spammed messages, worm propagation, and many more ways. This time, they are trying out file infection. The malware detected by Trend Micro as PE_ZBOT.A injects code into target files and modifies its entry point to redirect to its code. This allows the malware to run its code whenever the infected file is executed. It then attempts to connect to the remote sites from which it downloads and executes malicious files that allow it to steal information from an affected system. The downloaded files are detected as TROJ_KRAP.SMDA and TSPY_ZBOT.SMAP. Once it completes its routine, it returns control of the affected system to its host file. This only shows that cybercriminals are continuously finding new ways to make sure they do not go out of business. The best way to protect one’s system is to be aware of the many techniques cybercriminals use and to keep security solutions and other pertinent applications patched and up-to-date."


2010-04-28, 14:12

Storm botnet 2.0...
- http://www.theregister.co.uk/2010/04/27/storm_botnet_returns/
27 April 2010 - "After blowing itself out 18 months ago, the notorious Storm botnet is back, researchers from CA said Tuesday. Storm - once responsible for churning out 20 percent of the world's spam - started to peter out in September 2007, when Microsoft targeted it through the Malicious Software Removal Tool. Some 274,372 demonized PCs were exorcised during the first month alone... CA has identified three variants of Storm that at time of writing were detected by 26, 25 and 24 of the top 41 anti-virus products. CA's writeup is here*."
- http://www.virustotal.com/analisis/91dba12a82c6a4c5c5786c0753aaaacc2da9f3d8e7f11db2de4602a9db35220a-1272369992
File asam.exe received on 2010.04.27 12:06:32 (UTC)
Result: 26/40 (65.00%)
- http://www.virustotal.com/analisis/9959307728e3474b20a023af358013be9f536ad230617dd717319e7c7feb2a44-1271938070
File asam.exe.000 received on 2010.04.22 12:07:50 (UTC)
Result: 25/40 (62.50%)
- http://www.virustotal.com/analisis/0a6a666932379aa1a5004ea57142508a2082ed7a32cf490ebba053c5bc64737d-1272328532
File asam.exe received on 2010.04.27 00:35:32 (UTC)
Result: 24/40 (60.00%)

* http://community.ca.com/blogs/securityadvisor/archive/2010/04/26/the-come-back-of-storm-worm.aspx
April 26 2010 - "... beware of these kind of spam emails... spam-generating campaign distributes the following:
* Bogus Online Pharmacy Spam Emails
* Impotency related Spam Emails
* Adult Dating Spam Emails
* Celebrity Scandals Spam Emails..."

- http://krebsonsecurity.com/2010/04/infamous-storm-worm-stages-a-comeback/
April 28, 2010

- http://sunbeltblog.blogspot.com/2010/04/storm-botnet-its-ba-a-a-ck.html
April 28, 2010 - "... the new botware uses the same configuration file (C:\WINDOWS\herjek.config) as Storm... new version, however uses an HTTP-based command-and-control channel instead of peer-to-peer..."


2010-05-04, 14:24

Botnets battle for digital real estate
- http://www.fortinet.com/press_releases/100503.html
May 3, 2010 - "... April 2010 Threatscape report* showed high activity from multiple botnets, namely Gumblar and Sasfis. While Gumblar remained in the No. 1 position in Fortinet's Top 10 Network Attacks list, the Sasfis botnet ranking was bolstered by two of its executables prevalent in Fortinet's Antivirus Top 10 listing. Like Bredolab, Sasfis is a botnet loader that reports statistics and retrieves/executes files upon check-in. However, Sasfis differs since it is newer and does not employ encryption (all communications are sent through HTTP unencrypted). Nonetheless, Sasfis continues to spread aggressively and typically loads banking trojans among other malicious files... Additional key threat activities for the month of April include:
• Microsoft vulnerabilities...
• Adobe Acrobat vulnerabilities...
• Ransomware and Scareware still top virus detection...
• Cutwail spambot leveraged for money mule recruitment..."

* http://www.fortiguard.com/report/roundup_april_2010.html


2010-05-05, 19:33

ISS - aftermath of doc.pdf, statistics, payload, and spam
- http://blogs.iss.net/archive/aftermathofdocpdf.html
May 03, 2010 - "It looks like the onslaught of spam email containing doc.pdf is mostly behind us... At the peak of the attacks, we received 85,000+ alerts in a single day, even if the attacker was successful at a 10% rate of infection that’s easily 8500 infections. This is not even considering the amount of these attacks worldwide which would be assumed in the millions... The SPAM email was sent from various SMTP servers globally, which appears to be originating from a botnet, looking to expand its troops... yet another potentially huge Zeus/Zbot botnet was created or expanded all through spam email. Zeus is a force to be reckoned with, its code base expanding and updated into version 2.0. Zeus version 2.0 has new infection measures, new encryption, Windows 7 support and a long list of new features. The evolving threat is not going away anytime soon, so we must all remain vigilant in protecting our networks."


2010-05-07, 18:25

SPAM botnet activity - last week
- http://www.m86security.com/labs/i/Canadian-Pharmacy-no-Longer-King,trace.1316~.asp
May 5, 2010 - "... Other than Mega-D and Maazben which exclusively spam out links to Canadian Pharmacy and Casino websites respectively, the top spam botnets promote a range of brands. This could either be because the botnet controllers belong to multiple affiliate programs or because they rent out spamming capacity to different people who are affiliates trying to promote their chosen brand... top six affiliate brands, promoted in 90 percent of spam in the last week, was sent by the top spam botnets. Some of the botnets involved in sending this stuff have a huge amount of spamming capacity, like Rustock which is currently sending around 40 percent of the spam we see. As such, botnet operators have the ability to greatly influence the market shares of affiliate programs simply by changing their spam templates..."

(Charted/available at the URL above.)


2010-05-11, 18:06

Zbot/ZeuS - cybercriminals on the offensive
- http://www.securelist.com/en/analysis/204792115/Crimeware_A_new_round_of_confrontation_begins#2
29 Apr 2010 Kaspersky Lab - "... More and more frequently these days, we hear about successful attacks perpetrated by the cybercriminals against the clients of financial organizations... One recent classic example comes from the Zbot-toolkit family, which is also known as ZeuS... widespread geographic diversity ensures the longevity of the botnet. As recent practice has shown, the botnet cannot be destroyed by merely closing down a few of the hosting sites. On 9 March... ZeuS Tracker noticed an abrupt decrease in the number of control centers and saw that it correlated with the disconnection of an Internet Service Provider by the name of Troyak... Troyak found a new teleservices provider and by 13 March the number of control centers had increased to more than 700 again... These botnets act as greenhouses for the propagation of financial malware. It is with this kind of malware that the cybercriminals steal users’ money most readily, and they are constantly finding new victims. The numbers clearly show an increase in the quantity of malicious programs targeting the clients of banks and other financial organizations over the past few years... Without state support very little will ever be accomplished in the fight against cybercrime. The problem will remain unresolved until such times that effective and efficient mechanisms exist for the necessary communication and interaction to take place between the relevant authorities."

(More detail and graphs available at the URL above.)


2010-05-14, 14:37

Avalanche botnet - TROYAK-AS connection...
- http://ddanchev.blogspot.com/2010/05/avalanche-botnet-and-troyak-as.html
May 13, 2010 - "According to the latest APWG Global Phishing Survey*:
'... by mid-2009, phishing was dominated by one player as never before: the Avalanche phishing operation. This criminal entity is one of the most sophisticated and damaging on the Internet, and perfected a mass-production system for deploying phishing sites and "crimeware" - malware designed specifically to automate identity theft and facilitate unauthorized transactions from consumer bank accounts. Avalanche was responsible for two-thirds (66%) of all phishing attacks launched in the second half of 2009...'
The Avalanche botnet's ecosystem is described by PhishLabs** as:
'Cutwail aka PushDo is a spamming trojan being used to send out massive amounts of spam with links (or lures) to phishing pages or pages that ask the users to download and run programs. Those programs invariably turn out to be instances of the Zeus/ZBot/WNSPOEM banking Trojan. There are also unrelated criminals that also use Zeus Trojans to steal online banking information that are not related to this set of scams. The Avalanche botnet is the middle-step between the spamming botnet and Trojans that steal banking information...'
One of the most notable facts about the botnet is their persistent interaction with the TROYAK-AS cybercrime-friendly ISP, where they used to host a huge percentage of their ZeuS C&Cs, next to the actual client-side exploit serving iFrame domains/IPs, found on each and every one of their phishing pages..."
* http://www.antiphishing.org/reports/APWG_GlobalPhishingSurvey_2H2009.pdf
** http://www.phishlabs.com/blog/ - http://www.phishlabs.com/blog/archives/176

(More detail and info available at the //ddanchev URL above.)

- http://www.theregister.co.uk/2010/05/13/avalanche_phishing_attacks/
13 May 2010

- http://sunbeltblog.blogspot.com/2010/05/apwg-report-one-gang-did-two-thirds-of.html
May 14, 2010


2010-06-07, 14:09

Asprox Spambot resurrects
- http://www.m86security.com/labs/i/The-Asprox-Spambot-Resurrects,trace.1345~.asp
June 5, 2010 - "... on the first day of June, the spamming resumed - this time focused on pharmaceutical campaigns. With the help of Pushdo and Bredolab downloader, it seems Asprox has risen from the dead to build another spamming bot network... analysis also highlights the intricate relationships between individual malware components, and hints at a common gang behind it all."

(Screenshots and more detail available at the URL above.)


2010-06-18, 20:47

SSH brute force attempts on the rise again...
- http://isc.sans.edu/diary.html?storyid=9031
Last Updated: 2010-06-18 12:32:51 UTC - "SSH brute force attempts seem to be on the rise again; at the SANS Internet Storm Center we have received a number of reports that a number of networks are seeing them. The source IP addresses vary with each new attempted username in the wordlist, which would indicate that the attempts are distributed through botnet(s). It only takes a single user with a weak password for a breach to occur, then with that foothold escalation and further attacks are likely next...
Reader xemaps wrote in with this log snippet:
"Whole day my server has been targeted by a botnet, attacker also changed ip each new dictionary user."
Jun 17 23:02:03 pro sshd[17444]: Invalid user mailer from 217.37.x.x
Jun 17 23:03:24 pro sshd[17460]: Invalid user mailer from 87.66.x.x
Jun 17 23:05:27 pro sshd[17617]: Invalid user mailman from 89.97.x.x
Jun 17 23:09:30 pro sshd[17639]: Invalid user mailtest from 62.2.x.x
Jun 17 23:15:44 pro sshd[17894]: Invalid user maker from 83.236.x.x
Jun 17 23:16:47 pro sshd[17925]: Invalid user mama from 84.73.x.x
Reader Ingvar wrote in with a similar pattern:
"On my home system I have seen these login attempts that start with user "aaa" and go on alphabetically from over 1000 different hosts around the world (judging from the DenyHosts reports). Normally I only see single-digit attempts per day."
Jun 17 02:14:56 MyHost sshd[808]: error: PAM: authentication error for illegal user aaa from 151.100.x.x
Jun 17 02:23:11 MyHost sshd[870]: error: PAM: authentication error for illegal user aabakken from 150.254.x.x
Jun 17 02:24:57 MyHost sshd[875]: error: PAM: authentication error for illegal user aapo from 173.33.x.x
Jun 17 02:35:23 MyHost sshd[885]: error: PAM: authentication error for illegal user abakus from 121.160.x.x
Jun 17 02:37:32 MyHost sshd[895]: error: PAM: authentication error for illegal user abas from 190.200.x.x
Jun 17 02:38:18 MyHost sshd[900]: error: PAM: authentication error for illegal user abc from 193.251.x.x

Last year ISC Handler Rick wrote up a diary* for Cyber Security Awareness Month - Day 17 - Port 22/SSH about SSH brute force attempts and some safeguards that can be implemented. Here is a brief summary:
• Deploy the SSH server on a port other than 22/TCP
• Deploy one of the SSH brute force prevention tools
• Disallow remote root logins
• Set PasswordAuthentication to "no" and use keys
• If you must use passwords, ensure that they are all complex
• Use AllowGroups to limit access to a specific group of users
• Use a chroot jail for SSH if possible
• Limit the IP ranges that can connect to SSH ..."

* http://isc.sans.edu/diary.html?storyid=7369

- http://isc.sans.edu/port.html?port=22

- http://isc.sans.edu/diary.html?storyid=9034
Last Updated: 2010-06-18 17:05:49 UTC
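The two sshd log formats quoted in the diary above, and its hardening list, as an added example (not code from the ISC diary or this thread): the first function classifies a batch of failed-login lines as single-source or distributed (source address changing almost every attempt, usernames arriving in wordlist order), and the second audits an sshd_config text against the list's PermitRootLogin / PasswordAuthentication / AllowGroups items. The sample lines use RFC 5737 documentation addresses and the thresholds `min_ips` and `max_per_ip` are my own choices, not values from the diary.

```python
"""Triage sshd auth-log lines for the distributed dictionary pattern the ISC
diary describes, and audit sshd_config against its hardening list.
Added example; all sample data below is constructed."""
import re
from collections import Counter
from dataclasses import dataclass

# The two sshd message shapes quoted in the diary: OpenSSH's "Invalid user"
# line and the PAM variant. Hostname and pid are not needed for triage.
_PATTERNS = (
    re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)"),
    re.compile(r"sshd\[\d+\]: error: PAM: authentication error for illegal user "
               r"(?P<user>\S+) from (?P<ip>\S+)"),
)


def parse_line(line):
    """Return (username, source_ip) for a failed-login line, else None."""
    for rx in _PATTERNS:
        m = rx.search(line)
        if m:
            return m.group("user"), m.group("ip")
    return None


@dataclass
class Verdict:
    attempts: int
    distinct_users: int
    distinct_ips: int
    max_per_ip: int      # attempts from the busiest single source
    wordlist: bool       # usernames arrive in alphabetical order
    distributed: bool    # many sources, each used only a few times


def assess(lines, min_ips=5, max_per_ip=2):
    """Classify a batch of log lines. In the distributed case the source
    changes almost every attempt, so per-IP blocklists (DenyHosts-style)
    see too few hits per address to trigger; key-only auth is the fix."""
    events = [e for e in map(parse_line, lines) if e]
    users = [u for u, _ in events]
    per_ip = Counter(ip for _, ip in events)
    wordlist = len(users) > 1 and all(
        a.lower() <= b.lower() for a, b in zip(users, users[1:]))
    busiest = max(per_ip.values(), default=0)
    distributed = len(per_ip) >= min_ips and busiest <= max_per_ip
    return Verdict(len(events), len(set(users)), len(per_ip), busiest,
                   wordlist, distributed)


# sshd_config items from the diary's list: keyword -> acceptable values
# (None means any non-empty value is acceptable).
_WANTED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "allowgroups": None,
}


def audit_sshd_config(text):
    """Return findings for settings that deviate from the list. sshd honours
    the first occurrence of a keyword, keywords are case-insensitive, and
    anything after a 'Match' line is conditional, so parsing stops there."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        seen.setdefault(key, value)
    findings = []
    for key, ok in _WANTED.items():
        if key not in seen or not seen[key]:
            findings.append(f"{key}: not set (relying on sshd default)")
        elif ok is not None and seen[key].lower() not in ok:
            findings.append(f"{key}: is '{seen[key]}', want one of {sorted(ok)}")
    return findings


# Constructed sample lines (RFC 5737 documentation addresses, not real hosts).
DISTRIBUTED = [
    "Jun 17 23:02:03 pro sshd[17444]: Invalid user mailer from 192.0.2.10",
    "Jun 17 23:03:24 pro sshd[17460]: Invalid user mailer from 198.51.100.7",
    "Jun 17 23:05:27 pro sshd[17617]: Invalid user mailman from 203.0.113.3",
    "Jun 17 23:09:30 pro sshd[17639]: Invalid user mailtest from 192.0.2.77",
    "Jun 17 23:15:44 pro sshd[17894]: Invalid user maker from 198.51.100.42",
    "Jun 17 23:16:47 MyHost sshd[17925]: error: PAM: authentication error "
    "for illegal user mama from 203.0.113.9",
]
SINGLE_SOURCE = [
    "Jun 18 01:00:01 pro sshd[201]: Invalid user oracle from 192.0.2.200",
    "Jun 18 01:00:02 pro sshd[203]: Invalid user admin from 192.0.2.200",
    "Jun 18 01:00:03 pro sshd[205]: Invalid user test from 192.0.2.200",
    "Jun 18 01:00:04 pro sshd[207]: Invalid user guest from 192.0.2.200",
    "Jun 18 01:00:05 pro sshd[209]: Invalid user backup from 192.0.2.200",
]
WEAK_CONFIG = "Port 22\nPermitRootLogin yes\n#PasswordAuthentication no\n"
HARDENED_CONFIG = ("Port 2222\nPermitRootLogin no\nPasswordAuthentication no\n"
                   "AllowGroups sshusers\nMatch User git\n"
                   "  PasswordAuthentication yes\n")

if __name__ == "__main__":
    print("distributed:", assess(DISTRIBUTED))
    print("single source:", assess(SINGLE_SOURCE))
    print("weak config:", audit_sshd_config(WEAK_CONFIG))
    print("hardened config:", audit_sshd_config(HARDENED_CONFIG))
```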


2010-06-24, 14:45

(More) Asprox SQL injection attacks
- http://www.m86security.com/labs/i/Another-round-of-Asprox-SQL-injection-attacks,trace.1366~.asp
June 23, 2010 - "... we noticed reports of mass infections of IIS/ASP websites. The nature of these attacks reminded us of SQL injection attacks back in 2008 where Asprox was clearly involved. We suspected that the re-emergence of Asprox and these new mass website infections were not merely a coincidence. Well, this week our suspicions were confirmed when we came across another version of Asprox which started to launch both spam and SQL injection attacks. As of this writing, there are three fast-flux domains that the bot attempts to contact.
These domains resolve to Asprox's control servers, which respond with spam templates, target email addresses, Asprox malware updates, as well as SQL injection attack information and lists of target ASP websites. When analyzing the new Asprox binary that we pulled from the command and control server, we noticed some interesting clues that show that Asprox is behind the latest SQL injection attacks... The Asprox bot downloads an encrypted XML file that contains a list of target ASP websites and some other information such as a Google search term to search more potential targets... So Asprox is back with a vengeance, and doing its typically Asprox-like things, namely spamming and SQL injection..."


2010-06-29, 13:12

Botnet has offspring...
- http://www.theregister.co.uk/2010/06/29/kraken_botnet_resurgence/
29 June 2010 - "The Kraken botnet, believed by many to be the single biggest zombie network until it was dismantled last year, is staging a comeback that has claimed almost 320,000 PCs, a security researcher said. Since April, this son-of-Kraken botnet has infected an estimated 318,058 machines - about half as big as the original Kraken was at its height in the middle of 2008, according to Paul Royal, a research scientist at the Georgia Tech Information Security Center. Like its predecessor, the new botnet is a prodigious generator of spam, with a single machine with average bandwidth able to send more than 600,000 junk mails per hour... To evade detection, they use as many as 1,200 unique malware variants. One widely used strain was flagged by just 50 per cent of AV last week, according to this VirusTotal analysis*... The latest Kraken uses domain names offered by dynamic DNS services to corral its bots into command and control channels. Because the addresses are extensions of legitimate domain names, it prevents them from being shut down by registrars..."
* http://www.virustotal.com/analisis/027bfe4653c7c017aba7b1327de63175808e324ff3a3c7070c9536b52931337c-1277172595
File 07d2421a836b3e943d75917a69bd98ae received on 2010.06.22 02:09:55 (UTC)
Result: 21/41 (51.22%)


2010-07-03, 16:09

Zeus trojan regionally-targeted...
- http://www.theregister.co.uk/2010/07/01/regional_trojan_threat/
1 July 2010 - "Cybercrooks have developed regionally-targeted banking Trojans that are more likely to slip under the radar of anti-virus defences. Detection rates for regional malware vary between zero and 20 per cent, according to a study by transaction security firm Trusteer. This company markets browser security add-ons to banks, which offer them to consumers as a way of reducing the risk of malware on PCs resulting in banking fraud. Trusteer cites two pieces of regional malware targeted at UK banking consumers. Silon.var2, crops up on one in every 500 computers in the UK compared to one in 20,000 in the US. Another strain of malware, dubbed Agent-DBJP, was found on one in 5,000 computers in the UK compared to one in 60,000 in the US. The Zeus Trojan is the most common agent of financial fraud worldwide. The cybercrime toolkit is highly customisable and widely available through underground carder and cybercrime forums. Trusteer has identified two UK-specific Zeus botnets, designed to infect only UK-based Windows and harvest login credentials of only British banks from these compromised systems..."

More Zeus...
- http://blog.trendmicro.com/zeuszbot-targets-russian-banks/
July 5, 2010 - "... this specific sample targeted several banks around the globe, including Russian banks... This ZeuS/ZBOT sample also targeted banks found in Germany, the United States, the United Kingdom, Poland, the Netherlands, Italy, Spain, France, Belarus, Bulgaria, Australia, Ireland, the United Arab Emirates, Turkey, and New Zealand..."


2010-07-06, 21:36

Botnet size and Lies, Damn Lies...
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100705
July 05, 2010 - "... If one looks at the targets of online crime, it's hard to draw trends but we can make a few educated guesses. In general, they're targets of opportunity. These days, large companies and financial institutions are actually a reasonably high bar for your average online criminal. Reading reports by Brian Krebs*, the majority of known and reported business victims of online theft are on the smaller side. There are two reasons for this:
1) they tend not to view information security as a high priority, thus making them easier targets and
2) there's more of them and they simply get caught up in widespread mass campaigns.
Don't get caught up in "which is the biggest botnet". Worry about how the botnet is being used. Worry that it's being used to steal money from mom and pop companies who don't stand a chance."

(Charts and more detail available at the Shadowserver URL above.)

* http://krebsonsecurity.com/category/smallbizvictims/


2010-07-08, 13:32

GootKit - site infections
- http://www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp
June 30, 2010 - "... attackers do not infect hundreds of web pages by hand, they use a script or a botnet to do the work for them. Some examples of this are Asprox and Gumblar, which are known for doing mass web site infections, Asprox via SQL injection and Gumblar by using stolen FTP credentials. One other such bot is known as GootKit. We came across this bot when it was installed on one of our test machines by a malicious downloader, along with a host of other malware. Most of Gootkit’s functions are implemented in scripts that are downloaded as tasks from a control server... We are unsure exactly how the control server obtained all of the FTP credentials, but most often these are stolen via keyloggers and information stealing malware installed on a website administrator's PC. Gootkit is another example that highlights the highly automated systems that attackers are using to infect web pages en masse. These systems are underpinned and driven by botnets, which give the scalability and anonymity that the cybercriminals desire."


2010-07-13, 12:51

Zeus v3 in the wild...
- http://www.theregister.co.uk/2010/07/13/zeus_goes_local/
13 July 2010 - "Hackers have created a new version of the Zeus crimeware toolkit that's designed to swipe bank login details of Spanish, German, UK and US banks. The malware payload, described by CA as Zeus version 3, is far more selective in the banks it targets. Previous versions targeted financial institutions around the world while the latest variant comes in two flavours: one that only targets banks in Spain and Germany, and a second that only targets financial institutions in the UK and US. In addition the latest version of Zeus contains features that make it far harder for security researchers to figure out what the malware is doing. Zombie drones on the Zeus botnet operate on a need to know basis, CA explains*... Command and control systems associated with the bot are "mostly hosted in Russia", according to CA..."
* http://community.ca.com/blogs/securityadvisor/archive/2010/07/12/zeus-version-3-target-spain-germany-uk-and-usa-banks.aspx


2010-08-03, 10:19

Mumba botnet campaign
- http://www.theinquirer.net/inquirer/news/1725904/cybercrimals-thousands-mumba-botnet
Aug 02 2010 - "... the Mumba botnet malware has infected 55,000 PCs around the world. Apparently the botnet has been responsible for stealing up to 60GB of personal data. The compromised data includes bank account details and credit card numbers. The US has suffered the lion's share of the hack with 33 per cent of infected systems, Germany comes in second with 17 per cent, Spain has 7 per cent and the UK 6 per cent while Mexico and Canada each have 5 per cent... the hackers specifically targeted the US in the malware attacks, possibly because it's a bigger target. The Mumba botnet was developed by the Avalanche Group to maximise the number of malware attacks and it uses the latest version of Zeus...."

- http://www.theregister.co.uk/2010/08/02/mumba_botnet_infiltrated/
2 August 2010


2010-08-04, 15:34

Zeus2 botnet takedown in UK...
- http://www.theregister.co.uk/2010/08/04/zeus2_botnet_pwns_brit_pcs/
4 August 2010 - "Security researchers have uncovered the command and control network of a Zeus 2 botnet sub-system targeted at UK surfers that controlled an estimated 100,000 computers. Cybercrooks based in eastern Europe used a variant of the Zeus 2 cybercrime toolkit to harvest personal data - including bank log-ins, credit and debit card numbers, bank statements, browser cookies, client side certificates, and log-in information for email accounts and social networks - from compromised Windows systems. Trusteer researchers identified the botnet's drop servers and command and control centre before using reverse engineering to gain access to its back-end database and user interface. A log of IP addresses used to access the system, presumably by the cybercrooks that controlled it, was passed by Trusteer onto the Metropolitan Police... The original attack was probably seeded by a combination of infected email attachments and drive-by downloads, according to Amit Klein, Trusteer's chief technology officer. The Windows-based malware used to control zombie clients was a variant of the infamous Zeus cybercrime toolkit, a customisable Trojan keylogger and botnet-control client sold through underground forums that's become the sawn-off shotgun of the cybercrime economy over recent years..."
- http://www.trusteer.com/company/trusteer-in-the-news/2010


2010-08-06, 14:47

Conficker -still- 6 million strong...
- http://www.theregister.co.uk/2010/08/05/conficker_analysis/
5 August 2010 - "The unknown crooks behind the infamous Conficker worm may be quietly selling off parts of the huge botnet established by the malware, but virus fighters have no way of knowing because the cryptographic defences of its command and control network have proved uncrackable... The Conficker Working Group* constantly monitors the IP addresses of infected machines as they check into sink holes. Many enterprises associated with infections drop off the radar only to return days or weeks later, probably as the result of the application of infected backups that have not been purged of malware. Utilities such as Microsoft's Malicious Software Removal Tool, effective in cleaning up other infections, have proved ineffective against Conficker because software security updates get disabled on compromised machines..."
* http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking

Conficker Eye Chart
- http://www.confickerworkinggroup.org/infection_test/cfeyechart.html


2010-08-11, 19:46

Zeus botnet raid on UK bank accounts...
- http://sunbeltblog.blogspot.com/2010/08/security-lessons-in-zeus-botnet-raid-on.html
August 11, 2010 - "The well-read UK security news site The Register is carrying a story detailing how the operators of the Zeus botnet planted their sophisticated malware on thousands of UK bank customers’ computers, stole log-in information then raided the accounts for more than $1 million with the help of money mules. Bradley Anstis, vice president of technical strategy for M86 Security, which discovered the attack several weeks ago, told The Register that his company is providing information to the bank involved as well as law enforcement officials. He said M86 identified the botnet's command and control server - hosted in Moldova - and downloaded log files from it. “It also found that the exploit pack used to seed the attack had claimed a much larger number of victims - as many as 300,000 machines. The vast majority were Windows boxes, but 4,000 Mac machines were also hit. The logs also revealed that 3,000 online banking accounts had been victimised between 5 July and 4 August alone,” The Register* said..."
* http://www.theregister.co.uk/2010/08/11/zeus_cyberscam_analysis/

- http://www.m86security.com/labs/i/Customers-of-Global-Financial-Institution-Hit-by-Cybercrime,trace.1431~.asp
August 10, 2010 - "... new Zeus v3 Trojan"

- http://www.m86security.com/labs/i/Statement-About-Infection-of-Macs-by-ZeuS,trace.1433~.asp
Last Reviewed: August 13, 2010 - "... to clarify our recent paper does -not- report on any ZeuS infections of computers running the Mac OS."


2010-08-13, 12:31

Botnet floods net with SSH attacks
- http://www.theregister.co.uk/2010/08/12/server_based_botnet/
Updated - 12 August 2010 - "A server-based botnet that preys on insecure websites is flooding the net with attacks that attempt to guess the login credentials for secure shells protecting Linux boxes, routers, and other network devices. According to multiple security blogs, the bot compromises websites running outdated versions of phpMyAdmin. By exploiting a vulnerability patched in April*, the bot installs a file called dd_ssh, which trawls the net for devices protected by the SSH protocol... In addition to posing a threat to unpatched websites and SSH-protected devices, the attacks are also creating headaches for large numbers of non-vulnerable sites... this SANS Diary post** reports having success in warding off the attacks with DenyHosts***, an open source script that pools IP blacklists from more than 70,000 users. A better countermeasure still is to configure SSH devices to use a cryptographic key, something that is orders of magnitude harder to brute-force than a simple password..."

* http://www.debian.org/security/2010/dsa-2034

** http://isc.sans.edu/diary.html?storyid=9370
Last Updated: 2010-08-12 09:31:57 UTC ...(Version: 5)

*** http://denyhosts.sourceforge.net/

- http://www.theregister.co.uk/2010/08/13/waledac_zombie_attacks_return/
Posted in Spam, 13 August 2010 - "Updated Update: Trend Labs has reclassified the malware as a Bredolab variant instead of Waledac. That means the central premise of our original story - that Waledac is back from the grave - is wrong...
Attacks designed to draft new recruits into the infamous Waledac spambot network are back from the dead, months after the zombie network was effectively decapitated... The Microsoft-led operation was rightly hailed as a big success but did nothing to clean up an estimated 90,000 infected bot clients even though it stemmed the tide of spam from these machines. Left without spam templates or instructions, these machines have remained dormant for months. However, over recent weeks, the botnet is making a comeback of sorts. Spammed messages containing malicious attachments harbouring Waledac agents and disguised as tax invoices or job offers and the like have begun appearing, Trend Micro warns*. The same run of spam messages is also being used to spread fake anti-virus and other scams unrelated to Waledac, and there's no sign that a new command and control structure, much less a fresh round of spamming, has begun..."
* http://blog.trendmicro.com/waledac-still-spreading-via-malicious-attachments
UPDATE: Following deeper analysis of this threat by senior threat researchers, TrendLabs has reclassified the malware used in this attack as a BREDOLAB variant (detected as TROJ_BREDOLAB.JA) instead of WALEDAC. An unfortunate combination of human and machine errors led to the mislabeling of this threat as WALEDAC. Apologies for the confusion...
Aug. 12, 2010 - "... In the past few weeks, there has been something of an increase in the number of spammed messages delivering malicious attachments to users..."


2010-08-23, 12:03

Pushdo botnet pushing SPAM w/malware
- http://www.m86security.com/labs/i/Malicious-Spam-on-the-Increase,trace.1486~.asp
Last Reviewed: August 18, 2010 - "... We are currently seeing increased levels of spam-borne malware. Our figures over the last three months show an increasing trend in the proportion of malicious spam. In the week ending 8 August, this figure spiked to over 6% of spam, or in other words, 6 out of every 100 spam messages... The vast majority of it can be traced back to one spam botnet family – Pushdo (or Cutwail). This botnet is a prolific and multi-faceted spammer, and has historically been very active in malicious spam campaigns. Every day we observe it spamming out emails with malicious attachments, or, less often, with URL links to malicious web pages... The actual malware also changes often. Depending on the anti-virus vendor, many different names are assigned to these downloaders, including Bredolab, Oficla, and Sasfis to name just a few. In a sense, the name is unimportant. The job of the downloader is to reach out to the web to download and install more malware. Most commonly, we see fake AV, spambots and data stealers like Zbot being downloaded and installed in this second stage of infection... The gang behind Pushdo have this system down to a fine art. Our guess is that they are affiliated to one or more pay-per-install schemes, where they get rewarded for each successful install of the different types of malware they spread around."

(Screenshots and more detail available at the URL above.)


2010-08-28, 11:57

Pushdo Botnet crippled
- http://labs.m86security.com/2010/08/pushdo-spambot-crippled/
August 27, 2010 - "This morning we noticed that the usual torrent of spam from the Pushdo (or Cutwail) botnet had turned into a dribble... It turns out that the folks at TLLOD* have been busy analyzing Pushdo command and control servers, and coordinating their take down. According to their blog*, over 30 Pushdo control servers were identified and 20 were taken down with the help of the relevant hosting providers. However, there still remain a few active control servers serving up spamming data... this coordinated takedown has had an immediate impact on Pushdo’s spam output. This is welcome news indeed, especially as Pushdo has been responsible for wave after wave of malicious spam campaigns in recent months. Still, we must sound a note of caution. Previous experience has taught us that these botnet take downs are short lived. Disabling control servers does not incapacitate the people behind the botnet. It is highly likely they’ll be back before long with new control servers, and bots to do their spamming. In the meantime, we can enjoy a few days with less spam about."
* http://blog.tllod.com/2010/08/26/insights-into-the-pushdocutwail-infrastructure/

Pushdo Spam volume graphic
- http://labs.m86security.com/wp-content/uploads/2010/08/pushdo_stats.png

Pushdo Botnet Crippled – II
- http://labs.m86security.com/2010/09/pushdo-botnet-crippled-ii/
September 9th, 2010

- http://www.m86security.com/labs/spam_statistics.asp
Statistics for Week ending September 12, 2010


2010-09-09, 12:29

Waledac and Operation b49 update...
- http://blogs.technet.com/b/mmpc/archive/2010/09/08/an-update-on-operation-b49-and-waledac.aspx
8 Sep 2010 - "... Microsoft’s Digital Crimes Unit, in partnership with Microsoft’s Trustworthy Computing team and the Microsoft Malware Protection Center, undertook a combination of technical measures and previously untried legal techniques to disrupt and control the Waledac botnet. It was apparent from our own and from independent telemetry that the technical measures were successful, and today we are providing an update on the novel legal aspects of this approach. Our intent with this approach was to both disable the command and control infrastructure of the botnet so that new commands could not be issued to the computers which were still infected with the malware and to maintain that control in the long term while working within the law. To date, we have seen virtually no reemergence of Waledac traffic. This puts the Waledac takedown among a very few successful efforts to shut down a botnet without having it re-emerge... As you may have seen in USA Today* this morning, Judge Anderson has indicated that he recommends that the court grant our request and permanently transfer ownership of the 276 domains used for command and control of the Waledac botnet to Microsoft... Anyone who believes that they may be infected can find support and information and other resources (including no-cost tools to clean the computer) at http://support.microsoft.com/botnets ... Operation b49 is the first initiative in the larger Project MARS (Microsoft Active Response for Security)... more to come. You can read more about today’s news on the Official Microsoft Blog.**"
* http://www.usatoday.com/tech/news/2010-09-08-botnets08_ST_N.htm

** http://blogs.technet.com/b/microsoft_blog/archive/2010/09/08/r-i-p-waledac-undoing-the-damage-of-a-botnet.aspx

- http://support.microsoft.com/contactus/cu_sc_virsec_b49


2010-09-13, 23:29

Prolific DDoS Bot targeting many industries
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100913
13 September 2010 - "... I've been watching a DDoS group that has been attacking a wide variety of victims in several different countries. This group uses the BlackEnergy botnet to carry out its attacks. The Command and Control servers are using the following domains:
* globdomain.ru
* greenter.ru ...
As of this post, globdomain.ru is on and greenter.ru is on While we don't wish to individually list all the DDoS victims, we do want to break it down by industry and country to give an idea of the breadth of the attacks. Since mid 2010, the DDoS attack victims were distributed among various industries including:
DDoS Industry Victims ...
DDoS Victim Countries ...
Shadowserver is in the process of notifying the various global CERT teams, Law Enforcement, as well as the victims themselves."
(More detail at the Shadowserver URL above.)

- http://asert.arbornetworks.com/2010/09/critical-voices-ddosed-in-malaysia-and-elsewhere/
September 13th, 2010 - "... Black Energy botnets..."


2010-09-17, 21:57

SpyEye botnet kit...
- http://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/
September 17, 2010 - "Miscreants who control large groupings of hacked PCs or “botnets” are always looking for ways to better monetize their crime machines, and competition among rival bot developers is leading to devious innovations. The SpyEye botnet kit, for example, now not only allows botnet owners to automate the extraction of credit card and other financial data from infected systems, but it also can be configured to use those credentials to gin up bogus sales at online stores set up by the botmaster... All of the other software sales and distribution systems coded into the SpyEye bot kit are entities operated by Digital River..."


2010-09-24, 20:00

Botnet and Zeus activities - reduced
- http://hostexploit.com/blog/4-current-events/3517-demand-media-sees-off-botnet-and-zeus-activities.html
19 September 2010 - "... adverse publicity that followed HostExploit’s report naming Demand Media as #1 ‘Bad Host’ in the world. Swift action appears to have been taken as eNom - Demand Media’s domain Registrar arm - has shown signs of a dramatic reduction in the number of malicious activities hosted. HostExploit is pleased to report that in the past 7 days, well-known botnet command & control (C&C) servers present on eNom-hosted sites have finally been taken offline... We have been monitoring closely the past few weeks for signs of improvement in eNom’s hosting via our malicious host activity tracking tool, SiteVet, which quantifies badness levels into a "HE Index". We began to see signs of some malicious activity dropping off... In particular, C&Cs for the popular Zeus botnet fell to zero... having been as high as 23 in the preceding weeks... FIRE also shows a drop in C&Cs at around the same time..."

- http://asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/
Sep. 22, 2010
- http://blog.trendmicro.com/new-azvhan-bot-family-revealed/
Sep. 24, 2010


2010-10-15, 12:15

Over 2 million botnet U.S. PCs cleaned ...
- http://news.cnet.com/8301-1009_3-20019602-83.html
October 14, 2010 - "More than 2 million PCs in the U.S., or 5.2 out of every 1,000, were recruited into botnets during the second quarter of 2010, according to a Microsoft report... The company's ninth and latest Security Intelligence Report* tracked the spread of botnets and malware infections detected and removed throughout the world during the first and second quarters of the year. The sheer number of infected PCs found and cleaned up by Microsoft (via MSRT) in the U.S. in the second quarter was the highest in the world. But the percentage of infected PCs was greater elsewhere... Among the botnets that plagued computer users during the second quarter, Win32/Rimecud was the most active, with almost 70 percent more detections than the next most common family of botnets. Rimecud was the main malware family responsible for the Mariposa botnet..."
* http://www.microsoft.com/security/sir/default.aspx

> http://www.microsoft.com/security/assets/images/_security/sir/story/fig_14.jpg


2010-10-22, 15:12

Botnet superhighway...
- http://blogs.technet.com/b/mmpc/archive/2010/10/21/the-botnet-superhighway.aspx
21 Oct 2010 - "... By Q2 of this year, one out of every three infected machines was part of a botnet. So, if you've been hit by any malware recently, there's a 33% chance that it was by a bot, or that a bot was installed on your machine in addition to that malware... Most bot families, including Win32/Alureon, Win32/Hamweq, and Win32/IRCbot, are capable of downloading and executing arbitrary files, which may be configured to be malware. Because the downloaded threat is distinct from the bot itself, removing the threat installed by the bot doesn't stop the damage, because the bot can simply install something new after the other threat was removed... In addition to installing other threats, botnets are known to spread malicious messages via, for example, email and Instant Messaging (IM), including spam and phishing. These messages may also contain a link to a website that hosts malware or that performs a drive-by download... because of their networked and often organized structure, they allow malicious and illegal activities to be performed at a scale that has not been seen before..."
* http://www.microsoft.com/security/sir/story/default.aspx#section_1


2010-10-26, 12:47

Bredolab botnet takedown...
- http://www.theregister.co.uk/2010/10/26/bredolab_botnet_takedown/
26 October 2010 - "Dutch police and net security organisations have teamed up to dismantle many of the command and control servers associated with the Bredolab botnet. The Bredolab Trojan, which has spyware components that allow criminals to capture bank login details and other sensitive information from compromised machines, has infected an estimated 30 million computers worldwide since its emergence in July 2009. Infected machines remain pox-ridden but the command system associated with the cybercrime network has been decapitated, following an operation led by hi-tech police in The Netherlands. The Dutch Forensic Institute NFI, net security firm GOVCERT.NL and the Dutch computer emergency response team assisted in the operation which involved the takedown of 143 servers associated with the botnet..."


2010-10-29, 14:15

Bredolab... undead
- http://www.theregister.co.uk/2010/10/29/bredolab_botnet_death_throes/
29 October 2010 - "... An operation led by the Dutch police led to the takedown of 143 command and control servers associated with the information-stealing botnet, estimated to have infected 30 million computers worldwide... Despite all this, at least two botnet command nodes remain active. The remaining infected nodes that dial into these nodes in Kazakhstan and Russia will be interacted to download a fake anti-virus package called Antivirusplus and distribute spam, respectively. Both domains remain active at the time of writing, although a third command and control node in Russia, which flickered alive earlier this week, appears to have gone inactive. A detailed blog post by net security firm FireEye* concludes that a portion of the Bredolab botnet remains active. It reckons a second group of bot herders are issuing new instructions through various domains to the remaining population of zombie drones in the Bredolab botnet. These cybercrooks are either using leaked copies of Bredolab code to build and maintain their own botnet or they are continuing to use portions of Bredolab that they had previously rented from the primary hacker..."
* http://blog.fireeye.com/research/2010/10/bredolab-severely-injured-but-not-dead.html


2010-10-29, 14:42

2Q-2010: Bot infection rates by country/region
- http://www.microsoft.com/security/portal/blog-images/SIR-Figure15-bot-heatmap.png
29 Oct 2010
- http://blogs.technet.com/b/mmpc/archive/2010/10/29/ccm-our-threat-indices-in-the-security-intelligence-report.aspx

Vecebot trojan analysis
- http://www.secureworks.com/research/threats/vecebot/
October 28, 2010 - "... Attack data from one of the victims shows the botnet created by Vecebot to be somewhere between 10,000 and 20,000 infected hosts. The distribution by country shows the significant portion of the botnet is comprised of computers within Vietnam* ... The current list of target URIs in the remote configuration file is:
vanganhnews.multiply.com/journal/item/{RND 500 550}
www.boxitvn.net/bai/{RND 10000 11000}
These sites are all blogs or forums that contain content critical of the Vietnamese Communist Party or recent developments concerning bauxite mining operations being carried out in the country by China... Whatever the circumstances surrounding the creation of Vecebot, it is clear that the purpose of the botnet is to silence critics of the Vietnamese political establishment where their voices might reach beyond the borders of Vietnam."
* http://www.secureworks.com/research/threats/vecebot/vecebot1.gif
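As an added example (not SecureWorks' code), the following matches web-server requests against the Vecebot target templates quoted above, so a site operator can see how many distinct sources are hitting the templated URI range. The `{RND lo hi}` parsing, log format and log lines are constructed assumptions.

```python
"""Match web-server requests against Vecebot-style target templates.

Added example, not SecureWorks' code. The two templates below are the ones
quoted in the SecureWorks write-up; the log lines are constructed samples.
"""
import re
from collections import defaultdict

TARGET_TEMPLATES = [
    "vanganhnews.multiply.com/journal/item/{RND 500 550}",
    "www.boxitvn.net/bai/{RND 10000 11000}",
]

RND = re.compile(r"\{RND (\d+) (\d+)\}")

def compile_template(template):
    """Turn '{RND lo hi}' placeholders into (\\d+) groups plus range checks."""
    pattern, ranges, pos = "", [], 0
    for m in RND.finditer(template):
        pattern += re.escape(template[pos:m.start()]) + r"(\d+)"
        ranges.append((int(m.group(1)), int(m.group(2))))
        pos = m.end()
    pattern += re.escape(template[pos:])
    return re.compile("^" + pattern + "$"), ranges

def is_target(host, path, compiled):
    """True when host+path matches the template and every number is in range."""
    regex, ranges = compiled
    m = regex.match(host + path)
    return bool(m) and all(lo <= int(v) <= hi
                           for v, (lo, hi) in zip(m.groups(), ranges))

# Constructed log format: client_ip host "METHOD path HTTP/x.y" status
LOG_RE = re.compile(r'^(\S+) (\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})$')

SAMPLE_LOG = """\
198.51.100.1 vanganhnews.multiply.com "GET /journal/item/503 HTTP/1.1" 200
198.51.100.2 vanganhnews.multiply.com "GET /journal/item/517 HTTP/1.1" 200
198.51.100.3 vanganhnews.multiply.com "GET /journal/item/550 HTTP/1.1" 200
198.51.100.4 vanganhnews.multiply.com "GET /journal/item/500 HTTP/1.0" 200
198.51.100.5 vanganhnews.multiply.com "GET /journal/item/521 HTTP/1.1" 503
198.51.100.6 vanganhnews.multiply.com "GET /journal/item/499 HTTP/1.1" 200
203.0.113.9 vanganhnews.multiply.com "GET /about HTTP/1.1" 200
203.0.113.10 www.boxitvn.net "GET /bai/10042 HTTP/1.1" 200
203.0.113.11 www.boxitvn.net "GET /bai/10999 HTTP/1.1" 200
203.0.113.12 www.boxitvn.net "GET /bai/12000 HTTP/1.1" 404
"""

def template_hits(log_text, templates=TARGET_TEMPLATES):
    """Map each template to the set of client IPs whose requests match it."""
    compiled = [(t, compile_template(t)) for t in templates]
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, host, path, _status = m.groups()
        for template, comp in compiled:
            if is_target(host, path, comp):
                hits[template].add(ip)
    return dict(hits)

if __name__ == "__main__":
    for template, ips in template_hits(SAMPLE_LOG).items():
        print(f"{len(ips):3d} distinct sources -> {template}")
```

Requests whose number falls outside the `{RND ...}` range (item 499, bai 12000) are not counted, which keeps ordinary traffic to neighbouring pages out of the tally.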


2010-11-05, 19:22

Zeus 2.1 defeats MSRT...
- http://news.techworld.com/security/3247546/zeus-trojan-defeats-microsoft-security-tool/
5 November 10 - "... According to Trusteer, MSRT detected and removed Zeus version 2.0 about 46 percent of the time in its tests, but failed to spot updated versions which are now circulating... Depending on when the test was conducted, it is not surprising that the MSRT does not detect the latest Zeus variants. The software is updated only once per month, which limits its scope compared to rival tools... Trusteer also markets a rival anti-Zeus approach with its free Rapport plug-in*, which sets out to block it through the browser..."
* http://www.trusteer.com/webform/download-rapport


2010-11-13, 03:22

Koobface on Facebook - report
- http://krebsonsecurity.com/2010/11/pursuing-koobface-and-partnerka/
November 12, 2010 - "... detailed analysis (PDF)* of “Koobface,” a huge network of hacked computers that are compromised mostly by social engineering scams spread among users of Facebook.com (Koobface is an anagram of “Facebook”). As the report describes in great detail, the Koobface infrastructure is a crime machine fed by cyber criminal gangs tied to a variety of moneymaking schemes involving Web browser search hijacking and the installation of rogue anti-virus software. This report traces the trail of Koobface activity back through payments made to top criminal partners — known as Partnerka (PDF)** — a mix of private and semi-public affiliate groups that form to facilitate coordinated malware propagation... The report lists the nicknames of top Koobface affiliates, showing the earnings for each over the past year and the Web addresses of their associated affiliate programs***. This is the kind of intelligence that — if shared broadly — has the potential to massively disrupt large scale criminal operations, because cybercrime researchers can use it to make sense of seemingly disparate pieces of information about criminal actors and groups... efforts to disconnect the physical and network control infrastructure... against Koobface is in the works... Stay tuned."
* http://www.infowar-monitor.net/reports/iwm-koobface.pdf

** http://www.sophos.com/security/technical-papers/samosseiko-vb2009-paper.pdf

*** http://krebsonsecurity.com/wp-content/uploads/2010/11/koobaffiliates.jpg

**** http://www.mcafee.com/us/local_content/misc/threat_center/articles/summer2010/msj_article02_take_the_fight_to_the_enemy.pdf


2010-11-15, 13:57

Koobface take down...
- http://www.pcworld.com/businesscenter/article/210608/researchers_take_down_koobface_servers.html
Nov 13, 2010 - "Security researchers, working with law enforcement and Internet service providers, have disrupted the brains of the Koobface botnet. Late Friday afternoon, Pacific Time, the computer identified as the command-and-control server used to send instructions to infected Koobface machines was offline... Coreix took down the servers after researchers contacted U.K. law enforcement... The takedown will disrupt Koobface for a time, but for any real effect, much more will have to happen. Machines that are infected by Koobface connect to intermediary servers - typically Web servers that have had their FTP credentials compromised - that then -redirect- them to the now-downed command and control servers. Friday's takedown is part of a larger operation that first started two weeks ago. Villeneuve and his team have notified the ISPs about the compromised FTP accounts, and they've also tipped off Facebook and Google to hundreds of thousands of Koobface-operated accounts. The Facebook accounts are used to lure victims to Google Blogspot pages, which in turn -redirect- them to Web servers that contain the malicious Koobface code. Victims are usually promised some interesting video on a page designed to look like YouTube. But first they must download special video software. That software is actually Koobface. Koobface includes several components, including worm software that automatically tries to infect Facebook friends of the victims, and botnet code that gives the hackers remote control of the infected computer... The gang's creators would use their hacked computers to register more Gmail, Blogspot and Facebook accounts and steal FTP (File Transfer Protocol) passwords. They also messed up their victims' search results to trick them into clicking on online ads, generating referral money from advertising companies. More cash came from fake antivirus software that Koobface can sneak onto victims' PCs. 
Almost exactly half of Koobface's income - just over $1 million - came from the fake antivirus software. The other half came from online advertising fees... They have identified 20,000 -fake- Facebook accounts; 500,000 -fake- Gmail and Blogspot accounts, and thousands of compromised FTP accounts used by the gang..."

- http://www.theregister.co.uk/2010/11/15/koobface_take_down/
15 November 2010


2010-11-16, 18:49

SpyEye - more than 270,000 infections
- http://labs.m86security.com/2010/11/changing-battlefield/
November 15, 2010 - "... A few months ago, the M86 Security Lab team discovered another SpyEye C&C server targeting one of the largest American banks. As part of the internal M86 disclosure policy, we contacted the bank to provide the detailed information we had discovered... In this particular case of malicious activity, the SpyEye Trojan’s “install base” included more than 270,000 infections. The bank eventually confirmed that more than 200 bank accounts had been compromised... Based on several recent cases, I can verify that the banks have begun to take this information much more seriously. First, they’ve educated themselves on banking Trojans - a refreshing change. Second, they are ready to co-operate and convey a willingness to further investigate the information provided. For example, the SpyEye case mentioned above, was a process that took less than a month with the bank. At the conclusion of the case, we received complementary information that was confirmed by the bank. Without the pretense for accurate statistics, the behavioral changes of the banks is significant, and is a result of the losses the banks suffered, and continue to suffer, as result of this new type of Banker Trojans activity. Success of Zeus and SpyEye have caused numerous copycats to appear, such as the new Bugat, Carberp, and latest Feodo Trojans. The war that the banks were engaged in at the birth of Cybercrime has become increasingly sophisticated. Given the new battle landscape, banks have begun to re-group their efforts in fighting back."

- http://www.mcafee.com/us/local_content/reports/q32010_threats_report_en.pdf
2010-Q3 report pg. 5 - "...we see on average about 6,000,000 new botnet infections per month..."


2010-11-25, 18:52

Kroxxu botnet infects 100K domains...
- http://www.avast.com/pr-avast-kroxxu-botnet-infects-100000-domains-without-a-money-trail
November 18, 2010 - "... During the last twelve months, avast! Virus Lab researchers have covered the steady growth and structure of the Kroxxu bot network, an innovative self-generating network of password-stealing malware. This extensive botnet has around 100 thousand infected domains and has likely infected more than 1 million users around the world... Kroxxu is focused exclusively on stealing FTP passwords. Unlike its predecessor Gumblar and the traditional botnet, Kroxxu’s expansion is completely based on infected websites – not individual PCs. Stolen passwords enable Kroxxu’s owners add a simple script tag to the original website content, making it possible to upload and modify files on infected servers and spread the net to other servers around the globe. If stacked up in a layered pyramid structure, avast! Virus Lab estimates that the Kroxxu zombie network includes over 10,000 redirectors, 2,500 PHP redirectors, and an additional 700 plus malware distribution sites located worldwide, randomly connected and controlled from places hidden behind collectors. Redirection is central to Kroxxu’s ability to hide itself. The longest active connection found so far used 15 redirectors, passing the unsuspecting visitor through seven countries in three continents to the infectious exploits... 985 PHP redirectors and 336 malware distributors placed in the infected sites had survived more than three months without any attention from the side of the site owners or administrators. It seems that most administrators are ignoring or – more likely – absolutely unaware of the infection. Only the administrator or the owner of the hacked website is able to legally get rid of the infection..."
(More detail at the URL above.)


2010-12-06, 14:17

'Darkness' DDoS Bot
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20101205
December 05, 2010 - "... new DDoS bot that has been quite active over the past few weeks targeting a fairly large variety of websites... this is not the usual prolific BlackEnergy botnet, but a botnet called “Destination Darkness Outlaw System”(D.D.O.S), aka “Darkness”. As with BlackEnergy, “Darkness” is easy to purchase, easy to deploy, and is very effective and efficient in what it does. This particular version of “Darkness” is using the domains greatfull-toolss .ru and greatfull .ru for its command and control (C&C)... a third domain, hellcomeback .ru, was also utilized but is no longer available now. Since November 12 of this year, we have seen over 100 different hosts targeted by 'greatfull .ru'. Initially, the botnet's attacks seem localized and against various MU Online gaming sites, but eventually, it was seen targeting more high profile sites in the financial, insurance, cosmetics, clothing, accessories, and gifts industries.
The C&C - greatfull .ru and greatfull-toolss .ru are currently being hosted on which is: AS49089 - UA-DC / Nikultsev Aleksandr Nikolaevich. AS49089 is a small provider that only seems to be announcing the /24 netblock ... It has a single upstream which is AS49211 - SAASUA-AS SAAS Technologies Ltd. The current AS path is seen as: AS4777 > AS2516* > AS174 > AS42590 > AS49211 > AS49089 ...
Additional Observations - The hellcomeback .ru domain was registered on 10/10/2010. The greatfull .ru and greatfull-toolss .ru domains were registered on 11/3/2010. Having a three-headed C&C domain structure for this DDoS bot enables it to remain functional despite a takedown of any single domain or provider. It also allows for some additional correlation of the botnet operator to forum posts, ads, registrations, etc... Shadowserver continues to track 'greatfull .ru' and other 'Darkness' DDoS bots. We are also notifying the various global CERT teams, Law Enforcement, as well as the victims themselves..."
(More detail and graphics available at the Shadowserver URL above.)

* http://www.google.com/safebrowsing/diagnostic?site=AS:2516

- http://www.google.com/safebrowsing/diagnostic?site=AS:174

- http://www.google.com/safebrowsing/diagnostic?site=AS:49089

- http://www.theregister.co.uk/2010/12/07/darkness_botnet/
7 December 2010


2010-12-24, 09:25

Bredolab botnet/trojan ...review
- http://labs.m86security.com/2010/12/bredolab-trojan-%E2%80%93-malware-review/
December 23, 2010 - "Two months ago the Authorities in the Netherlands announced a massive botnet takedown of Bredolab Trojan*. However, Bredolab Trojan is still spreading malware on user’s machines... Once the malware is executed, it copies itself to a temp folder and injects code into “svchost.exe” process. It then generates a key and sends basic information... The bot wraps up the data and sends it to the command and control server... Bredolab (unlike the Zeus Trojan) doesn’t have local configuration files pre-generated by the malware operator. The Trojan operates like a Trojan Dropper; it receives the malware, saves it on the hard disk or in the memory according to the Trojan operator, and then loads it... Once the malware is successfully installed on the victims’ machine, it becomes much more complicated for AV companies to detect any activity committed by Bredolab Trojan. Looking closely at the traffic sent from the server to the victim shows how the downloaded executable is encrypted in a unique way for -each- machine, rendering AV pattern detection useless... even though instances of Bredolab Trojan still can be found in the wild and used by cybercriminals, it is expected that it will gradually decrease over time*."
* http://www.securelist.com/en/analysis/204792152/End_of_the_Line_for_the_Bredolab_Botnet

:sad: :fear: :mad:

2010-12-31, 02:47

Botnet for the Holidays... Storm 3.0?
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20101230
30 December 2010 - "... we noticed a new spam campaign that recently started. At first it looked like your regular old holiday e-card scams that have been around for years. However, upon closer inspection it looks like we could be dealing with the next generation of Storm Worm or Waledac. If you consider Waledac to be Storm Worm 2.0, this looks like it could be version 3.0. There are no real version numbers of course, but we don't have anything else to call it yet. What's it involve you ask? Well here's the list of what we've seen so far:
• Large scale Spam campaigns sending out e-mails with links
• New malicious domains that are fast flux! (TTL of 0 and name servers that frequently update IPs)
• Links are to several hacked websites hosting HTML pages that refresh to new malicious domains
• Links are also directly to new malicious domains
• Malicious domains hosting links to fake flash player and refreshes to exploit pages
• Malware installs that begin beaconing to several hosts over HTTP (what we dubbed HTTP2p with Waledac)
• Malware that's been updated to look a bit more like legitimate than past variants
• A very buggy network that is not often available (upstream devices not available)
• Changing/Updated binaries ...
Below you'll find a list of subjects we've seen and an example e-mail message. These are coming from all over the Internet with spoofed sender addresses.
Greeting for you!
Greeting you with heartiest New Year wishes
Greetings to You
Happy New Year greetings e-card is waiting for you
Happy New Year greetings for you
Happy New Year greetings from your friend
Have a happy and colorful New Year!
l want to share Greeting with you (Shadowserver note: the first letter is an L)
New Year 2011 greetings for you
You have a greeting card
You have a New Year Greeting!
You have received a greetings card
You've got a Happy New Year Greeting Card!...
We have not done any analysis to see if there are actually any pieces of the code that were directly taken or updated from the Storm Worm or Waledac code. However, whether or not the code is the same or not, this appears to be the next generation of Storm Worm and Waledac. We are just saying it could be Storm Worm 3.0, at least until someone gives it a better name."

- http://www.shadowserver.org/wiki/uploads/Calendar/mail-honda.png

- http://www.shadowserver.org/wiki/uploads/Calendar/mail-flux.png

- http://www.shadowserver.org/wiki/uploads/Calendar/website.png

> http://atlas.arbor.net/summary/fastflux
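An added example (not Shadowserver's code) of the fast-flux traits listed in the post above, scored over repeated lookups of a domain: a TTL of 0 on its own is not enough, the returned A records also have to keep changing. The domains, thresholds and DNS observations are constructed assumptions.

```python
"""Fast-flux heuristic over constructed DNS observations.

Added example, not Shadowserver's code. It scores each domain on the two
traits the post lists for the campaign's domains: TTLs at or near zero and
A-record sets that keep changing between lookups. The observations are
constructed sample data using documentation (RFC 5737) address ranges.
"""
from collections import defaultdict

TTL_LIMIT = 300      # seconds; at or below this counts as "very short TTL"
CHURN_LIMIT = 0.5    # average share of IPs that are new since the prior lookup
MIN_DISTINCT = 5     # total distinct IPs needed before we call it flux

# (domain, minutes since first lookup, TTL in seconds, A records returned)
OBSERVATIONS = [
    ("ecard-lure.test", 0, 0, ("198.51.100.10", "198.51.100.11", "203.0.113.5")),
    ("ecard-lure.test", 5, 0, ("198.51.100.12", "203.0.113.7", "192.0.2.30")),
    ("ecard-lure.test", 10, 0, ("192.0.2.31", "192.0.2.32", "198.51.100.13")),
    # short TTL but a stable pool: a load balancer, not flux
    ("lb-site.test", 0, 0, ("192.0.2.80", "192.0.2.81")),
    ("lb-site.test", 5, 0, ("192.0.2.81", "192.0.2.80")),
    ("static-site.test", 0, 3600, ("203.0.113.40",)),
    ("static-site.test", 5, 3600, ("203.0.113.40",)),
]

def analyse(observations):
    """Return per-domain {max_ttl, churn, distinct_ips, flagged}."""
    by_domain = defaultdict(list)
    for domain, minute, ttl, ips in observations:
        by_domain[domain].append((minute, ttl, frozenset(ips)))
    report = {}
    for domain, rows in by_domain.items():
        rows.sort()  # oldest lookup first
        max_ttl = max(ttl for _, ttl, _ in rows)
        distinct = set().union(*(ips for _, _, ips in rows))
        # churn: share of each lookup's IPs absent from the previous lookup
        fracs = [len(cur - prev) / len(cur)
                 for (_, _, prev), (_, _, cur) in zip(rows, rows[1:])]
        churn = sum(fracs) / len(fracs) if fracs else 0.0
        flagged = (max_ttl <= TTL_LIMIT and churn >= CHURN_LIMIT
                   and len(distinct) >= MIN_DISTINCT)
        report[domain] = {"max_ttl": max_ttl, "churn": round(churn, 2),
                          "distinct_ips": len(distinct), "flagged": flagged}
    return report

if __name__ == "__main__":
    for domain, r in analyse(OBSERVATIONS).items():
        print(f"{domain:18s} ttl<={r['max_ttl']:<5d} churn={r['churn']:.2f} "
              f"ips={r['distinct_ips']:2d} flux={r['flagged']}")
```

In practice the observations would come from passive DNS or a resolver log, and the thresholds would be tuned against known CDNs and load balancers before alerting on them.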