Pandemic of the Botnets 2013

2013-01-18, 17:51

Virut botnet takedown ...
- https://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/
Jan 18, 2013 - "Security experts in Poland on Thursday quietly seized domains used to control the Virut botnet, a huge army of hacked PCs that is custom-built to be rented out to cybercriminals... Some of the domains identified in the takedown effort — including ircgalaxy .pl and zief .pl — have been used as controllers for nearly half a decade. During that time, Virut has emerged as one of the most common and pestilent threats... The action against Virut comes just days after Symantec warned that Virut had been used to redeploy Waledac, a spam botnet that was targeted in a high-profile botnet takedown by Microsoft in 2010... Virut is often transmitted via removable drives and file-sharing networks. But in recent years, it has become one of the most reliable engines behind massive malware deployment systems known as pay-per-install (PPI) networks... It’s not clear how the actions by NASK will impact the long-term operations of the Virut botnet. Many of Virut’s control servers are located outside the reach of NASK, at Russian top-level domain name registrars (.ru). Also, Virut has a failsafe mechanism built to defeat targeted attacks on its infrastructure..."

Botnets Are Everywhere – See How They Spread ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/botnets-are-everywhere-see-how-they-spread-in-trend-micro-global-botnet-map/
Jan 14, 2013 - "Cybercriminals today create and use botnets to perpetrate their criminal activities. Whether it is to send out Blackhole Exploit Kit spam or to use as entry points into organizations, the one constant is that most bots (victim computers) communicate back and forth with command and control (C&C) servers... we’re publishing a new global map* showing active C&C servers, highlighted by red dots, and bots (victim computers), highlighted by blue dots, to show you where these botnets are located in the world..."
* http://www.trendmicro.com/us/security-intelligence/current-threat-activity/global-botnet-map/index.html

- http://www.symantec.com/connect/blogs/snapshot-virut-botnet-after-interruption
7 Jan 2013 - "... the Virut botnet is estimated at approximately 308,000 unique compromised computers that are active on a given day..."


2013-01-24, 16:03

Gozi takedown - and its distributor
- http://arstechnica.com/security/2013/01/how-the-feds-put-a-bullet-in-a-bulletproof-web-host/
Jan 24, 2013 - "... starting in 2010, the FBI launched an investigation. It didn't take long to find Gozi's creator, a 25-year-old Moscow resident named Nikita Kuzmin. By November 2010, Kuzmin had been arrested during a trip to the US; by May 2011 he pleaded guilty and agreed to forfeit his Gozi earnings, which might reach up to $50 million. Deniss Čalovskis, the 27-year-old Latvian man who allegedly coded the Web injects and customized them for various banks, was picked up by Latvian police in November 2012. But it was the bulletproof host behind Gozi who turned out to be the most interesting catch — and who took longest to reel in... FBI agents collected an incredible trove of data on the Gozi conspirators. According to court documents, this data cache included wiretaps, seized servers, an interview with a Gozi distributor, and even a host of chat logs lifted from a server used by the criminals behind Gozi. Despite all that, in the end what brought down the bulletproof host was as simple as a cell phone number. With the number in hand, the FBI worked with the Romanian Police Directorate for Combating Organized Crime (DCCO), since the number was based in Bucharest. The DCCO obtained court permission to tap the phone, then agents listened to calls, watched text messages, and intercepted Web addresses and passwords entered on the handset for three months in the spring of 2012... Last month, Romanian police arrested him, bringing the Gozi story to a close. The US government revealed the three arrests today. They unsealed indictments against Kuzmin, Čalovskis, and Paunescu which make clear just how young all three men were when the alleged criminal behavior began. Kuzmin got started with Gozi back in 2005, when he was just 18. Čalovskis was allegedly involved since he was 20. Paunescu is only 28 now, and has allegedly been in the bulletproof hosting business for years. Kuzmin pleaded guilty and will be sentenced in the US, where he faces a maximum 95 years in prison. Extradition proceedings are underway for the other two, who could each face a max of 60 years in a US cell."
> https://en.wikipedia.org/w/index.php?title=Gozi_%28Trojan_horse%29#Description

- https://krebsonsecurity.com/2013/01/three-men-charged-in-connection-with-gozi-trojan/
Jan 23, 2013 - "... Web injects for Gozi and for customers of the ZeuS Trojan..."

- https://www.abuse.ch/?p=3294

- http://preview.tinyurl.com/audxmfh
Jan 23, 2013 - FBI.gov

- http://www.justice.gov/usao/nys/pressreleases/January13/GoziVirusPR.php
Jan 23, 2013


2013-02-06, 22:25

Bamital takedown
- http://www.symantec.com/connect/blogs/bamital-bites-dust
Feb 6, 2013 - "Today we are pleased to announce the successful takedown of the Bamital botnet. Symantec has been tracking this botnet since late 2009 and recently partnered with Microsoft to identify and shut down all known components vital to the botnet's operation. Bamital is a malware family whose primary purpose is to hijack search engine results, redirecting clicks on these results to an attacker-controlled command-and-control (C&C) server. The C&C server redirects these search results to websites of the attackers' choosing. Bamital also has the ability to click on advertisements without user interaction. This results in poor user experience when using search engines along with an increased risk of further malware infections. Bamital’s origin can be tracked back to late 2009 and has evolved through multiple variations over the past couple of years. Bamital has primarily propagated through drive-by-downloads and maliciously modified files in peer-to-peer (P2P) networks. From analysis of a single Bamital C&C server over a six-week period in 2011 we were able to identify over 1.8 million unique IP addresses communicating with the server, and an average of three million clicks being hijacked on a daily basis... Clickfraud, the name used for the type of fraud committed by Bamital, is the process of a human or automated script emulating online user behavior and clicking on online advertisements for monetary gain. Bamital redirected end users to ads and content which they did not intend to visit. It also generated non-human initiated traffic on ads and websites with the intention of getting paid by ad networks. Bamital was also responsible for redirecting users to websites peddling malware under the guise of legitimate software... Bamital is just one of many botnets that utilize clickfraud for monetary gain and to foster other cybercrime activities. Many of the attackers behind these schemes feel they are low risk as many users are unaware that their computers are being used for these activities. This takedown sends a message to those attackers that these clickfraud operations are being monitored and can be taken offline..."

- http://blogs.technet.com/b/security/archive/2013/02/06/b58-botnet-takedown-crushes-search-hijacking-and-click-fraud-scams.aspx?Redirected=true
6 Feb 2013

- http://h-online.com/-1799528
7 Feb 2013


2013-04-08, 20:57

Botnet - spreading Android trojans
- http://h-online.com/-1837356
8 April 2013 - "The Cutwail botnet, which has already been spreading the banking trojan known as Zeus, is now also trying to pass around a new Android trojan called Stels. Stels infects Android devices by pretending to be an update for Adobe Flash Player***. In case potential victims aren't on an Android device, the developers of the malware have come up with a backup plan – if the dangerous -spam- links are opened in a browser, such as Internet Explorer, on a desktop or laptop computer, users are redirected to web pages where the Blackhole exploit kit lies in wait. A security team at Dell has published a more detailed analysis* of the attack scenario..."
* http://www.secureworks.com/cyber-threat-intelligence/threats/stels-android-trojan-malware-analysis/
"The Stels malware is a multi-purpose Android Trojan horse that can harvest a victim's contact list, send and intercept SMS (text) messages, make phone calls (including calls to premium numbers), and install additional malware packages... Many of the campaigns have used the IRS as a lure** due to the March 15 corporate tax return deadline and the April 15 individual tax return filing deadline..."
** http://www.secureworks.com/assets/image_store/png/page.intelligence.threats.stels.1.png

*** http://www.secureworks.com/assets/image_store/png/page.intelligence.threats.stels.2.png

- http://www.f-secure.com/weblog/archives/00002539.html
April 8, 2013


2013-04-12, 22:59

WordPress Botnet from Brute Force Attacks...
- https://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/
12 April 2013 - "Security experts are warning that an escalating series of online attacks designed to break into poorly-secured WordPress blogs is fueling the growth of an unusually powerful botnet currently made up of more than 90,000 Web servers... Over the past week, analysts from a variety of security and networking firms have tracked an alarming uptick in so-called “brute force” password-guessing attacks against Web sites powered by WordPress, perhaps the most popular content management system in use today... According to Web site security firm Incapsula, those responsible for this crime campaign are scanning the Internet for WordPress installations, and then attempting to log in to the administrative console at these sites using a custom list of approximately 1,000 of the most commonly-used username and password combinations. Incapsula co-founder Marc Gaffan told KrebsOnSecurity that infected sites will be seeded with a backdoor that lets the attackers control the site remotely (the backdoors persist regardless of whether the legitimate site owner subsequently changes his password). The infected sites then are conscripted into the attacking server botnet, and forced to launch password-guessing attacks against other sites running WordPress. Gaffan said the traffic being generated by all this activity is wreaking havoc for some Web hosting firms... this was the message driven home Thursday in a blog post from Houston, Texas based HostGator*, one of the largest hosting providers in the United States. The company’s data suggests that the botnet of infected WordPress installations now includes more than 90,000 compromised sites..."

* http://blog.hostgator.com/2013/04/11/global-wordpress-brute-force-flood/
April 11, 2013

- http://blog.cloudflare.com/patching-the-internet-fixing-the-wordpress-br
April 11, 2013

- https://www.us-cert.gov/ncas/current-activity/2013/04/15/WordPress-Sites-Targeted-Mass-Brute-force-Botnet-Attack
April 15, 2013

- http://atlas.arbor.net/briefs/index#-1593163055
Elevated Severity
April 15, 2013
Large-scale attacks on WordPress sites could indicate that a large botnet with high-bandwidth is being built.
Analysis: The ongoing financial sector attacks launched as part of Operation Ababil illustrate the damage that can be caused by attackers obtaining access to thousands of web-hosting servers and using them in a coordinated DDoS attack. Compared to botnets composed largely of compromised broadband-connected machines, the additional bandwidth available to most hosting providers and IDCs is attractive to attackers. There is no direct evidence that suggests exactly how these WordPress sites are ultimately intended to be used; however, the methodology of attacking web platforms such as WordPress with weak passwords is very similar to the technique put into place by the actors behind Operation Ababil, who have leaned heavily upon Joomla installations to build their botnet. Strong credentials should be used proactively, and network monitoring for the Command & Control server should be put into place. Arbor customers may leverage the recent ATF policy Backdoor.WordPress.FilesMan to alert on flows involving this Command & Control server.
Additional references: http://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/
- http://nakedsecurity.sophos.com/2013/04/13/wordpress-blogs-and-more-under-global-attack-check-your-passwords-now/
- http://vr-zone.com/articles/internet-security-experts-worry-of-super-botnet-attack-via-wordpress-servers/19672.html


2013-04-23, 04:25

WordPress Brute-Force attacks affect Thousands of Sites
- http://blog.trendmicro.com/trendlabs-security-intelligence/brute-force-wordpress-attacks-affect-thousands-of-sites/
April 22, 2013 - "... large-scale brute force attack. These attacks use brute-force techniques to log into WordPress dashboards and plant malicious code onto compromised blogs and websites. It’s important to note what these attacks aren’t. They are not compromising WordPress blogs using known vulnerabilities in unpatched versions; if anything this current attack is less sophisticated than that – it merely tries to log into the default admin account with various passwords. If it is successful in logging in, it adds code for Blackhole Exploit Kit redirection pages to the blog. We have been monitoring these attacks, and we can confirm that they are indeed taking place. Because they add distinctive URLs to the blogs they have compromised, we can identify the scale of this attack... Over a one-day period, we identified more than 1,800 distinct sites that had been compromised by this attack. This represents a significant increase over the typical number of compromised WordPress sites that we encounter over the same period, highlighting the increased activity related to this particular campaign. Both users and site administrators can help mitigate threats like these. This particular attack only targeted administrator accounts that had -not- changed their default login name (admin). It is advisable that users change this to another login name of their choice. These and other steps to mitigate against this attack are outlined in WordPress’s online manual*..."
* http://codex.wordpress.org/Brute_Force_Attacks
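The campaign described in the two WordPress posts above (Krebs, April 12, and Trend Micro, April 22) leaves a plain trace in the web server's own logs: a burst of POSTs to wp-login.php from one source, possibly followed by a successful login. The detector below is an added example for this thread, not code from either post or from WordPress; it assumes combined-format access logs, a constructed sample, thresholds that you would tune for your site, and that a successful WordPress login answers with a 302 redirect while a failed one re-renders the form with a 200.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_bruteforce(lines, window_s=60, threshold=10):
    """Return {ip: {"peak": n, "success_after_burst": bool}} for every source
    that POSTed to /wp-login.php at least `threshold` times inside any
    `window_s`-second window. Lines are assumed to be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs in window
    report = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ip = rec["ip"]
        q = recent[ip]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:   # slide window
            q.popleft()
        entry = report.setdefault(ip, {"peak": 0, "success_after_burst": False})
        entry["peak"] = max(entry["peak"], len(q))
        # Assumption about WordPress: a failed login re-renders the form (200),
        # a successful one redirects to /wp-admin/ (302). A 302 in the middle
        # of a burst is the case the posts warn about: a guess worked, and the
        # backdoor drop is likely the next request.
        if rec["status"] == "302" and len(q) >= threshold:
            entry["success_after_burst"] = True
    return {ip: e for ip, e in report.items() if e["peak"] >= threshold}

def _mk(ip, sec, method="POST", path="/wp-login.php", status=200):
    """Build one constructed combined-format log line at 10:00:<sec>."""
    return (f'{ip} - - [15/Apr/2013:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"')

# Constructed sample: 203.0.113.7 fires 12 failed login POSTs over 22 s and
# then succeeds; 198.51.100.4 browses and logs in once.
SAMPLE_LOG = [_mk("203.0.113.7", s) for s in range(0, 24, 2)]
SAMPLE_LOG.append(_mk("203.0.113.7", 26, status=302))
SAMPLE_LOG += [_mk("198.51.100.4", 5, "GET", "/", 200),
               _mk("198.51.100.4", 9, status=302)]

if __name__ == "__main__":
    for ip, e in find_bruteforce(SAMPLE_LOG).items():
        print(ip, e)
```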


2013-05-20, 13:14

Pushdo: Latest Variant ...
- http://www.secureworks.com/assets/pdf-store/other/mv20.pdf
05/15/13 - "... The Pushdo botnet is a “downloader” (or loader) primarily used to download and install the Cutwail spam bot. Pushdo is also aware of the IP address and geographical location of its victims. This allows the botmasters to target specific countries/areas for infections. The malware is also known to keep track of anti-virus products and firewall processes running on the system, which can be reported back to the C&C... The author of Pushdo made the botnet more robust by adding a DGA component* as the backup C&C method. This DGA attempts to contact 1,380 domains per day. The adoption of a DGA-based backup mechanism allows the botmaster to be more resilient against takedown efforts. The backup mechanism trivially defeats detection methods based on sandboxing and signatures. Within the last two years Damballa Labs noted that Zeus, TDSS/TDL and now Pushdo are all employing DGAs in some aspects of their communications. Furthermore, the inclusion of RSA cryptography ensures that defenders will not be able to use the domains created by the DGA to take control of the botnet (e.g., by pushing a removal tool). Pushdo also utilizes a fake traffic generator to hide both its own C&C traffic and Cutwail’s C&C traffic. The actual malware payload from Pushdo’s C&C is encrypted and hidden within a fake JPEG image file embedded in HTML scraped from legitimate websites. The noisy traffic generator combined with the real C&C server using a fake image file for payloads shows the Pushdo botnet controller’s commitment to make identification of the real C&C servers more difficult."
* Domain name generation algorithm (DGA)

- http://www.theregister.co.uk/2013/05/17/pushdo_extra_stealth/
17 May 2013 - "... Pushdo has been used to distribute other malware such as ZeuS and SpyEye, as well as conduct spam/phishing campaigns with its Cutwail module. Despite four takedowns in five years of Pushdo command-and-control servers, the botnet (believed to be run by a single Eastern European hacker group) endures. The malware is responsible for between 175,000 and 500,000 active bots on any given day. The botnet is typically used to deliver malicious emails with links to websites that foist banking Trojans upon unsuspecting victims. Sometimes, the messages are made to look like credit card statements or they contain an attachment disguised as an order confirmation..."

- https://atlas.arbor.net/briefs/index#313945818
Elevated Severity
May 16, 2013
PushDo, a long-lived malware family that is most known for distributing the Cutwail spambot, has evolved. Network defenders should be aware of the changes.
Analysis: Some of the most serious uses of the Cutwail spambot involve the distribution of spam e-mail that helps spread the Zeus banking malware. Since Cutwail and PushDo are so closely related, anyone detecting either should look deeper in order to gain the full incident response picture. Various types of obfuscation and encryption are nothing new for malware - even older malware using such tactics still flies beneath the radar of most - and we see a good example of such tactics in the PushDo evolution...

- https://www.trustwave.com/support/labs/spam_statistics.asp
Statistics for Week ending May 12, 2013


2013-05-22, 19:54

The Andromeda spam botnet
- http://blog.trendmicro.com/trendlabs-security-intelligence/keeping-up-with-the-andromeda-botnet/
May 22, 2013 - "... The Andromeda botnet is a spam botnet that delivers GAMARUE variants, which are known backdoors and have a noteworthy way of propagating via removable drives. We’ve been keeping track of the GAMARUE infection for the past weeks and observed some noteworthy activities. For the past 30 days, we noticed a sudden spike of its variants on May 17. In particular, there was an 82% increase from May 16 – May 17 and another 32% on May 18. A significant bulk of these malware, specifically 63%, are WORM_GAMARUE variants.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/05/gamarue-chart-30days-copy.jpg
... the bulk of infection came from Australia. Last year, Germany was also one of the most GAMARUE-affected countries. However, just months after my first post, we are seeing a trend in which a majority of WORM_GAMARUE variants are affecting India, Turkey, and Mexico.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/05/Andromeda-graph-distribution-1.jpg
... the botnet is still active and poses risks to users... we concluded that during this quarter, cybercrime was characterized by old threats made new. The Andromeda spam botnet is a good example of this trend, this time with the aid of the Blackhole Exploit kits (BHEK) and some new tricks. This threat arrives as a spammed message containing a malicious attachment (GAMARUE variants) or links leading to certain sites, which now include those compromised by the notorious Blackhole Exploit kit. GAMARUE variants are known to propagate via removable drives. They also drop component files instead of copies of themselves to make detection difficult. Taking a cue from threats like DUQU and KULUOZ, GAMARUE variants also use certain APIs to inject themselves into normal processes to evade detection... Because some Andromeda-related spam messages eerily look like legitimate email notifications from vendors, the usual criteria for determining spam are not sufficient..."


2013-05-23, 22:37

ZeuS/ZBOT - Q1-2013
- http://blog.trendmicro.com/trendlabs-security-intelligence/zeuszbot-malware-shapes-up-in-2013/
May 23, 2013 - "... info-stealing ZeuS/ZBOT variants are reemerging with a vengeance, with increased activity and a different version of the malware seen this year... The 1Q of the year proved this thesis, as seen in threats like CARBERP and Andromeda botnet. We can now include the data-stealing malware ZeuS/ZBOT to this roster of old-but-new threats, which we’ve noted to have increased these past months...
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/05/ZBOT-2013.jpg
As seen in this chart, ZBOT variants surged in the beginning of February and continued to be active up to this month. It even peaked during the middle of May 2013. These malware are designed to steal online credentials from users, which can be banking credentials/information or other personally identifiable information (PII). Early generations of ZBOT variants create a folder in the %System% folder where they save the stolen data and configuration file. Users can also find a copy of the malware in the said folder. These ZBOT versions modify the Windows hosts file to prevent users from accessing security-related websites. The strings appended to the hosts file can be seen in the downloaded configuration file. Examples of earlier ZBOT versions include TSPY_ZBOT.SMD and TSPY_ZBOT.XMAS. Current ZBOT variants were observed to create two random-named folders in the %Application Data% folder. One folder contains the copy of ZBOT while the other folder contains encrypted data. An example of this is TSPY_ZBOT.BBH, which was found to be the top variant globally, based on Smart Protection Network data. ZBOT malware of this generation are found to be mostly either Citadel or GameOver variants. Unlike earlier versions, the mutex name is randomly generated. Both variants send DNS queries to randomized domain names. The difference in the GameOver variant is that it opens a random UDP port and sends encrypted packets before sending DNS queries to randomized domain names... old threats like ZBOT can always make a comeback because cybercriminals profit from these. Peddling stolen banking and other personal information from users is a lucrative business in the underground market. Plus, these crooks can use your login credentials to initiate transactions in your account without your consent. Thus, it is important to be careful in opening email messages or clicking links. Bookmark trusted sites and avoid visiting unknown ones..."


2013-06-06, 04:28

Citadel botnets shutdown
- http://www.reuters.com/article/2013/06/06/net-us-citadel-botnet-idUSBRE9541KO20130606
Jun 5, 2013 - "Microsoft Corp and the FBI, aided by authorities in more than 80 countries, have launched a major assault on one of the world's biggest cyber crime rings, believed to have stolen more than $500 million from bank accounts over the past 18 months. Microsoft said its Digital Crimes Unit on Wednesday successfully took down at least 1,000 of an estimated 1,400 malicious computer networks known as the Citadel Botnets. Citadel infected as many as 5 million PCs around the world and, according to Microsoft, was used to steal from dozens of financial institutions, including: American Express, Bank of America, Citigroup, Credit Suisse, eBay's PayPal, HSBC, JPMorgan Chase, Royal Bank of Canada and Wells Fargo. While the criminals remain at large and the authorities do not know the identities of any ringleaders, the internationally coordinated take-down dealt a significant blow to their cyber capabilities...
> http://pdf.reuters.com/pdfnews/pdfnews.asp?i=43059c3bf0e37541&u=2013_06_05_07_16_546bcd8b80e14ca5af82ac1fbe474629_PRIMARY.jpg
... According to Microsoft, Citadel was used to steal more than $500 million from banks in the United States and abroad, but the company did not specify losses at individual accounts or firms. The American Bankers Association, one of three financial industry groups that worked with Microsoft, said any success in reducing the number of active Citadel Botnets will reduce future losses incurred by banks and their customers... Of the more than 1,000 botnets that were shut down on Wednesday, Microsoft said 455 were hosted in 40 data centers in the United States. The rest were located in dozens of countries overseas. Technicians from Microsoft, accompanied by U.S. Marshals, visited two U.S. data centers in Scranton, Pennsylvania and Absecon, New Jersey to collect forensic evidence..."

- https://www.microsoft.com/en-us/news/Press/2013/Jun13/06-05DCUPR.aspx
June 5, 2013

- https://net-security.org/malware_news.php?id=2511

- http://www.symantec.com/connect/blogs/citadel-s-defenses-breached
6 Jun 2013
- https://www.symantec.com/connect/sites/default/files/users/user-1562681/Citadel_Propagation_522px.png
Charted: Citadel infections from January to June 2013

- http://h-online.com/-1884174
6 June 2013

Microsoft: 88 Percent of Citadel Botnets Down
- https://blogs.technet.com/b/microsoft_on_the_issues/archive/2013/07/25/public-private-partnerships-essential-to-fighting-cybercriminals.aspx?Redirected=true
25 Jul 2013 - "... we have been able to significantly diminish Citadel’s operation, rescue victims from the threat... According to our data, as of July 23, our coordinated action against the threat has disrupted roughly 88 percent of the Citadel botnets operating worldwide..."


2013-08-28, 14:21

Kelihos botnet: What victims can expect
- http://research.zscaler.com/2013/08/kelihos-botnet-what-victims-can-expect.html
August 27, 2013 - "There has been a recent surge in security blogs* warning users** to be extra cautious of a new spin on an old threat. Kelihos is a botnet which utilizes P2P communication to maintain its CnC Network. With all of the attention around Kelihos, it should be no surprise that 30/45 AV vendors*** are detecting the latest installer... a now infamous iteration of this botnet installer in action. In particular, I found a file called "rasta01.exe"... the use of P2P style communication via SMTP raised an eyebrow. This particular instance called out to 159 distinct IP addresses... Secondly, we observed the overt way the botnet installs several packet capturing utilities and services. This is done so that the infection can monitor ports 21, 25, and 110 for username and password information... Next, I noticed that the botnet attempts to categorize its new victim by using legitimate services to gather intelligence. In this instance, the malicious file actually queried the victim IP address on Barracuda Networks, SpamHaus, Mail-Abuse, and Sophos. These services primarily exist to notify users of abuse seen on the site or IP address. Kelihos is using it to determine if the new victim is already seen as malicious or not. If the victim isn't seen in the CBLs (Composite Block Lists) yet, then it may be used as either a Proxy C&C or Spam-bot... A final point to make about this threat is that it makes no attempt to hide exactly how loud it is regarding network activity. We noted a spike in TCP traffic across a distinct 563 IP addresses in the span of two minutes. Network administrators should take extra care in monitoring users with anomalous levels of traffic. A single node giving off so much traffic to different services in such a small window could be used to identify potential victims."
* http://www.lavasoft.com/mylavasoft/malware-descriptions/blog/update-on-kelihos-botnet-august-2013

** http://malwaremustdie.blogspot.com/2013/08/the-quick-report-on-48hours-in-battle.html

*** https://www.virustotal.com/en/file/7857aee14778ed2af7918fd2ca4e09660347510bc7ae2d81646202adb8a9e3b1/analysis/
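The Zscaler post above ends with the practical lead: one infected node reached 563 distinct IP addresses in two minutes, far more than any normal workstation. The detector below turns that into a sliding-window fan-out check over flow records; it is an added example for this thread, not Zscaler's code. It assumes time-ordered (timestamp, src, dst, dst_port) tuples as exported by NetFlow or a similar sensor, treats RFC 1918 space as internal, uses a constructed sample, and its window and threshold are assumptions to tune per network.

```python
from collections import Counter, defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumption: RFC 1918 space is "inside"; everything else is external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def fanout_alerts(flows, window_s=120, threshold=100, ports=None):
    """flows: iterable of (ts_seconds, src, dst, dst_port), time-ordered.
    Returns {src: peak number of distinct external destinations seen within
    any window_s-second window} for internal sources reaching threshold.
    ports, if given, restricts counting to those destination ports
    (e.g. {25} to watch the SMTP-style peer traffic the post describes)."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs inside the window
    live = defaultdict(Counter)   # src -> dst -> flows inside the window
    peak = defaultdict(int)
    for ts, src, dst, port in flows:
        if not is_internal(src) or is_internal(dst):
            continue              # only internal -> external flows count
        if ports is not None and port not in ports:
            continue
        recent[src].append((ts, dst))
        live[src][dst] += 1
        # slide the window: expire flows older than window_s, and drop a
        # destination from the distinct set once none of its flows remain
        while ts - recent[src][0][0] > window_s:
            old_ts, old_dst = recent[src].popleft()
            live[src][old_dst] -= 1
            if live[src][old_dst] == 0:
                del live[src][old_dst]
        peak[src] = max(peak[src], len(live[src]))
    return {s: n for s, n in peak.items() if n >= threshold}

def sample_flows():
    """Constructed sample: 10.0.0.5 contacts 150 distinct external hosts on
    TCP 25 within 75 s (a Kelihos-like burst); 10.0.0.9 talks to the same
    3 HTTPS hosts repeatedly over 90 s; an external host scanning inward is
    present but must be ignored."""
    flows = [(i * 0.5, "10.0.0.5", f"198.51.100.{i + 1}", 25) for i in range(150)]
    flows += [(j * 3.0, "10.0.0.9", f"192.0.2.{j % 3 + 1}", 443) for j in range(30)]
    flows += [(k * 1.0, "203.0.113.9", "10.0.0.5", 445) for k in range(50)]
    return sorted(flows)

if __name__ == "__main__":
    print(fanout_alerts(sample_flows()))
```

The 203.0.113.x and 198.51.100.x addresses are documentation ranges used only for the sample; note that `ipaddress.is_private` would classify those ranges as non-global, which is why the example matches RFC 1918 networks explicitly instead.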


2013-10-01, 00:27

Symantec sinkholes half-million in ZeroAccess Botnet
- http://www.darkreading.com/attacks-breaches/symantec-sinkholes-chunk-of-massive-clic/240162016?printer_friendly=this-page
Sep 30, 2013 - "... Symantec has intercepted and redirected more than a half-million machines infected by the pervasive click-fraud botnet ZeroAccess, one of the world's largest botnets. In a race to get one step ahead of the botnet operators, researchers at Symantec made the move to sinkhole ZeroAccess bots when they discovered the botnet's operators were about to push a new version of the malware that fixed weaknesses to allow the botnet to be intercepted and sinkholed... ZeroAccess, which typically boasts some 1.9 million bots and has been in operation since at least 2011, is second in size only to Conficker, which, although dormant, is still spreading around the globe. ZeroAccess is, however, the biggest peer-to-peer botnet, according to Symantec. P2P botnets are tougher to tame because infected machines communicate directly to one another for updates and instructions; there is no central command-and-control that can be taken down by researchers or law enforcement. Symantec began working on ways to sinkhole the botnet this spring and, on June 29, spotted a new version of ZeroAccess malware being spread through the P2P botnet. The new version included fixes for two key design flaws in the malware that, if exploited, would have made sinkholing a snap: specifically, a relatively small list of IPs a bot can communicate with, as well as internal code that left the door open for introducing a rogue IP address - such as a sinkhole - to the bot... The majority of the infected ZeroAccess bots are consumer machines, anywhere from 80 to 90 percent, and Symantec has been working with ISPs and CERTs around the world to share information about the botnet so the infected machines can be cleaned up. Symantec also shared information on ZeroAccess bots that it wasn't able to sinkhole but were communicating with ones it captured. ZeroAccess's main moneymaking method is click fraud. The ZeroAccess gang makes tens of millions of dollars a year on these scams, which basically infect unsuspecting users with the malware that generates phony clicks on false ads for payment. Symantec tested the activity of a click-fraud bot and found that each bot generates about 257 MB of traffic every hour, some 6.1 GB a day, as well as 42 false ad clicks an hour, or 1,008 per day. A click is worth about a penny, but with 1.9 million bots, it quickly becomes lucrative, according to Symantec. ZeroAccess is a Trojan that employs a rootkit to remain under the radar. It typically spreads via compromised websites in a drive-by download attack and uses the Blackhole Exploit Toolkit, as well as the Bleeding Life Toolkit... Symantec also notes similarities between ZeroAccess and TDL, a.k.a. TDSS and Tidserv... The attackers behind ZeroAccess are out of Eastern Europe, including Russia and the Ukraine, according to Symantec. Seventy to 80 percent of them are based in Eastern Europe, and Russia... ZeroAccess also had previously been used for Bitcoin-mining, but the gang earlier this year got out of that business and doubled down on its click-fraud activities."
* http://www.symantec.com/connect/blogs/grappling-zeroaccess-botnet


2013-12-06, 03:32

Zeroaccess botnet blocked ...
- https://www.europol.europa.eu/content/notorious-botnet-infecting-2-million-computers-disrupted
5 Dec 2013 - "A rampant botnet has been successfully disrupted in a transatlantic operation involving Europol’s European Cybercrime Centre (EC3) and law enforcement cybercrime units from Germany, Latvia, Luxembourg, Switzerland and the Netherlands as well as Europol’s European Cybercrime Centre (EC3). Furthermore the operation was supported by Microsoft Corporation’s Digital Crimes Unit and other technology industry partners. The targeted botnet, known as Zeroaccess, is responsible for infecting over 2 million computers worldwide, specifically targeting search results on Google, Bing and Yahoo search engines, and is estimated to cost online advertisers US$ 2.7 million each month. Today’s action is expected to have significantly disrupted the botnet’s operation, increasing the cost and risk for the cybercriminals to continue doing business and freeing victims’ computers from the malware. The botnet worked as a Trojan horse affecting Windows operating systems so that malware could be downloaded. Microsoft filed a civil suit against the cybercriminals operating the Zeroaccess botnet, and received authorisation to simultaneously -block- incoming and outgoing communications between computers located in the U.S. and the 18 identified Internet Protocol (IP) addresses being used to commit the fraudulent schemes. Due to Germany’s initiative Europol’s European Cybercrime Centre (EC3) coordinated a multi-jurisdictional criminal action targeting 18 IP addresses located in Europe. Thanks to the efforts of EC3 and the involved agencies search warrants and seizures on computer servers associated with the fraudulent IP addresses were executed in several of the involved countries..."

- http://krebsonsecurity.com/2013/12/zeroaccess-botnet-down-but-not-out/
Dec 5, 2013 - "... The malware that powers the botnet, also known as “ZAccess” and “Sirefef,” is a complex threat that has evolved significantly since its inception in 2009. It began as a malware delivery platform that was used to spread other threats, such as fake antivirus software (a.k.a. “scareware”). In recent years, however, the miscreants behind ZeroAccess rearchitected the botnet so that infected systems were forced to perpetrate a moneymaking scheme known as “click fraud” — the practice of fraudulently generating clicks on ads without any intention of fruitfully interacting with the advertiser’s site..."

- http://www.botnetlegalnotice.com/zeroaccess/


2013-12-07, 14:02

Suspected Active Rovnix Botnet Controller
- https://isc.sans.edu/diary.html?storyid=17180
Last Updated: 2013-12-07 03:02:54 UTC - "We have received information about a suspected Rovnix botnet controller currently using at least 2 domains (mashevserv[.]com and ericpotic[.]com) pointing to the same IP address of (AS 44050). This is the information that we currently have available that should help identify if any hosts in your network are currently contacting this botnet:
• mashevserv[.]com/config.php?version=[value here]&user=[value here]&server=[value here]&id=[value here]&crc=[value here]&aid=[value here] is where the compromised clients send an HTTP GET request to when requesting a configuration file. If the correct values are inputted the server will return an encrypted configuration file.
• mashevserv[.]com/admin appears to be the admin console ...
> https://isc.sans.edu/diaryimages/images/mashevserv_adm_panel.PNG
• ericpotic[.]com/task.php has similar values appended to it and when the GET request is done it appears to be some sort of check-in to tell the server it is alive.
• Posts to ericpotic[.]com/data.php are used to exfiltrate data. All communications with C&C are unencrypted over TCP 80.
It also appears this malware has very little detection. This is all we currently have...
[1] https://www.robtex.com/dns/mashevserv.com.html#graph
[2] https://www.robtex.com/dns/ericpotic.com.html#graph
[3] https://www.robtex.com/ip/
[4] http://www.xylibox.com/2013/10/reversible-rovnix-passwords.html ..."
Keywords: Botnet Rovnix Malware Banking Trojan

- https://www.virustotal.com/en/ip-address/

- http://google.com/safebrowsing/diagnostic?site=AS:44050

:fear::fear: :mad:
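
One way to turn the indicators quoted in the ISC diary above into a detection check over web-proxy logs, as an added example (not code from the diary or from this thread): the two hostnames are the ones named in the diary with the defanging brackets removed, while the log format and the sample log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators from the ISC diary quoted above (defanging brackets removed).
ROVNIX_C2_HOSTS = {"mashevserv.com", "ericpotic.com"}
# (method, path) pairs the diary associates with each C&C function.
ROVNIX_C2_REQUESTS = {
    ("GET", "/config.php"): "config download",
    ("GET", "/task.php"): "check-in",
    ("POST", "/data.php"): "data exfiltration",
}
# Query keys the diary lists on the config.php request.
CONFIG_KEYS = {"version", "user", "server", "id", "crc", "aid"}

# Assumed (hypothetical) proxy-log format: "<ts> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})$")


def classify_request(method, url):
    """Return a label if the request touches a suspected Rovnix C&C host, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in ROVNIX_C2_HOSTS:
        return None
    if parts.path == "/config.php" and not CONFIG_KEYS.issubset(parse_qs(parts.query)):
        # Right host and path, but not the parameter set the diary describes.
        return "config.php (unexpected parameters)"
    # Any other request to a C&C host is still worth an alert.
    return ROVNIX_C2_REQUESTS.get((method, parts.path), "other contact with C&C host")


def scan_log(lines):
    """Return (client, host, label) for every log line matching a C&C pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, method, url, _status = m.groups()
        label = classify_request(method, url)
        if label:
            hits.append((client, urlsplit(url).hostname, label))
    return hits


# Constructed sample log lines; not real traffic.
SAMPLE_LOG = [
    "1386378123 10.0.0.5 GET http://mashevserv.com/config.php?version=1&user=u1&server=s1&id=42&crc=abc&aid=7 200",
    "1386378130 10.0.0.5 GET http://ericpotic.com/task.php?version=1&user=u1&server=s1&id=42&crc=abc&aid=7 200",
    "1386378140 10.0.0.5 POST http://ericpotic.com/data.php 200",
    "1386378150 10.0.0.9 GET http://www.example.com/index.html 200",
    "1386378160 10.0.0.9 GET http://mashevserv.com/admin 200",
]
```

Run `scan_log(SAMPLE_LOG)` to get one tuple per suspicious request; the client address is what an incident responder would pivot on next.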

2013-12-23, 17:23

Fraudulent Bot Traffic surpasses Human Traffic ...
- http://www.darkreading.com/applications/fraudulent-bot-traffic-surpasses-human-t/240164967?printer_friendly=this-page
Dec 23, 2013 - "There was more bot-driven, fraudulent activity on the Web in the U.S. last quarter than there was human traffic, according to a report posted last week. According to Solve Media's Q3 bot report, fraudulent activity accounted for 51% of U.S. Web traffic in the third quarter - the first time it has surpassed everyday traffic generated by humans. The problem is even bigger in other regions of the globe, according to Solve Media. Estonia (83%), Singapore (79%), and China (77%) had the highest levels of fraudulent Web activity overall, according to the study. Suspicious mobile activity in the United States also increased, up from 22% in Q2 to 27%. Solve Media, which monitors bot traffic as part of its security and digital advertising services, said the growth of fraudulent traffic may change the way online advertisers and commercial organizations approach the Web..."
* http://news.solvemedia.com/post/70487101632/us-bot-traffic-q4-2013

> http://solvemedia.files.wordpress.com/2013/12/us_suspicious_traffic_q3_2013.png

- http://response.network-box.com/malware

:mad: :sad: