View Full Version : Pandemic of the botnets 2011

2011-01-13, 15:27

Waledac wakes up...
- http://community.websense.com/blogs/securitylabs/archive/2011/01/13/waledac-wakes-up-after-7-days-of-sleep.aspx
13 Jan 2011 - "... On Tuesday morning a new variant* of Waledac was distributed to members of the botnet. Yesterday it started spamming again, but now it's back to sending pharmaceutical spam promoting "the magic blue pill" which we have seen previous versions of Waledac do in the past. As in previous spam campaigns, the spammers are using redirections via compromised legitimate sites... The new spam campaign doesn't redirect to malicious content, just to spam content but that could change at any point if the people behind Waledac decides to grow the botnet. We have seen hundreds of different subjects being used in this campaign, here are some examples:
Wonderful revealing effect on your libido.
I dream u to be vigorous, dive into u dream this too
The most excellent way to satisfy her
Your gf wants your organ to be the finest worker of the year!
Want to act like a xxxstar? Bang a blu-colored pill!
FDA-approved blue-blu-colored med to heal ED!
She needs YOU to grow your PENI!
Wish to surprise and gratify your lady tonight? ..."
* http://www.virustotal.com/file-scan/report.html?id=96413fc34ce94398f0e77db2823d76c257a274559da3c8e8daadcbe86ed2a45e-1294875643
File name: erobyxwugwaugj.exe
Submission date: 2011-01-12 23:40:43 (UTC)
Result: 13/42 (31.0%)
There is a more up-to-date report (21/42) for this file.
- http://www.virustotal.com/file-scan/report.html?id=96413fc34ce94398f0e77db2823d76c257a274559da3c8e8daadcbe86ed2a45e-1295079348
File name: 0aae4f7c578bf77f36d12bd353dd3e71
Submission date: 2011-01-15 08:15:48 (UTC)
Result: 21/42 (50.0%)

- http://www.symantec.com/connect/blogs/return-dead-waledacstorm-botnet-back-rise
12 Jan 2011

Distribution of the malware
> http://www.symantec.com/connect/sites/default/files/images/fig3.JPG

Waledac... [has stolen] almost 500,000 email passwords ...
- http://forums.spybot.info/showpost.php?p=395350&postcount=82
2 February 2011


2011-01-17, 05:47

DDoS botnet update - greenter.ru & globdomain.ru
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20110116
16 January 2011 - "On September 13, 2010, I posted a blog about a very active BlackEnergy DDoS botnet that was attacking a wide variety of victims.
Since that post, the Command and Control servers on the greenter.ru and globdomain.ru domains have directed DDoS attacks against approximately 170 different victims. Again, these attacks are across many different industries and target some rather high profile sites. As of 9/13/10, I've seen these controllers use the following hosting providers. The list indicates the date first seen on the provider, the IP address used, the AS number of the provider, and the country of the provider:
greenter.ru hosts
* 08/07/10 - - AS48691 SPECIALIST-AS Specialist Ltd - - Moldova
* 11/18/10 - - AS51306 - Tavria Host Network - Ukraine
* 11/30/10 - - AS44209 - FINACTIVE - Ukraine
* 1/7/10 - - AS52055 - ReliktBVK - Latvia
globdomain.ru hosts
* 08/07/10 - - AS48691 SPECIALIST-AS Specialist Ltd - Moldova
* 11/23/10 - - AS51306 - Tavria Host Network - UA
* 11/30/10 - - AS44209 - FINACTIVE - UA
* 1/7/10 - - AS52055 - ReliktBVK - LV
As of this post, globdomain.ru is on and greenter.ru is on Shadowserver is in the process of notifying the various global CERT teams, Law Enforcement, as well as the victims themselves..."

Darkness DDoS bot version identification guide
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20110127
27 January 2011


2011-01-26, 16:05

Conficker Group... roadmap for stopping worm
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=229100192
Jan. 25, 2011 - "... On Monday, the Rendon Group released a report*, funded by the Department of Homeland Security, rounding up the 15-person-strong working group's "lessons learned." The report highlighted the group's biggest achievement: "preventing the author of Conficker from gaining control of the botnet." Doing so, however, required coordinating with organizations in more than 100 countries to block the more than 50,000 domains per day generated by the Conficker C worm..."
* http://www.confickerworkinggroup.org/wiki/pmwiki.php/Calendar/20110124
Lessons Learned ...

THANK YOU ...Conficker Group :bigthumb:

2011-02-03, 15:52

SpyEye/ZeuS merger - revisited...
- http://krebsonsecurity.com/2011/02/revisiting-the-spyeyezeus-merger/
February 3, 2011 - "... Seculert*, a new threat alert service... includes some screen shots of the administrative panel of SpyZeuS that show the author trying to appeal to 'users' of both Trojans, by allowing 'customers' to control and update their botnets using either the traditional ZeuS or SpyEye Web interface... the author(s) has been adding new features to both the bot and the control panels nearly every day..."
* http://blog.seculert.com/2011/01/fresh-new-hydra-head.html

- http://www.pcworld.com/article/218585/next_generation_banking_malware_emerges_after_zeus.html
Feb 3, 2011

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=229201215
Feb. 4, 2011
- http://www.trusteer.com/blog/zeus-continues-evolve-%E2%80%93-trusteer-tracking-its-progress
Feb. 3, 2011


2011-02-11, 14:01

Zbot detections - MSRT
- http://blogs.technet.com/b/mmpc/archive/2011/02/10/battling-the-zbot-threat-with-msrt.aspx
10 Feb 2011 - "... Zbot itself is continually evolving, having undergone many changes in the last year or so, ‘updates’ to the file-based obfuscation, anti-AV defensive techniques, information stealing capabilities, configuration file protection, API hooking, pseudo-random domain generation, process injection and file infection... we can show the telemetry we’ve gathered from the MSRT and Microsoft Security Essentials over the last four months documenting the percentage of Zbot detections exhibiting these new features... Of all the changes that Zbot has undergone however, the most significant from an MSRT perspective is the move towards file infection. Since its inception, Zbot has employed process injection targeting multiple processes on the system, the extent of which is governed by the privilege level of the user who unwittingly triggers the infection. (TIP: If you’re going to run an attachment you got from an email or a link, or via Facebook, don’t elevate it to admin via UAC.) In some newer variants of Zbot in the wild, for each infected process it will hook several Windows APIs, modify and infect binary files, and infect files shared in the network. One interesting behavior to note is that the infected process thread will continually monitor and infect other processes... In its original form, Zbot hooked around 15 APIs. But newer versions, dubbed Zbot 2.x, hook upwards of 30 APIs. The API that we are most interested in however is NtCreateFile(), which is invoked upon opening files... Zbot can infect both directly and upon opening files..."

Zbot detections - charted
- http://www.microsoft.com/security/portal/blog-images/zbotmsrt-1.png
Zbot code injection and hooking process
- http://www.microsoft.com/security/portal/blog-images/zbotmsrt-2.png

- http://www.darkreading.com/taxonomy/index/printarticle/id/229216691
Feb 10, 2011

- http://www.microsoft.com/security/sir/story/default.aspx#section_4_5_1


2011-02-15, 18:28

Top 10 botnets - 2010 ...
- http://www.securityweek.com/top-10-botnet-threat-report-2010-released-damballa
Feb 15, 2011 - "Damballa... today released its “Top 10 Botnet Threat Report - 2010”... At its peak in 2010, the total number of unique botnet victims grew by 654 percent, with an average incremental growth of eight percent per week... Some highlights include:
• Of the Top 10 largest botnets in 2010, six of these botnets did not exist in 2009, and only one (Monkif) was present in the 2009 Top 10 largest botnets.
• The biggest botnet of 2010 (a botnet associated with the TDL Gang)... claiming nearly 15 percent of all unique infected victims in 2010.
• The Top 10 largest botnets in 2010 accounted for approximately 47 percent of all botnet compromised victims...
• ... more than 35 percent of unique IP addresses infected were simultaneously victims of two or more different botnet campaigns...
• ... rapid evolution of many popular botnet do-it-yourself (DIY) construction kits and the increased availability of feature-rich browser exploit packs.
• ... malware distribution services became more proficient at installing bot agents on behalf of their customers (i.e. botnet operators).
• The last quarter of 2010 was heavily influenced by the rapid growth of botnets utilizing the TDL master-boot-record (MBR) rootkit technology...
The full report is available here* (Direct PDF Download)"
* http://www.damballa.com/downloads/r_pubs/Damballa_2010_Top_10_Botnets_Report.pdf

- http://www.secureworks.com/research/threats/spambot-evolution/
15 February 2011


2011-02-18, 06:24

Cybercrime costs UK $43B a year
- http://www.reuters.com/article/2011/02/17/us-britain-security-cyber-idUSTRE71G35320110217
Feb 17, 2011 - "Cyber crime costs the British economy some 27 billion pounds ($43.5 billion) a year and appears to be "endemic," according to the first official government estimate of the issue published on Thursday. The study by Britain's Office of Cyber Security and Information Assurance concluded digital crime is a growing, widespread problem, and attempts to address it have been hampered by a real lack of understanding and insight. Business is bearing the brunt of the costs at an estimated 21 billion pounds, with the pharmaceutical, biotech, IT, and chemical sectors the worst hit. However, government lost some 2.2 billion pounds and the cost to individual Britons amounted to 3.1 billion pounds, "The Cost of Cyber Crime" report* said. Last year, Britain's National Security Strategy placed cyber attacks as one of the top threats the country faces, along with terrorism, war and natural disasters... The report said 9.2 billion pounds was lost from intellectual property (IP) theft, 7.6 billion from industrial espionage and 2.2 billion from extortion, with large companies being targeted..."
* http://www.cabinetoffice.gov.uk/resource-library/cost-of-cyber-crime


2011-02-22, 15:10

ZeuS attacks 2-factor...
- http://www.theregister.co.uk/2011/02/22/zeus_2_factor_authentication_attack/
22 February 2011 - "A variant of the ZeuS banking trojan is targeting mobile phone users who rely on their handsets to get enhanced, two-factor authentication from ING Bank Slaski in Poland... The ZeuS man-in-the-mobile attacks appear to similar to those that hit Spain in September, researchers from antivirus provider F-Secure said*. Both attacks attempt to steal so-called mTANs, short for mobile transaction authentication numbers, which an increasing number of European banks are using to provide enhanced authentication to online customers. Financial institutions send the one-time passwords in text messages. The secondary passcodes are needed to login to online accounts. The ZeuS Mitmo injects a fraudulent field into webpages that prompts users for their cellphone number and the type of handset they use. The criminals behind the operation then send the user an SMS message containing a link to malware that's customized to their Symbian or Blackberry phone. The malware automatically sends all mTANs sent to the handset to the ZeuS operators..."
* http://www.f-secure.com/weblog/archives/00002104.html


2011-03-06, 05:57

Botnets spew many trojans in February
- http://www.eweek.com/c/a/Security/Botnet-Trojan-Activity-Increased-in-February-553094/
2011-03-04 - "Trojan-based attacks continue to be the biggest malware threat in February, but PDF exploits aren’t far behind, according to several security reports. About 1 in 290 e-mails in February were malicious, making the month one of the most prolific periods for the threats, according to Symantec’s February 2011 MessageLabs Intelligence Report*. The global ratio of spam in e-mail traffic was 81.3 percent, an increase of 2.7 percent since January, the report found. The recent decline in spam appears to have reversed for the time being, according to the report. There was a lot of botnet activity in February, and the perpetrators appeared to be working together to some extent to distribute Trojans, according to Symantec. There were signs of integration across Zeus, Bredolab and SpyEye, as techniques associated with one malware family were being used by others, Symantec said in the report. The attacks were well-timed and used carefully targeted techniques, suggesting a “common origin” for these infected messages. One day, the messages would be propagating mainly Zeus variants, followed by a day dedicated to distributing SpyEye variants and later with Bredolab, in an alternating pattern, according to Paul Wood, MessageLabs Intelligence senior analyst. By the middle of the month, the variants propagated simultaneously with an advanced package that evaded traditional antivirus detection, he said. All the attacks used a .ZIP archive attachment containing malicious code. About 1.5 percent of blocked malware had malicious .ZIP attachments, and 79.2 percent of those files were connected to the Bredolab, Zeus and SpyEye attacks..."
* http://www.messagelabs.com/globalthreats


2011-03-09, 18:22

SpyEye/ZeuS target tracker sites...
- http://krebsonsecurity.com/2011/03/spyeye-zeus-users-target-tracker-sites/
March 9, 2011 - "Crooks who create botnets with the help of crimeware kits SpyEye and ZeuS are actively venting their frustration with two Web services that help ISPs and companies block infected machines from communicating with control networks run by these botmasters. The lengths to which established cyber criminals are willing to go to disable and discredit these anti-fraud services provide convincing proof that the services are working as designed, and that the bad guys are suffering financially as a result... A series of discussions on an uber-exclusive Russian language forum that caters to identity and credit card thieves reveal that botmasters are becoming impatient in their search for a solution... Their stated goal? To cause SpyEye Tracker and ZeuS Tracker to flag legitimate sites as hostile, and thereby to lose credibility with ISPs that rely on the trackers... it is clear from these and other threads on this forum that the botmasters will continue devising new methods of disabling the trackers..."
(More detail and screenshots available at URL above.)

Data showing recent traffic spikes from DDoS attacks
- http://krebsonsecurity.com/wp-content/uploads/2011/03/spyzeusdns1.jpg


2011-03-16, 03:15

Skunkx DDoS Bot Analysis
- http://asert.arbornetworks.com/2011/03/skunkx-ddos-bot-analysis/
March 14th, 2011 - "... appears to be from the US. We’re calling this bot “Skunkx”. We have not yet seen the bot’s attacks in the wild, however, and so we do not know its favored victim profiles. We also do not know how big this botnet is at this time. The bot’s capabilities include:
* Perform DDoS attacks: UDP floods, SYN floods, HTTP floods, and Slowloris attacks
* Detect some analyst tools (Commview, TCPView, and Wireshark) and platforms (QEMU, VMWare, VirtualPC)
* Spread over USB, MSN, YahooMessenger
* “Visit” sites, speedtest
* Download and install, update, and remove arbitrary software
* Detect and stop DDoSer, Blackshades, Metus and IRC bots on the box; it apparently can speak “DDoSer” too
* Spread as a torrent file
* Steal logins stored in the SQLite DB by Mozilla
We have not seen source or the control panel of the bot. The author appears to like the “JoinVPS” service, however. His servers that he has used go back to “Net-0x2a: Zharkov Mukola Mukolayovuch” in the Ukraine, and also “PIRADIUS” in Malaysia. This is someone familiar with underground hosting, it seems... We have also been sinkholing this botnet. Inspection shows hundreds of bots checking in from around the world, with most in the US..."
Map showing botted hosts:
- http://farm6.static.flickr.com/5217/5513742272_bb6c467802_o.png

JKDDOS: DDoS bot...
- http://asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry/
March 8th, 2011 - "... Looking back through our malware zoo, we observed our first JKDDOS sample as early as September 2009. Since then, we have analyzed almost 50 unique JKDDOS samples, the most recent of which we acquired in December 2010. Based on its recent history of attacks, the operators of this family appear to have an axe to grind against several relatively large international holding companies that have connections to the mining industry... The JKDDOS malware is distributed in the form of a relatively small executable that tends to vary widely in size across different samples; we have seen specimens as small as 17,408 bytes and as large as 240,997 bytes. The most common size for a JKDDOS sample is approximately 33.5 KB; recently, the JKDDOS samples we have analyzed have usually been packed whereas earlier samples were not... Once launched, a JKDDOS bot performs a fairly standard installation process. It copies itself into the C:\Windows\System32 directory. In an attempt to be stealthy, it will sometimes name the installed copy of itself so as to appear to be a legitimate system file..."

(More detail at both URLs above.)


2011-03-18, 02:19

Rustock botnet takedown...
- http://www.theregister.co.uk/2011/03/17/rustock_botnet_takedown/
17th March 2011 - "Spam volumes shrank on Wednesday after the prolific Rustock botnet fell silent, reportedly as a result of a takedown action*. Rustock, which is made up of a network of compromised (malware-infected) Windows PCs, turns an illicit income for its unknown controllers by being the biggest single source of global spam... SecureWorks... last month... said the author(s) of Rustock have pioneered a variety of techniques to evade detection on infected machines and to stymie security researchers hoping to unlock the secrets of its day-to-day operations... it is possible that Rustock may be configured to use the news headlines or other topical information from these sites as the random seed for generating new command and control domains..."
* http://krebsonsecurity.com/2011/03/rustock-botnet-flatlined-spam-volumes-plummet
March 16th, 2011 7:05 pm

- http://labs.m86security.com/2011/03/rustock-down/
March 16th, 2011 - "... A brief look at at our spam traps today confirmed that output from Rustock did indeed dry up today. The chart below shows an index of daily spam volume changes from Rustock over the last few weeks:
- http://labs.m86security.com/wp-content/uploads/2011/03/RustockSpam.png
... lets hope this one sticks. Previous attempts at botnet shutdowns have tended to be short lived as the botnet herders simply regroup and start again..."

Operation b107 - Rustock Botnet Takedown
- http://blogs.technet.com/b/mmpc/archive/2011/03/18/operation-b107-rustock-botnet-takedown.aspx
17 Mar 2011 6:47 PM

- http://online.wsj.com/article/SB10001424052748703328404576207173861008758.html
MARCH 18, 2011 - "... U.S. marshals accompanied employees of Microsoft's digital crimes unit into Internet hosting facilities in Kansas City, Mo.; Scranton, Pa; Denver; Dallas; Chicago; Seattle and Columbus, Ohio. The Microsoft officials brought with them a federal court order granting them permission to seize computers within the facilities alleged to be "command-and-control" machines, through which the operators of the Rustock botnet broadcast instructions to their army of infected computers, estimated by Microsoft at more than one million machines world-wide..."


2011-04-14, 00:21

Coreflood botnet takedown ...
- http://news.yahoo.com/s/afp/20110413/pl_afp/usitcrimecomputersecurityinternetcoreflood
April 13, 2011 WASHINGTON (AFP) – "The US authorities have disabled a vast network of virus-infected computers used by cyber criminals to steal passwords and financial information, the Justice Department and FBI announced Wednesday. The "Coreflood" botnet is believed to have operated for nearly a decade and to have infected more than two million computers around the world, they said in a joint statement. The Justice Department and FBI said charges of wire fraud, bank fraud and illegal interception of electronic communications had been filed against 13 suspects identified in court papers only as John Doe 1, John Doe 2, etc. Five computer servers and 29 Internet domain names were seized as part of the operation, described as the "most complete and comprehensive enforcement action ever taken by US authorities to disable an international botnet"... Coreflood, which exploited a vulnerability in computers running Microsoft's Windows operating systems, was used to steal usernames, passwords and other private personal and financial information, US officials said..."
- http://www.justice.gov/opa/pr/2011/April/11-crm-466.html
April 13, 2011 - More Than 2 Million Computers Infected with Keylogging Software as Part of Massive Fraud Scheme...

- http://krebsonsecurity.com/2011/04/u-s-government-takes-down-coreflood-botnet/
April 14, 2011
- http://www.fbi.gov/contact-us/field/new-haven-connecticut/
April 13, 2011

- http://www.secureworks.com/research/threats/coreflood/
June 2008


2011-04-26, 15:15

RBN IP List... updated
- http://securehomenetwork.blogspot.com/2011/03/rbn-ip-list-and-super-black-hole.html
March 20, 2011
> http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
26 Apr 2011
> http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt
25 Apr 2011


2011-04-27, 21:48

Zeus adds Investment Fraud...
- http://www.trusteer.com/print/node/1533
April 27, 2011 - "We recently discovered and investigated a very interesting new Zeus configuration sample that uses credible looking banner advertisements on major web sites to offer high rate of return investment opportunities. This attack is targeting some of the world’s leading and most trusted websites including: AOL, Amazon, Apple, CNN, Citibank, Forbes, ESPN, and many more. Adding investment fraud to its bag of tricks is a new twist for Zeus. These attacks have only one purpose – to lure users into investing their money through a very convincing and professional looking website, https ://ursinvestment .com, which is a fraud. We traced several examples of this configuration file to attacks on leading websites. In one case, the Zeus mechanism embeds banners on the targeted websites which -redirect- to https ://ursinvestment .com. We were surprised to see how well integrated the banner designs were with the attacked websites... The website is hosted on an IP address ( that originates from Germany. Huan-jun-net, an unknown network, is responsible for hosting the website..."
(Screenshots and more detail available at the Trusteer URL above.)

- http://www.fbi.gov/news/testimony/cybersecurity-responding-to-the-threat-of-cyber-crime-and-terrorism
April 12, 2011 - "... The Booming Business of Botnets: ... The botnets run by criminals could be used by cyber terrorists or nation states to steal sensitive data, raise funds, limit attribution of cyber attacks, or disrupt access to critical national infrastructure. Today’s botnets are often modular and can add or change functionality using internal update mechanisms... Some criminals rent or sell their botnets or operate them as a specialized portion of an ad hoc criminal organization. At least one botnet kit author implemented a copy protection scheme, similar to major commercial software releases, which attempts to limit unauthorized use of the botnet kit. Botnets that specialize in data exfiltration are able to capture the contents of encrypted webpages and modify them in real time. When properly configured, criminals can ask additional questions at login or modify the data displayed on the screen to conceal ongoing criminal activity. Criminals purchase the base kits for a few thousand dollars and can pay for additional features to better target specific webservices..."

:mad: :mad:

2011-05-09, 18:38

DDoS Bot - "Snap"...
- http://ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html
May 09, 2011 - "... a new DDoS bot on the block - "Snap". This modular bot differentiates itself by offering the ability to choose between different modules to be added to the final package, and by allowing to perform to "proprietary" DDoS functions, namely the TurboSYN, and TrafficDDoS. Next to its core DDoS functionality, the coder of the bot is differentiating by offering Form Grabbing; Reverse Socks; MailSpamming; IM-Spamming and Exploits launching functionality..."
(More detail at the URL above.)

- http://www.darkreading.com/taxonomy/index/printarticle/id/229403058
May 09, 2011

- https://www.verisign.co.uk/press/page_20100505.html
May 5, 2010 - "... Best Practices... DDoS Defense..."

:fear: :mad:

2011-05-17, 20:41

RBN activity seen - ISC ...
- http://isc.sans.org/diary.html?storyid=10888
Last Updated: 2011-05-17 14:05:17 UTC - "... latest log excursion started with two alerts from the ISC poll feature we have on the index page... other odd thing was that these two requests came in very close to each other but look very differently. If you look at the two IP addresses ( and, it turns out that both are part of AS 5577, a network registered in Luxemburg. Further, looking up these addresses in Threatstop's "checkip" feature [1] shows that these are suggested to be part of the Russian Business Network... Got quite a few hits like that from AS 5577 hosts*..."
(More detail at the ISC URL above.)

[1] http://threatstop.com/checkip

* http://www.google.com/safebrowsing/diagnostic?site=AS:5577


2011-05-27, 15:38

Mariposa botnet is alive...
- http://blog.trendmicro.com/mariposapalevo-on-the-rise-again/
May 25, 2011 - "... despite the Mariposa botnet takedown in early 2010, some of its command-and-control (C&C) servers are still very much alive. Our findings were further verified, as according to abuse.ch, there are currently 89 active Mariposa C&C servers. This number is also steadily growing, as we’ve found 116 active C&C servers as of this writing. The list even includes the infamous URL that was responsible for the botnet’s name — Mariposa. We checked out the variants that were causing the activity and found that although currently in-the-wild samples slightly differed from previous versions, their functions remained the same. WORM_PALEVO is a modularized bot mainly used to perform distributed denial-of-service (DDoS) attacks and to download other files. As a commercial bot, its modules can be separately bought should herders want to add features such as propagation, browser monitoring and hijacking, cookie stuffing, and flooding and download routines to their creations. The bots communicate with their C&C server using UDP, which firewall devices do not typically block..."
> http://blog.trendmicro.com/wp-content/uploads/2011/05/PALEVO.jpg


2011-06-22, 05:56

FBI scrubbed 19,000 PCs snared by Coreflood botnet
- http://krebsonsecurity.com/2011/06/fbi-scrubbed-19000-pcs-snared-by-coreflood-botnet/
June 21, 2011 - "The FBI has scrubbed some 19,000 PCs that were infected with the Coreflood bot malware, the agency told a federal court last week. The effort is part of an ongoing and unprecedented legal campaign to destroy one of the longest-running and most menacing online crime machines ever built. In April, the Justice Department and the FBI were granted authority to seize control over Coreflood, a criminal botnet that enslaved millions of computers. On April 11, 2011, the U.S. Attorney’s Office for the District of Connecticut was granted authority to seize 29 domain names used to control the daily operations of the botnet, and to redirect traffic destined for the control servers to a substitute server that the FBI controlled. More significantly, the FBI was awarded a temporary restraining order allowing it to send individual PCs infected with Coreflood a command telling the machines to stop the bot software from running..."
> http://krebsonsecurity.com/wp-content/uploads/2011/06/corefloodjune2011.jpg

- http://www.secureworks.com/research/threats/coreflood-report/?threat=coreflood-report
August 6, 2008


2011-06-30, 15:00

Butterfly botnet - steals financial information
- http://www.darkreading.com/taxonomy/index/printarticle/id/231000729
June 29, 2011 - "A financial-fraud botnet built with the same malware kit used in the now-defunct Mariposa botnet remains active after arrests this month of two Eastern European men who allegedly ran it. Researchers at Unveillance, Panda Labs, and Damballa have been studying the botnet, which has been dubbed "EvilFistSquad" by Damballa and "Metulji" by Unveillance and Panda, for some time now. Unveillance and Panda Labs today announced that the botnet has hit businesses and individuals across 172 or more countries, including the U.S., Russia, Brazil, China, Great Britain, India, and Iran. The botnet uses the Butterfly Bot Kit, a.k.a. Palevo, Pilleuz, and Rimecud, the malware that was used by the Mariposa botnet... researchers say the new Metulji/EvilFistSquad botnet uses Butterfly Bot malware to infect its victims, and then steals bank account credentials and other personal information. The worm spreads via removable drives, namely USB sticks. The researchers say that while some of the botnet's domains were taken down, several other domains are still up, running, and harvesting stolen information from victim machines..."


2011-06-30, 15:23

TDL-4 botnet - 4.5 million...
- https://www.computerworld.com/s/article/9218034/Massive_botnet_indestructible_say_researchers?taxonomyId=17&pageNumber=2
June 29, 2011 - "... Kaspersky* estimated that the TDL-4 botnet consists of more than 4.5 million infected Windows PCs. TDL-4's rootkit, encryption and communication practices, as well as its ability to disable other malware, including the well-known Zeus, makes the botnet extremely durable... TDL-4's counter-attacks against other malware was another reason it's so successful... TDL-4's makers use the botnet to plant additional malware on PCs, rent it out to others for that purpose and for distributed denial-of-service (DDoS) attacks, and to conduct spam and phishing campaigns. Kaspersky said TDL-4 has installed nearly 30 different malicious programs on the PCs it controls..."
* http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot

- http://www.securelist.com/en/analysis/204792157/TDSS_TDL_4#7
"... TDSSKiller*... detects not only the latest variant of the malware, but its previous versions as well..."
* http://support.kaspersky.com/faq?chapter=176492791&print=true&qid=208283363

- http://isc.sans.org/diary.html?storyid=11146
Last Updated: 2011-07-03 00:29:34 UTC


2011-07-26, 19:25

Blended attacks hit more Websites
- http://www.informationweek.com/news/security/vulnerabilities/231002568?printer_friendly=this-page
July 25, 2011 - "The average large business's website sees 27 attacks per minute, though attackers - thanks to automation - can create spikes of up to seven attacks per second, or about 25,000 attacks per hour. Those findings come from a new study, conducted by Imperva, of more than 10 million Web application attacks targeting the websites of 30 large businesses and government agencies, launched between January 2011 to May 2011. The study also assessed traffic that flowed via the onion router, better known as TOR, which helps anonymize Web traffic. The study found that the four most prevalent attacks against Web applications were directory traversal (37%), cross site scripting (36%), SQL injection (23%), and remote file include (4%), aka RFI. Attackers often employed those techniques in combination, whether to steal data, surreptitiously install malware on servers, or simply create a denial of service... Overall, most Web application attacks are launched from botnets* involving exploited PCs located in the United States (for 61% of attacks), followed by China (9%), Sweden (4%), and France (2%). But the identity of whoever's behind those attacks, and where they might be based, isn't clear..."
* http://blog.imperva.com/2011/07/web-applications-probed-once-every-two-minutes.html
July 25, 2011


2011-08-02, 20:49

Cybercrime more costly, more frequent ...
- http://www.darkreading.com/taxonomy/index/printarticle/id/231300021
Aug 02, 2011 - "Cybercrime is not only becoming more frequent - it's becoming more expensive for the victims... In its Second Annual Cost of Cybercrime study*, the Ponemon Institute surveyed 50 large companies to determine the losses and expenditures caused by cybercrime. The study, sponsored by security information and event management company HP ArcSight, indicates that the cost of cybercrime has risen 56 percent since last year's report. "We found that the median annualized cost of cybercrime for 50 organizations in our study is $5.9 million per year, with a range of $1.5 million to $36.5 million each year per company," the study says. Some of the other findings:
• Cybercrime cost varies by organizational size... smaller organizations incur a significantly higher per capita cost than larger-sized organizations ($1,088 vs. $284).
• The companies participating in the study experienced 72 successful attacks per week - or more than 1.4 successful attacks per organization. This figure has increased 44 percent over last year...
• The most costly cybercrimes are those caused by malicious code, denial-of-service, stolen or hijacked devices, and malicious insiders... These account for more than 90 percent of all cybercrime costs...
• Cyberattacks can get costly if not resolved quickly... The average time to resolve a cyberattack is 18 days, with an average cost of $415,748 over this 18-day period... a 67 percent increase from last year’s estimated average cost of $247,744...
• Results show that malicious insider attacks can take more than 45 days on average to contain... Information theft accounts for 40 percent of total external costs... disruption to business or lost productivity account for 28 percent of external costs...
• Recovery and detection are the most costly internal activities associated with cybercrime... Recovery and detection account for 45 percent of the total internal activity cost, most of it spent on cash outlays and labor. Having an SIEM system** can help..."
* http://www.arcsight.com/press/release/hp-research-ponemon/

** https://secure.wikimedia.org/wikipedia/en/wiki/SIEM

:fear: :mad:

2011-08-03, 01:46

Bitcoin mining bot... controlled via Twitter
- http://www.f-secure.com/weblog/archives/00002207.html
August 2, 2011 - "Bitcoin is an electronic currency which is not tied in value to any other currencies. You can convert other currencies (like US dollars) to Bitcoins, or you can mine new Bitcoins by completing complex mathematical tasks. This creates an incentive for botnet masters to use other people's computers to mine bitcoins for them. And we've seen a some examples of botnets that try to do this. But now we've found a bot that uses Twitter as the control channel. The bots are created with a generator. Generator sets a specific Twitter account to be the one which can be used to control the mining botnet... We detect bots generated with this generator as Trojan.Generic.KD."


2011-08-16, 18:41

Botnet-driven "Google Dorks" - automated cyber attacks...
- http://venturebeat.com/2011/08/16/watch-out-for-botnet-driven-google-dorks-the-next-automated-cyber-attacks/
August 16, 2011 - "... swarms of compromised computers are being unleashed for the first time on an old kind of vulnerability: Google Dorks. Google Dorks have been around for a while, as the name for an attack where hackers scan web sites, using commonly used links within company networks, to see if there are any unsecure links that can be used to break into a company’s web site. A report being released today by Imperva* warns that the combination of the highly automated botnets and the Google Dorks are a new vector for hackers to break into companies on a massive scale... The botnets can be used with a distributed search tool to find distinguishable resource names and specific error messages that say more than they should. Dorks are often exchanged between hackers in forums. Some of the lists of Dorks are posted on various web sites. Dorks and exploits go hand in hand. In the attack that Imperva observed, the attackers used dorks that match vulnerable web applications and search operators that were tailored to a specific search engine. For each unique search query, the botnet examined hundreds of returned results. Full told, the number of queries topped 550,000 queries, including one day with 81,000 queries — all via a single botnet. The attackers targeted e-commerce sites and content management systems. The more success they had, the more the attackers refined their search terms. Imperva saw 4,719 different variations of dorks used in the attacks. Fortunately, there are some solutions that Google, Bing and Yahoo can use to protect against these attacks. Search engines are in a unique position to identify botnets that abuse their services and can thus find out more about the attackers. The search engines can identify unusual queries such as those that contain terms from publicly available Dork databases, or queries that look for sensitive files..."
* http://blog.imperva.com/2011/08/google-dorks-20.html
August 16, 2011

- http://www.darkreading.com/taxonomy/index/printarticle/id/231500104
Aug 16, 2011


2011-09-06, 22:35

Rent-a-Bots tied to TDSS Botnet
- https://krebsonsecurity.com/2011/09/rent-a-bot-networks-tied-to-tdss-botnet/
September 6, 2011 - "... one of the world’s largest and most sophisticated botnets is openly renting its infected PCs to any and all comers, and has even created a Firefox add-on to assist customers. The TDSS botnet is the most sophisticated threat today... First launched in 2008, TDSS is now in its fourth major version (also known as TDL-4). The malware uses a “rootkit” to install itself deep within infected PCs, ensuring that it loads before the Microsoft Windows operating system starts. TDSS also removes approximately 20 malicious programs from host PCs, preventing systems from communicating with other bot families... when socks.dll is installed on a TDSS-infected computer, it notifies awmproxy .net that a new proxy is available for rent. Soon after that notification is completed, the infected PC starts to accept approximately 10 proxy requests each minute... The service’s proxies are priced according to exclusivity and length of use... The renting of hacked PCs for anonymous surfing is only one of the many ways the TDSS authors monetize their botnet..."
(More detail at the krebsonsecurity URL above.)

Some Botnet Statistics ...
> http://www.abuse.ch/?p=3294


2011-09-08, 15:16

Qbot now Digitally Signed ...
- http://blog.eset.com/2011/09/07/back-to-school-qbot-now-digitally-signed
September 7, 2011 - "... Win32/Qbot (a.k.a. Qakbot) are back with new variants of this infamous malware, and this time the binaries are digitally signed. Qbot is a multifunctional trojan that has had some significant impact in the past. It has also been around a while, with the first variants dating as far back as spring 2007, with more massive distribution starting two years later in 2009... Two weeks ago we caught the latest version with our advanced heuristics... the code of this Qbot version has been rewritten, but the functionality remains very similar to the previous versions. As a reminder, Qbot’s main purpose is stealing different types of sensitive information, including:
• Various user names and passwords
• Keystrokes
• Cookies
• Digital certificates
• Visited URLs
• And much more...
It features a backdoor, which enables the bot to be controlled remotely, update itself, download and run other executables on the infected system. It can also insert malicious IFRAME tags into webpages, has the possibility to block access to domains containing certain keywords (which it uses as an anti-AV feature), and can be used for man-in-the-middle attacks against victims’ online banking systems. Win32/Qbot uses rootkit techniques to hide its presence in the operating system and also has characteristics of a worm, as it can spread through network shares and removable drives..."
(Screenshots and more detail available at the eset URL above.)


2011-09-27, 23:06

Kelihos botnet shutdown
- https://www.computerworld.com/s/article/9220321/Striking_a_domain_provider_Microsoft_kills_off_a_botnet
September 27, 2011 - "Microsoft has opened a front in its ongoing battle against Internet scammers, using the power of a U.S. court to deal a knockout blow to an emerging botnet and taking offline a provider of free Internet domains. Microsoft used the same technique that worked in its earlier takedowns of the Rustock and Waledac botnets, asking a U.S. court to order Verisign to shut down 21 Internet domains associated with the command-and-control servers that form the brains of the Kelihos botnet... With somewhere between 42,000 and 45,000 infected computers, Kelihos is a small botnet. But, it was spewing out just under 4 billion spam messages per day - junk mail related to stock scams, pornography, illegal pharmaceuticals and malicious software..."

Operation b79 (Kelihos) and Additional MSRT September Release
- https://blogs.technet.com/b/mmpc/archive/2011/09/26/operation-b79-kelihos-and-additional-msrt-september-release.aspx
26 Sep 2011


2011-10-13, 15:38

Chinese DDoS malware
- http://asert.arbornetworks.com/2011/10/arbor-networks-at-virus-bulletin-2011/
October 5th, 2011 - "... Our malware stream contains a lot of DDoS bots, many from China*..."
* http://www.securelist.com/en/blog/208193152/Virus_Bulletin_2011_Chinese_DDoS_Bots
"... Over 40 families of Chinese DDoS bots were identified by Arbor Networks and have been tracked over the past year. Online occurance of the malware itself is increasing. A ton of these families are cropping up all the time, at least a new one every week appears with an unusual new capability... it is difficult to understand or even speculate what the motivation behind the attack may be. Most of the code base is shared, cobbled together, and generally was thrown together by inexperienced writers... One of these familes represents the "typical" Chinese DDoS bot: darkshell is a great example of the rudimentary and simple level of network traffic obfuscation, but it's as sophisticated as it gets for these families... The bots use a very basic installation to Windows service and some use http, but most use raw tcp connections to their command and control (CnC) servers residing at 3322 .org or 8866 .org free dynamic dns providers' domains... The Chinese DDoS attack engines that make these bot families unique from other regional bots is the very large set of DDoS attack capabilities maintained in each. Winsock2-based HTTP flood capabilities were the most common or the bots' DDoS capabilities and are used to take down web sites, followed by UDP, TCP and ICMP flood capabilities...yoyoddos is the most active of the DDoS families that they are tracking. The family also maintains the first spot as sustaining the longest attack against a site of these CN DDoS families. This one launched a particular attack for 45 days straight... Chinese web sites are not the only recipients of the DDoS attacks. jkddos tends to go after large, very prominent, financial and investment companies. On 6 different occasions the family was used to DDoS a very large and prominent NYC commercial real estate holding company, and its longest attack was 33 hours. It's a new and somewhat unexpected area of bad online behavior."

> http://google.com/safebrowsing/diagnostic?site=3322.org/
"... Part of this site was listed for suspicious activity 23 time(s) over the past 90 days... Malicious software includes 2040 exploit(s), 1341 trojan(s), 145 backdoor(s)... this site has hosted malicious software over the past 90 days. It infected 254 domain(s)..."
> http://google.com/safebrowsing/diagnostic?site=8866.org/
"... Part of this site was listed for suspicious activity 8 time(s) over the past 90 days... Malicious software includes 162 exploit(s), 77 scripting exploit(s), 38 trojan(s)... this site has hosted malicious software over the past 90 days. It infected 133 domain(s)..."

Aldi Bot...
- http://asert.arbornetworks.com/2011/10/ddos-aldi-bot/
October 5th, 2011 - "... Aldi Bot is a newer inexpensive DDoS bot that is growing in popularity. Recent data (September 30 2011) suggests that there are at least 50 distinct Aldi bot binaries that have been seen in the wild with 44 unique Command & Control points. We see the bot active in Russia, the Ukraine, the US, and Germany. While it has been stated that Aldi Bot won’t be developed further, the source code has leaked which makes it easy to find and use... All it takes is one bot such as Aldi Bot or other tool such as a Remote Access Trojan (RAT) to provide an attacker a handhold on the inside of an organization that can lead to a much larger security breach... attacks involving the exfiltration of sensitive data typically start with one smaller compromise that is then leveraged for additional access. Additionally Aldi Bot steals passwords, and passwords are often re-used for convenience even though it is a dangerous practice. Without proper monitoring of system and network activity, such infected nodes can be long-lived and pose significant risk... While it has been speculated that Aldi Bot has borrowed from the Zeus banking Trojan source code release in early 2011, Aldi bot is written in Delphi with a PHP back-end, while Zeus is written in C++ with PHP on the back-end. The only obvious similarity between Zeus and Aldi Bot that I can see at first glance is that both of them tend to use a filename called gate.php on the web-based back-end as a “drop zone” to process stolen data."
- http://www.h-online.com/security/news/item/Malware-for-everyone-Aldi-Bot-at-a-discount-price-1346594.html?view=zoom;zoom=2


2011-11-10, 18:58

Biggest Cybercriminal Takedown in History
- http://blog.trendmicro.com/esthost-taken-down-%E2%80%93-biggest-cybercriminal-takedown-in-history/
Nov. 9, 2011 - "... a long-living botnet of more than 4,000,000 bots was taken down by the FBI* and Estonian police in cooperation with Trend Micro and a number of other industry partners... The botnet consisted of infected computers whose Domain Name Server (DNS) settings were -changed- to point to foreign IP addresses. DNS servers resolve human readable domain names to IP addresses that are assigned to computer servers on the Internet. Most Internet users automatically use the DNS servers of their Internet Service Provider.... a collaboration also led to the arrest of the bad actors responsible for the botnet, despite the fact that the takedown of Rove Digital was complicated and took a lot of effort... Other industry partners did a tremendous job by making sure that the takedown of the botnet happened in a controlled way, with minimal inconvenience for the infected customers..."

* http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911
11/09/11 - "Six Estonian nationals have been arrested and charged with running a sophisticated Internet fraud ring that infected millions of computers worldwide with a virus and enabled the thieves to manipulate the multi-billion-dollar Internet advertising industry. Users of infected machines were unaware that their computers had been compromised—or that the malicious software rendered their machines vulnerable to a host of other viruses... DNSChanger was used to redirect unsuspecting users to rogue servers controlled by the cyber thieves, allowing them to manipulate users’ web activity..."
> (More detail at the FBI URL above.)
> http://www.fbi.gov/news/stories/2011/november/malware_110911/image/dns-malware-graphic

Video: http://www.symantec.com/avcenter/reference/drive-by-pharming-animation.html

- https://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/
Nov. 9, 2011

- https://www.us-cert.gov/current/#operation_ghost_click_malware
November 10, 2011

How to check if you are a victim...
> http://countermeasures.trendmicro.eu/how-to-check-if-you-are-a-victim-of-operation-ghost-click/
Nov. 9, 2011

:spider: :blink: ;)

2011-11-29, 14:08

P2P variant of Zeusbot/Spyeye...
- http://www.symantec.com/connect/blogs/cracking-new-p2p-variant-zeusbotspyeye
Nov. 28, 2011 - "... Symantec observed a modified variant of Zeusbot/Spyeye which uses peer-to-peer (P2P) architecture to communicate. The original Zeusbot communicated directly with its C&C server to download configuration data and upload stolen information. This was a major point of failure for the bot because the C&C server could be blocked or taken down, and the attacker would lose control of the botnet. The bot did have a fallback strategy: if the C&C server was down it generated pseudo-random domain names to contact. The attacker could of course predict those domain names and register one in order to gain back control of the bot, but the solution was not very efficient. (Terminology note: although we use the term “C&C” for the main server controlled by the attackers, this server is not a typical C&C in its functionalities, but is mainly a collector of information from the drones.) To overcome these limitations the attackers have now decided to use P2P. This modified variant of Zeusbot/Spyeye contains a list of IP addresses to contact. These IPs are not servers; they are other infected clients (peers). These clients provide configuration data, which in turn contains the URL of the main C&C server. In this modified way, even if the C&C server is taken down, the P2P network remains alive and can be fuelled with a new configuration file pointing to a new URL for a new C&C server. Can the P2P network be shut down? No (at least, not easily). The IP addresses in the P2P network cannot be blocked because, in most cases, they would be normal broadband IPs (home users and work computers, for instance) and blocking them would disrupt legitimate network traffic. Also, the list of peers can update so frequently that tracking them proves difficult. Using a P2P network this way is more resistant than just a single C&C URL, and can considerably prolong a botnet’s lifetime... We have found several samples in the wild which all seem to originate from a single source... We suspect those responsible for spreading this new variant may have access to the source code and upgraded the bot with all the new features... In total we observed 327 unique peers*, so an estimation of the number of infected machines could be anywhere from 500 to 1000... It has been reported that this threat has been spreading through spam emails and drive-by download exploits, so, in order to mitigate the risk of infection, we recommend users keep their computers updated and beware of email from unknown or unverified sources..."
* http://www.symantec.com/connect/sites/default/files/images/image11_0.png
Infection geographical distribution