Pandemic of the botnets 2012 ...

AplusWebMaster

FYI...

Etrade DDoS attack ...
- http://www.theregister.co.uk/2012/01/05/etrade_in_ddos_attack/
January 5, 2012 - "... online broker ETrade has been the target of a sustained malicious offshore generated cyber attack. The denial-of-service attack resulted in thousands of emails flooding the broking site, prompting a cessation of services from Christmas Eve to the New Year period. According to a Fairfax report*, offshore Etrade clients were the worst affected with some countries unable to access accounts for almost two weeks. An ETrade spokesperson confirmed that while overseas clients were more profoundly affected, Australian clients had intermittent access to their accounts... The Sydney Morning Herald reported** that St George customers were also affected by the attack as its online trading service is supplied by Etrade."
* http://www.theage.com.au/business/cyber-attack-strands-etrade-customers-20120104-1pl3x.html
January 5, 2012
** http://www.smh.com.au/business/st-george-service-hit-by-etrade-cyber-attack-20120105-1pmrs.html
January 6, 2012

- http://www.theage.com.au/business/cyber-attack-strands-etrade-customers-20120104-1pl3x.html
Jan 5, 2012 - "... While a denial-of-service attack prevents customers and the business from trading, it can also mask other illegal activities. Observers say businesses that have denial-of-service attacks not only lose the value of the business they would have conducted but also goodwill and reputation with the customer base..."

Global Denial of Service
- http://atlas.arbor.net/summary/dos
Summary Report - (Past 24 hours)

:fear: :spider: :mad:
 
Carberp on Facebook

FYI...

Carberp on Facebook
- http://www.theregister.co.uk/2012/01/18/carberp_steals_e_cash_facebook/
January 18, 2012 - "... Carberp, like its predecessors ZeuS and SpyEye, infects machines by tricking punters into opening PDFs and Excel documents loaded with malicious code, or attacks computers in drive-by downloads. The hidden malware is designed to steal account information, and harvest credentials for email and social-networking sites. A new configuration of the Carberp Trojan targets Facebook users to ultimately steal e-cash vouchers. Previous malware attacks on Facebook have been designed purely to slurp login info, so this latest skirmish, spotted by transaction security firm Trusteer*, can be considered something of an escalation. The Carberp variant replaces any Facebook page the user navigates to with a -fake- page notifying the victim that their Facebook account is temporarily locked. Effectively holding Facebook users hostage, the page asks the mark for their first name, last name, email, date of birth, password and a Ukash 20 euro ($25) voucher number to verify their identity and unlock the account... Trusteer warns the cash voucher attack is in some ways worse than credit card fraud, because with e-cash it is the account-holder, -not- the financial institution, who assumes the liability for fraudulent transactions..."
* http://www.trusteer.com/blog/carberp-steals-e-cash-vouchers-facebook-users

Bot blackmails Facebook users
- http://h-online.com/-1417073
19 January 2012 >> http://www.h-online.com/security/ne...-Facebook-users-1417073.html?view=zoom;zoom=1
___

Some Botnet Stats
- http://www.abuse.ch/?p=3294

Lies, Damn Lies, and Botnet Size
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100705

:mad:
 
Koobface goes silent...

FYI...

Koobface goes silent...
- http://www.reuters.com/article/2012/01/19/us-facebook-cybersecurity-idUSTRE80I05720120119
18 January 2012 - "... a pair of researchers on Tuesday published the names, aliases and photographs of a gang they accused of running a criminal enterprise known as Koobface that had primarily targeted Facebook after it cropped up in 2008. German security researchers Jan Droemer and Dirk Kollberg said that servers that ran the Koobface operation stopped responding on Tuesday morning after they released an in-depth report via Kollberg's employer, the UK anti-virus software maker Sophos*... the Koobface gang had continued to target other social networks as a long-running FBI probe failed to result in arrests in Russia... None of the five alleged members of the hacking group could immediately be traced to the reported office addresses or phone numbers in St Petersburg, Russia... The two German researchers said they suspected that the hackers had been working out of a third location in St. Petersburg..."
* http://nakedsecurity.sophos.com/2012/01/17/how-koobface-malware-gang-unmasked/
January 17, 2012

- https://www.nytimes.com/2012/01/17/...worm-operates-in-the-open.html?ref=technology
January 16, 2012 - "... These groups tend to operate in countries where they can work unmolested by the local authorities, and where cooperation with United States and European law enforcement agencies is poor... Russia, in particular, has a reputation as a hacker haven, although it has pursued several prominent cases against spammers recently..."
___

Kelihos botnet -aka- Waledac
- http://blogs.technet.com/b/microsof...soft-names-new-defendant-in-kelihos-case.aspx
23 Jan 2012 - "... Although the Kelihos botnet remains inactive since the successful takedown in September, thousands of computers are still infected with its malware. Please visit: http://www.support.microsoft.com/botnets for free information and tools to clean your computer from malicious software..."

- https://krebsonsecurity.com/2012/01/microsoft-worm-author-worked-at-antivirus-firm/
January 24, 2012
- http://www.gfi.com/blog/the-microsoft-kelihos-tango-continues/
January 24, 2012

:fear: :spider:
 
Carberp targets French broadband users

FYI...

Carberp targets French broadband users...
- https://www.trusteer.com/blog/internet-not-free-–-carberp-targets-french-broadband-subscribers
January 25, 2012 - "... recently discovered a configuration of Carberp that targets Free, a French broadband Internet service provider (ISP). The attack is designed to steal debit card and bank information using a Man in the Browser (MitB) attack. Free offers an ADSL service, called Freebox, to its customers. When subscribers visit their online account page Carberp launches an HTML Injection attack after the user has logged in. The victim is presented with a page that claims Free is having a problem processing their monthly subscription payments with the financial institution, and requests that the user update their payment account details... The malware then asks the user to submit their payment card number, expiration date, security code (CVV2), bank name, bank address, zip code and city. The victim is told that this information must be updated in order to make monthly payments and maintain their service... This latest Carberp attack is another example of fraudsters moving downstream from online banking applications to web sites that process debit and credit card payments. By launching MitB attacks that target customers of third party service providers, rather than the banks themselves, fraudsters can prey on the trust established between the victim and a non-financial entity like an ISP..."

- http://www.infosecurity-magazine.co...-generation-of-financial-malware-on-the-rise/
18 January 2012

- http://www.microsoft.com/security/p...ntry.aspx?Name=Win32/Carberp#techdetails_link
___

- http://blog.eset.com/2012/01/26/facebook-fakebook-new-trends-in-carberp-activity
Jan 26, 2012 - "... According to our data Carberp’s main activity is confined to the region of Russia and the former Soviet republics, and this activity centered on fraud targeting the major Russian banks and stealing money from RBS (Remote Banking Service) systems... The Russian Federation is the country where the largest number of installations of Carberp has been seen*... Another interesting fact concerns a new DDoS plugin (Win32/Mishigy.AB) for Carberp. This DDoS plugin was developed in Delphi 7 and based on the network components from the Synapse TCP/IP library. Synapse components are very popular among cybercriminals for the creation of DDoS bots... Carberp is one of the biggest botnets in Russian Federation and total number of active bots is estimated to number millions of infected hosts..."
* http://blog.eset.com/wp-content/media_files/stat_country.png

:mad::mad:
 
Drive-by downloads and Blackhole

FYI...

Drive-by downloads and Blackhole
- http://www.sophos.com/en-us/security-news-trends/reports/security-threat-report/html-09.aspx
26 Jan 2012 - "... The most popular drive-by malware we’ve seen recently is called Blackhole. It’s marketed and sold to cybercriminals in a typical professional crimeware kit that provides web administration capabilities. But it offers sophisticated techniques to generate malicious code. And it’s very aggressive in its use of server-side polymorphism and heavily obfuscated scripts to evade antivirus detection. The end result is that Blackhole is particularly insidious... Blackhole mainly spreads malware through compromised websites that redirect to an exploit site, although we’ve also seen cybercriminals use -spam- to redirect users to these sites. This year we’ve seen numerous waves of attacks against thousands of legitimate sites. We’ve also noticed cybercriminals abusing a number of free hosting sites to set up new sites specifically to host Blackhole. Just like the Blackhole kit itself, the code injected into the legitimate sites is heavily obfuscated and polymorphic, making it harder to detect. The typical payloads we see from Blackhole exploit sites include:
Bot-type malware such as Zbot (aka Zeus)
Rootkit droppers (for example TDL and ZeroAccess)
Fake antivirus
Typically, the malware on these sites targets Java, Flash and PDF vulnerabilities. At SophosLabs we saw a continual bombardment of new PDF, Flash, Java and JavaScript components each day for several months at the end of 2011. We’ve seen a huge rise in the volume of malicious Java files, virtually all of it from exploit sites such as Blackhole..."

:mad: :sad:
 
Spearphishing attacks - gov't related targets worldwide

FYI...

Spearphishing attacks - gov't related targets worldwide
Malware backdoors government-targeted kit 'using Adobe 0-days'
- http://www.theregister.co.uk/2012/02/01/spear_phishing_rats/
1 Feb 2012 - "... spearphishing attempts, which have been levied against several government-related organisations worldwide, try to use alleged unfixed security flaws in Adobe software to implant a Trojan on compromised machines - ultimately opening a backdoor for hackers to take over systems. Once loaded, the malware also cunningly attempts to escape detection by posing as a benign Windows Update utility..."

> http://blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html
Jan 31, 2012 - "... Seculert and Zscaler identified similar command and control (C&C) beacon patterns... matching the domain registration info of some of the C&C observed (for example, siseau .com, vssigma .com, etc.), we linked the new "MSUpdater" Trojan to previous attacks, probably conducted by the same group... The targeted attacks... share a few similar technical parameters (thus, regarded as created by the same group of attackers) arrive in emails with a malicious PDF attachment..."

> http://research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html
Jan 31, 2012 - "... we analyzed the incidents that we observed and those published in the open-source to identify attack patterns and incidents from early 2009 to present... The threat arrives in phishing emails with a PDF attachment, possibly related to conferences for the particular targeted industry. The PDF exploits a vulnerability within Adobe (for example, a 0-day exploit was used against CVE-2010-2883) which then drops a series of files to begin communicating with the command and control (C&C)... The malware dropped and launched from the PDF exploit has been seen to be virtual machine (VM) aware in order to prevent analysis within a sandbox. The Trojan functionality is decrypted at run-time, and includes expected functionality, such as downloading, uploading, and executing files driven by commands from the C&C. Communication with the C&C is over HTTP but is encoded to evade detection. The Trojan file name (e.g., "msupdate.exe") and the HTTP paths used in the C&C (e.g., "/microsoftupdate/getupdate/default.aspx") are used to stay under the radar by appearing to be related to Microsoft Windows Update - hence the name given to this Trojan. Correlating this information with open-source intelligence (OSINT), we were able to find other reports of this Trojan within past targeted incidents, as well as a link to other incidents and compromise indicators..."
___

- http://www.h-online.com/security/ne...-defence-sector-1427605.html?view=zoom;zoom=1
3 February 2012

:fear::mad::fear:
 
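Added here as a defender's illustration of the point in the Seculert/Zscaler write-ups above (not code from either vendor): the C&C path "/microsoftupdate/getupdate/default.aspx" only looks like Windows Update, so a proxy-log check that pairs update-style paths with the destination host exposes the mismatch. The log format, the trusted-suffix list and the sample lines are constructed assumptions.

```python
"""Flag Windows-Update-lookalike beacons in proxy logs.

Constructed example: the MSUpdater Trojan hid its C&C traffic behind a
path such as /microsoftupdate/getupdate/default.aspx. Such a path sent to
a host that is not a Microsoft update domain is worth an analyst's look.
"""
import re
from urllib.parse import urlsplit

# Assumed allowlist of domains that legitimately serve Windows Update
# content; a real deployment would build this from observed traffic.
TRUSTED_UPDATE_SUFFIXES = ("microsoft.com", "windowsupdate.com", "windows.com")

# Path fragments that imitate Windows Update. "microsoftupdate" and
# "getupdate" come from the write-up quoted above; the others are
# constructed variations a defender might also watch for.
LOOKALIKE_PATH_RE = re.compile(
    r"/(microsoftupdate|windowsupdate|getupdate|wuredir)/", re.IGNORECASE
)

# Simplified, constructed proxy log format:
#   <timestamp> <client-ip> <method> <url> <status>
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def host_is_trusted(host):
    """True if host equals or is a subdomain of a trusted update suffix."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_UPDATE_SUFFIXES)


def parse_line(line):
    """Split one log line into fields plus the URL's host and path, or None."""
    m = LOG_LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname or ""
    rec["path"] = parts.path or "/"
    return rec


def find_lookalike_beacons(lines):
    """Return (client, host, path) for update-style paths sent to untrusted hosts."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        if LOOKALIKE_PATH_RE.search(rec["path"]) and not host_is_trusted(rec["host"]):
            hits.append((rec["client"], rec["host"], rec["path"]))
    return hits


# Constructed sample log: one normal request, one real Windows Update
# download, two lookalike beacons, and one lookalike path on a trusted host.
SAMPLE_LOG = [
    "2012-01-31T09:12:03Z 10.1.2.15 GET http://www.example-news.test/index.html 200",
    "2012-01-31T09:12:05Z 10.1.2.15 GET http://download.windowsupdate.com/msdownload/update/software/secu/x.cab 200",
    "2012-01-31T09:12:41Z 10.1.2.15 GET http://update-host.invalid/microsoftupdate/getupdate/default.aspx?id=1 200",
    "2012-01-31T09:13:01Z 10.1.2.22 POST http://203.0.113.7/microsoftupdate/getupdate/default.aspx 200",
    "2012-01-31T09:13:10Z 10.1.2.22 GET http://www.microsoft.com/microsoftupdate/getupdate/default.aspx 404",
]

if __name__ == "__main__":
    for client, host, path in find_lookalike_beacons(SAMPLE_LOG):
        print(f"suspect beacon: {client} -> {host}{path}")
```

Only the two requests to non-Microsoft hosts are reported; the same path on www.microsoft.com is left alone, which is the point of pairing path and host rather than alerting on the path alone.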
Kelihos botnet ...

FYI...

Kelihos botnet remains very much dead after all
- http://arstechnica.com/business/news/2012/02/kelihos-botnet-remains-dead-after-all.ars
Feb 3, 2012
___

Kelihos botnet resurrected...
- http://arstechnica.com/business/new...-botnet-still-spams-from-beyond-the-grave.ars
Feb 1, 2012 - "A botnet capable of delivering almost four billion spam messages per day has been confirmed resurrected — more than four months after Microsoft celebrated its untimely demise. Researchers with Kaspersky Lab* reported on Tuesday that Kelihos, a peer-to-peer botnet that also goes by the name Hlux, continues to spew spam in a variety of languages...
Update: After this article was published, Microsoft sent the following statement:
"... Microsoft is working with Kaspersky to investigate this question and will provide more information when it becomes available..."
* http://www.securelist.com/en/blog/655/Kelihos_Hlux_botnet_returns_with_new_techniques
Jan 31, 2012

:mad:
 
Cellphone bots ...

FYI...

Cellphone bots ...
- http://www.symantec.com/connect/blogs/androidbmaster-million-dollar-mobile-botnet
Updated: 09 Feb 2012 - "... The -malware- was discovered on a third party marketplace (not the Android Market) and is bundled with a legitimate application for configuring phone settings. Trojanized applications are a well known infection vector for Android malware... the total number of infected devices connected to the botnet over its entire life span numbered in the hundreds of thousands... the botmaster has been operating at these rates since September 2011. The botnet targets mobile users in China... Revenue generation through premium SMS, telephony, and video services is also limited to the networks of China's two largest mobile carriers... Upon running the Trojanized application, -both- the original clean software and a malicious application (Android.Bmaster*) are installed. Once the malware is installed, an outbound connection from the infected phone to a remote server is generated... SMS numbers in China tend to cost around $0.15 to $0.30 per message, and while this may not seem particularly expensive, it quickly adds up when you factor in the number of the active, infected devices on the botnet and how most users likely would not notice the infection right away. Taking our two example dates as the lower and upper bounds of the number of active infected devices, we can see the botmaster is generating anywhere between $1,600 to $9,000 per day and $547,500 to $3,285,000 per year the botnet is running..."
* http://www.symantec.com/security_response/writeup.jsp?docid=2012-020609-3003-99

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1823
Last revised: 09/07/2011
CVSS v2 Base Score: 7.2 (HIGH)
Impact Type: Provides administrator access, Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service...

:mad:
 
Citadel botnets ...

FYI...

Citadel botnets... rapid growth
- https://krebsonsecurity.com/2012/02/collaboration-feuls-rapdid-growth-of-citadel-trojan/
Feb 9, 2012 - "... researchers there said that they’d observed at least five new versions of Citadel since first spotting the malware on Dec. 17, 2011. Seculert’s Aviv Raff said that means the miscreants behind Citadel are pushing out a new version of the Trojan about once a week..."
- http://blog.seculert.com/2012/02/citadel-open-source-malware-project.html
Feb 8, 2012 - "A few weeks ago, Brian Krebs reported* on Citadel, a new variant of the Zeus Trojan. Citadel creators decided to provide this new variant in a Software-as-a-Service (SaaS) model, which seems to be a rising trend in the cybercrime ecosystem... They created a social network that enables the customers of Citadel (other cybercriminals) to suggest new features and modules to the malware... Based on the fact that the Zeus source-code went public in 2011, the Citadel community indeed became active, and started contributing new modules and features. This recent development may be an indication of a trend in malware evolution - an open-source malware... Seculert's Research Lab discovered the first indication of a Citadel botnet on December 17th, 2011. The level of adoption and development of Citadel is rapidly growing, and since then Seculert has identified over 20 different Citadel botnets**..."
** http://3.bp.blogspot.com/-rL0YPxLvhHw/TzLb31lbmXI/AAAAAAAAAEs/VUE5fuNvv0A/s1600/citadelstats.png
(Infection rate per country of several Citadel botnets, infecting over 100,000 machines)

* https://krebsonsecurity.com/2012/01/citadel-trojan-touts-trouble-ticket-system/
Jan 23rd, 2012 - "... Citadel may be the first notable progeny of ZeuS since the ZeuS source code was leaked online last year. The authors claim that it includes a number of bug fixes for the most recent ZeuS version, including full support for grabbing credentials from victims using Google Chrome. Also bundled with this update is a component that can record and transmit videos of the victim’s screen activity... The growth of a more real-time, user-driven and crowdsourced malicious software market would be a truly disturbing innovation..."

:mad::mad:
 
Waledac malware returns... with password-stealing ...

FYI...

Waledac malware returns... with password-stealing ...
- https://www.computerworld.com/s/art...two_years_with_password_stealing_capabilities
Feb 16, 2012 - "A new version of the Waledac malware has been spotted on the Internet, but unlike previous variants, which were mainly used for spamming purposes, this one steals various log-in credentials and BitCoins, a type of virtual currency... researchers from network security firm Palo Alto Networks announced in a blog post*... it also steals FTP, POP3 and SMTP user passwords, as well as .dat files for BitCoin wallets. This is the first time that Palo Alto Networks' firewall products have spotted Waledac-related activity since the original botnet was shut down two years ago... the new Waledac version is being distributed through Web sessions, probably with the help of exploits hosted on compromised websites..."
* http://www.paloaltonetworks.com/res...ledac-returns…and-its-serving-more-than-spam/
"... it is important to note that this is a -new- variant of the botnet, and not the original version..."

:fear: :mad:
 
DNS Changer working group ...

FYI...

DNS Changer working group ...
- https://krebsonsecurity.com/2012/02...s-govt-still-infected-with-dnschanger-trojan/
"... Computers still infected with DNSChanger are up against a countdown clock. As part of the DNSChanger botnet takedown, the feds secured a court order to replace the Trojan’s DNS infrastructure with surrogate, legitimate DNS servers. But those servers are only allowed to operate until March 8, 2012. Unless the court extends that order, any computers still infected with DNSChanger may no longer be able to browse the Web... there are still -millions- of PCs infected with DNSChanger... Even if the DNS Changer working group manages to get the deadline extended, the cleanup process will likely take many years. At least, that’s been the experience of the Conficker Working Group, a similar industry consortium that was created to help contain and clean up infections from the infamous Conficker Worm. That working group was formed in 2009, yet according to the group’s latest statistics, nearly 3 million systems remain infected with Conficker. Given the Conficker Working Group’s experience, shutting down the surrogate DNS network on March 8 may actually be a faster — albeit more painful — way to clean up the problem... Home users can avail themselves of step-by-step instructions at this link* to learn of possible DNSChanger infections..."
* DNS Changer Working Group (DCWG) - Checking for DNS Changer >> http://dcwg.org/checkup.html

DNS Changer Eye Chart: http://dns-ok.us/

:fear::spider:
 
Cutwail botnet is back ...

FYI...

Cutwail botnet is back ...
- http://h-online.com/-1437644
20 Feb 2012 - "According to M86 Security*, the infamous Cutwail botnet (aka Pandex, Mutant and Pushdo) appears to have been reactivated... in the past few weeks they have registered several waves of HTML emails that were infected with malicious JavaScript and probably originated from Cutwail-infected PCs... the volume of infected emails was 50 times higher between 23 and 25 January, and three further waves from 6 February were found to be as much as 200 times higher. Infected emails had subject lines such as "FDIC Suspended Bank Account", "End of August Statement" and "Scan from Xerox WorkCentre". The embedded JavaScript code tries to inject malware into computers through various security holes in, for example, old versions of Acrobat Reader. In some cases, the "Cridex" data-stealing trojan has been installed. The botnet uses the "Phoenix Exploit Kit", which... achieves infection rates of more than fifteen per cent. In early January**, details of the operators of the Cutwail botnet became public."
* http://labs.m86security.com/2012/02/cutwail-drives-spike-in-malicious-html-attachment-spam/

** http://h-online.com/-1403253

:mad:
 
DNS Changer - Surrogate servers operation extension request filed

FYI...

DNS Changer - Surrogate servers operation extension request filed
- https://krebsonsecurity.com/2012/02/feds-request-dnschanger-deadline-extension/
Feb 22, 2012 - "... In a Feb. 17 filing with the U.S. District Court for the Southern District of New York, officials with the U.S. Justice Department, the U.S. Attorney for the Southern District of New York, and NASA asked the court to extend the March 8 deadline by more than four months to give ISPs, private companies and the government more time to clean up the mess. The government requested that the -surrogate- servers be allowed to stay in operation until July 9, 2012. The court has yet to rule on the request, a copy of which is available here (PDF)*... the six Estonian men arrested and accused of building and profiting from the DNSChanger botnet are expected to be extradited to face computer intrusion and conspiracy charges in the United States..."
* http://krebsonsecurity.com/wp-content/uploads/2012/02/dnschangerextension.pdf
___

DNS Changer Working Group (DCWG) - Check for DNS Changer >> http://dcwg.org/checkup.html

DNS Changer Eye Chart:
DNS configuration test pages (Eye-chart):
http://dns-ok.de/
http://dns-ok.fi
http://dns.ax
http://dns-ok.us ...
___

- http://www.internetidentity.com/new...ent-agencies-infected-with-dnschanger-malware
Feb 2, 2012 - "... IID found at least 250 of all Fortune 500 companies and 27 out of 55 major government entities had at least one computer or router that was infected with DNSChanger in early 2012..."

- https://www.computerworld.com/s/art...S_Changer_extension_to_keep_400K_users_online
Feb 22, 2012 - "... the substitute DNS servers were keeping an average of 430,000 unique IP addresses connected to the Web last month. Each IP address represented at least one computer, and in some cases, numerous machines..."

:fear::fear:
 
DDoS attacks - H2 2011

FYI...

DDoS attacks - H2 2011
- http://www.securelist.com/en/analysis/204792221/DDoS_attacks_in_H2_2011#p1
02.22.2012 - "... launched from computers located in 201 countries around the world... DDoS attack sources have changed... new leaders: Russia (16%), Ukraine (12%), Thailand (7%) and Malaysia (6%)... zombie computers from 19 other countries ranges between 2% and 4%..."
DDoS traffic sources by country – H2 2011: http://www.securelist.com/en/images/vlill/gar_nam_pic04_en.png

:mad::mad:
 
ZeuS-SpyEye P2P use – banking Trojans ...

FYI...

ZeuS-SpyEye P2P use – banking Trojans ...
- http://www.theregister.co.uk/2012/02/27/p2p_zeus/
27 Feb 2012 - "New variants of the Zeusbot/SpyEye cybercrime toolkit are moving away from reliance on command-and-control (C&C) servers towards a peer-to-peer architecture... Now cybercrooks have built functionality into Zeusbot/SpyEye that allows instructions to be distributed via P2P techniques as well, eliminating the need for C&C servers. Compromised systems are now capable of downloading commands, configuration files, and executables from other bots, a write-up by security researchers at Symantec explains*... tracking banking botnet activity and identifying the cybercrooks behind such networks is likely to become more difficult as a result of the architectural changes that have come with the latest version of ZeuS/SpyEye... Other changes to the malware creation toolkit include greater reliance on UDP communications – a stateless protocol that's harder to track and dump than TCP – as well as an extra encryption layer. Both ZeuS and SpyEye are best described as cybercrime toolkits that can be used for the creation of customised banking Trojans. The code base of the two former rivals was merged last year, leading to the creation of strains designed to target mobile banking customers..."
* http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet

:mad: :fear:
 
DNS Changer gets extension for infected PCs fix...

FYI...

DNS Changer gets extension for infected PCs fix...
- https://krebsonsecurity.com/2012/03/court-4-more-months-for-dnschanger-infected-pcs/
Mar 6, 2012 - "Millions of PCs sickened by a global computer contagion known as DNSChanger were slated to have their life support yanked on March 8. But an order handed down Monday by a federal judge will delay that disconnection by 120 days to give companies, businesses and governments more time to respond to the epidemic. The reprieve came late Monday, when the judge overseeing the U.S. government’s landmark case against an international cyber fraud network agreed that extending the deadline was necessary “to continue to provide remediation details to industry channels approved by the FBI”..."
___

DNS Changer Eye Chart:
New: http://www.dcwg.org/detect/

- https://www.us-cert.gov/current/#dnschanger_malware
April 24, 2012
___

Tool available for those affected by the DNS-Changer
- https://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199
Last updated: Feb 2, 2012 - "... a restart of Windows will be necessary after the execution of the tool and a successful repair."

Download Avira DNS Repair-Tool
- https://www.avira.com/files/support/FAQ_KB_Download_Files/EN/AviraDNSRepairEN.exe
___

- https://www.us-cert.gov/current/archive/2012/03/07/archive.html#operation_ghost_click_malware
updated March 7, 2012 - "... new deadline is July 9, 2012..."

:fear::fear:
 
Zeus botnets disrupted ...

FYI...

Zeus botnets disrupted ...
- https://blogs.technet.com/b/mmpc/ar...ers-disrupt-zeus-botnets.aspx?Redirected=true
25 Mar 2012 - "... This week, Microsoft has partnered with security experts and the financial services industry on a new action codenamed Operation b71* to disrupt some of the worst known botnets using variants of the notorious Zeus malware (which we detect as Win32/Zbot). Due to the complexities of these targets, unlike Microsoft’s prior botnet operations, the goal of this action was not the permanent shutdown of all impacted Zeus botnets. However, this action is expected to significantly impact the cybercriminals’ operations and infrastructure, advance global efforts to help victims regain control of their infected computers and also help further investigations against those responsible for the threat. The Zbot/Zeus threat has targeted the financial sector for quite some time... Millions of dollars of fraud are a result of this family of threat and it has taken cross-industry collaboration to take effective action against it. Microsoft has partnered with FS-ISAC, NACHA, Kyrus Tech, F-Secure and others to disrupt a large portion of the command and control infrastructure of various botnets using Zbot, Spyeye and Ice IX variants of the Zeus family of malware... MMPC is committed to partnering across the industry to help disrupt threats to the Internet and our customers. We will have more to share on Project MARS and related operations as we move forward."
* https://blogs.technet.com/b/microso...ations-from-zeus-botnets.aspx?Redirected=true

- https://www.f-secure.com/weblog/archives/00002337.html
March 26, 2012 - "... abuse.ch's ZeuS Tracker* are currently reporting 350 C&C servers online, so there's plenty more work to be done..."
* https://zeustracker.abuse.ch/index.php
___

- http://www.theinquirer.net/inquirer/news/2163487/microsoft-attacks-worst-zeus-botnets
Mar 26 2012 - "... Microsoft said it has detected more than 13 million suspected infections of this malware worldwide..."
- http://www.theregister.co.uk/2012/03/26/zeus_botnet_takedown/
March 26, 2012
- https://www.nytimes.com/2012/03/26/technology/microsoft-raids-tackle-online-crime.html
March 26, 2012

:fear: :bigthumb:
 
Kelihos.B botnet sinkholed...

FYI...

Kelihos.B botnet sinkholed...
- http://blog.crowdstrike.com/2012/03/p2p-botnet-kelihosb-with-100000-nodes.html
March 28, 2012 - "... CrowdStrike has teamed up with security experts from Dell SecureWorks, the Honeynet Project and Kaspersky to take out a peer-to-peer botnet which we believe is the newest offspring of a family that has been around since 2007: Kelihos.B, a successor of Kelihos, Waledac and the Storm Worm. Traditionally, the botnets in this family are known for spamming, but the newest version is also capable of stealing bitcoin wallets from infected computers... Just like its brothers, Kelihos.B relies on a self-organizing, dynamic peer-to-peer topology to make its infrastructure more resilient against takedown attempts. It further uses a distributed layer of command-and-control servers with hosts registered in countries like Sweden, Russia, and Ukraine that are in turn controlled by the botmaster... We are working with our partners to inform ISPs about infections in their network and make sure that Kelihos.B remains safely sinkholed..."

- https://krebsonsecurity.com/2012/03/researchers-clobber-khelios-spam-botnet/
March 28, 2012

OS versions - botted w/Kelihos.B
- https://www.securelist.com/en/images/pictures/klblog/208193433.jpg
Bot locations:
- https://www.securelist.com/en/images/pictures/klblog/208193434.jpg

- http://www.darkreading.com/taxonomy/index/printarticle/id/232700418
Mar 28, 2012

- http://www.secureworks.com/research/threats/waledac_kelihos_botnet_takeover/
28 March 2012

- https://www.virustotal.com/file/c69...56c84edb1244c00f20ad0653619909e3aae/analysis/
File name: db95341667fb5e5553a1cb0113e21205
Detection ratio: 13/42
Analysis date: 2012-03-27 19:51:52 UTC
- https://www.virustotal.com/file/9da...2917766601964495971eaab569f8764da4c/analysis/
File name: 84cbcfababd4eafd1a8a4872b9169362
Detection ratio: 15/42
Analysis date: 2012-03-27 20:06:04 UTC

:fear::fear:
 
Kelihos.B - still live and social

FYI...

Kelihos.B - still live and social
- http://blog.seculert.com/2012/03/kelihosb-is-still-live-and-social.html
March 29, 2012 - "... Several weeks ago, Seculert discovered that Kelihos.B had found a new and "social way" to expand, using an already-known social worm malware*, but now it had started targeting Facebook users... Up to now Seculert has identified more than 70,000 Facebook users that are infected with the Facebook worm, and sending the malicious links to their Facebook friends...
[Pie chart/infections by country]: http://3.bp.blogspot.com/-h4itoyKTpV4/T3QgNunuEGI/AAAAAAAAAFo/s4gAjtY2SrQ/s1600/fbwormstats.png
... at the time of this writing, Seculert can still see that Kelihos is being spread using the Facebook worm. Also, there is still communication activity of this malware with the Command-and-Control servers through other members of the botnet. This means that the Kelihos.B botnet is still up and running. It is continuously expanding with new infected machines, and actively sending spam. Some might call this "a new variant", or Kelihos.C. However, as the new infected machines are operated by the same group of criminals, which can also regain access to the sinkholed bots through the Facebook worm malware, we believe that it is better to still refer to this botnet as Kelihos.B."
* http://blog.emsisoft.com/2011/04/19/download-photoalbum-another-variant-of-i-got-u-surprise/

:mad: :sad:
 
Mac botnet 550,000 strong

FYI...

550,000 strong Mac botnet
- http://news.drweb.com/?i=2341&c=5&lng=en&p=0
April 4, 2012 - "... Attackers began to exploit CVE-2011-3544 and CVE-2008-5353 vulnerabilities to spread malware in February 2012, and after March 16 they switched to another exploit (CVE-2012-0507)... Over 550,000 infected machines running Mac OS X have been a part of the botnet on April 4. These only comprise a segment of the botnet set up by means of the particular BackDoor.Flashback* modification. Most infected computers reside in the United States (56.6%, or 303,449 infected hosts), Canada comes second (19.8%, or 106,379 infected computers), the third place is taken by the United Kingdom (12.8% or 68,577 cases of infection) and Australia with 6.1% (32,527 infected hosts) is the fourth..."
* http://vms.drweb.com/search/?q=BackDoor.Flashback

Charted: https://st.drweb.com/static/new-www/news/2012/april/map2.1.png

- https://www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed
April 06, 2012 Kaspersky - "... we were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID, we were able to calculate the number of active bots. Our logs indicate that a total of 600 000+ unique bots connected to our server in less than 24 hours. They used a total of 620 000+ external IP addresses... More than 98% of incoming network packets were most likely sent from Mac OS X hosts. Although this technique is based on heuristics and can’t be completely trusted, it can be used for making order-of-magnitude estimates. So, it is very likely that most of the machines running the Flashfake bot are Macs..."
___

- https://krebsonsecurity.com/2012/04/urgent-fix-for-zero-day-mac-java-flaw/
April 4th, 2012

Trojan-Downloader:OSX/Flashback.I
- https://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml
Detection Names: Exploit:Java/Flashback.I, Trojan-Downloader:OSX/Flashback.I, Trojan:OSX/Flashback.I, Backdoor: OSX/Flashback.I
Category: Malware
Type: Trojan-Downloader
Platform: OSX
"... Manual Removal... recommended only for advanced users..."

:mad:
 