Pandemic of the Botnets 2014

2014-01-09, 00:12

ZeroAccess takedown and TDSS aftermath
- http://blog.trendmicro.com/trendlabs-security-intelligence/zeroaccess-takedown-and-the-tdss-aftermath/
Jan 8, 2014 - "Early December last year, Microsoft – in cooperation with certain law enforcement agencies – announced their takedown of the ZeroAccess operations. This development, however, also yielded an unexpected effect on another well-known botnet, in particular TDSS. ZeroAccess is one of the most notable botnets in the world, with its malware known for rootkit capability. This malware is typically downloaded from peer-to-peer (P2P) networks disguised as pirated movie titles. Similarly, TDSS is known for its rootkit technology to bypass and is noted for distributing other malware such as FAKEAV, DNS changers. Both botnets are involved in click fraud operations... certain ZeroAccess variants redirect to URLs associated with TDSS, suggesting that the two botnets share portions of their command-and-control (C&C) infrastructure. As we monitored the connection between the two botnets, we found that the number of ZeroAccess customer infections and communications significantly dropped the day after the takedown. Among those systems with ZeroAccess infections, only 2.8% attempted (but failed) to communicate with its C&C servers.
ZeroAccess activity from Nov–Dec 2013
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/01/Gelo-Zero-Access-Activity-01.jpg
During the same period, we observed that the click fraud operations of TDSS were noticeably affected. The number of TDSS communications related to click fraud dropped days after December 5, the date when Microsoft announced their takedown of the ZeroAccess botnet. These activities, however, suddenly picked up before the year ended, suggesting that the click fraud side of TDSS is still active and the takedown’s impact may be temporary.
TDSS click fraud activity from Nov–Dec 2013
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/01/Edited-TDSS-Click-Fraud-Activity-01.jpg
However, the number of TDSS infections and communications were not impacted by the takedown, which indicates that only its click fraud side was affected.
TDSS activity from Nov–Dec 2013
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/01/Gelo-TDSS-Activity-01.jpg
This significant decrease in TDSS click fraud operations has something to do with its connection to ZeroAccess’s own click fraud... since both botnets perform click fraud, they may have exchanged URL lists with each other to generate more money. Proof of this nefarious deal between these two notorious botnets can be seen in the redirection URLs used by ZeroAccess. When initiating click fraud, we noticed several ZeroAccess variants redirecting to URLs related to TDSS. These redirections, in turn, increase the number of clicks gathered by TDSS, thus creating more profit for its perpetrators. We also noticed that TDSS malware, in particular the DGAv14 versions, use the old ZeroAccess domain generation algorithm (DGA) module, while new ZeroAccess variants have adopted DGAv14 features. Though the ZeroAccess takedown was disruptive to TDSS money-making schemes, its infections and communications remained business-as-usual, which means the TDSS botnet is likely profiting from other botnets..."

:fear::fear: :mad:

2014-01-29, 13:33

Cross-platform java-bot
- https://www.securelist.com/en/blog/8174/A_cross_platform_java_bot
Jan 28, 2014 - "... we received a malicious Java application for analysis, which turned out to be a multi-platform bot capable of running on Windows, Mac OS and Linux. The bot was written entirely in Java. The attackers used vulnerability CVE-2013-2465* to infect users with the malware. To make analyzing and detecting the malware more difficult, its developers used the Zelix Klassmaster obfuscator. In addition to obfuscating bytecode, Zelix encrypts string constants... The bot is designed to conduct DDoS attacks from infected user machines..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2465 - 10.0 (HIGH)
Last revised: 01/08/2014

- https://net-security.org/malware_news.php?id=2693
29.01.2014 - "... the botnet formed by machines "zombified" by this particular Trojan was targeting a bulk email service."

:mad: :fear:

2014-03-06, 14:41

Top Banking Botnets...
- http://www.secureworks.com/cyber-threat-intelligence/threats/top-banking-botnets-of-2013/
3 March 2014 - "... increase represents a challenge to financial institutions and their customers. Although banks have evolved their security measures to protect online transactions from fraud, attackers quickly adapt to these countermeasures and respond with sophisticated banking botnets. Many banking trojans are used for the same purposes, although not all banking trojans are created equal. Some botnets possess sophisticated plugin-based engines, while others are primitive yet effective... banking botnets' architecture ranges from a single centralized command and control (C2) server to a decentralized peer-to-peer (P2P) network...
Botnet activity for 2013: Most banking trojan activity observed by CTU researchers in 2013 originated from the botnets listed ...
Percentage of banking malware by botnet in 2013:
> http://www.secureworks.com/assets/image_store/png/page.intelligence.threats.banking.botnets.1.png
... attackers preferred to target commercial banks, credit unions, and other financial institutions in developed countries with sizeable populations and wealthy residents in 2013.
> http://www.secureworks.com/assets/image_store/other-jpegs/lrg.intelligence.threats.banking.botnets.2.jpg
Attackers tend to avoid countries where international transactions are more difficult and require local intervention to launder the money. Though most campaigns in 2013 focused on traditional banking websites, targets also included institutions that facilitate high-volume, high-value transactions, such as Automated Clearing House (ACH) or Single Euro Payments Area (SEPA) credit transfers. Many campaigns targeted corporate bank accounts and payroll systems... The choice of banking trojan and its capabilities depends on the financial resources available to the attacker and the level of security implementations an institution adopts. While MITB is a necessity of any banking trojan, features like redirect and backconnect allow them to control fraudulent transactions. Features like screenshots and video captures not only capture important information but enable an attacker to determine victim behavior that can be emulated during a fraudulent transaction... Conclusion: The financial fraud marketplace is an increasingly organized entity. It is a service-based industry in which a wide variety of financial trojans, webinjects, and distribution channels are bought and sold. Attackers are also reaching new markets, constantly expanding their operations to locations where they can apply existing techniques. The Middle East, Africa, and Asia are increasingly targeted. In search of maximum return, attackers are targeting high-volume and high-value transaction services, such as ACH in the U.S. and SEPA credit transfers in Europe, and there is an increased focus on recruiting money mules. In many situations, financial institutions adopted custom security solutions to protect against threats. However, many of these security implementations are -ineffective- against the modern banking trojan. 
Mass-distributed trojans that target large numbers of financial institutions concurrently and that leverage third-party services dedicated to circumventing security measures present a significant security threat..."
(More detail at the secureworks URL above.)

:fear::fear: :mad: :sad:

2014-05-04, 18:00

SPAM hits 3-Year High-Water Mark
- http://blogs.cisco.com/security/spam-hits-three-year-high-water-mark/
May 2, 2014 - "Takedowns of prolific spam -botnets- such as Rustock in 2011 and Grum in 2012, had a substantial effect on reducing overall global spam volumes. This, combined with diminishing returns for spammers sending via bots, had left many email recipients basking in the comfort of (mostly) clean inboxes. No doubt this downward trend in global spam volumes also saved countless dollars that would have otherwise been frittered away on phony university degrees, suspect weight loss products, and erectile dysfunction medication... Spam volumes have increased to the point that spam is now at its highest level since late 2010. Below is the graph of global spam volume as reported by Cisco SenderBase. From June 2013 to January 2014, spam was averaging between 50-100 billion messages per month, but as of March 2014 volumes were peaking above 200 billion messages per month--more than a 2X increase above normal.
> http://blogs.cisco.com/wp-content/uploads/Screen-Shot-2014-05-01-at-5.58.32-PM-550x241.png
... When spam volumes increase globally, we all notice the additional spam hitting our inbox. For example, imagine an anti-spam filter that is 99.9% effective at stopping spam. If spammers send 1000 spam messages, the filter should successfully banish about 999 of them to the spam folder, but one of the spam messages will inevitably pass through to the inbox; no filter is perfect. Now imagine that instead of sending 1000 spam messages, the spammers send 2000. The amount of spam in the inbox will have just doubled too! This is a simple example, but it illustrates the effect increased spam volumes have in the real world. While we haven’t reached the record levels of spam seen during the heyday of spamming botnets, increases in spam volumes can be problematic nonetheless. With this increase, organizations should also understand that the extra unsolicited email could obscure more threatening emails like spearphish..."

:mad: :fear:

2014-05-30, 22:25

Nemanja Botnet infected over 1,000 Payment Systems
- http://atlas.arbor.net/briefs/
High Severity
May 29, 2014
A botnet called "Nemanja" reportedly consists of at least 1,478 compromised Point-of-Sale terminals, grocery management platforms, and accounting systems worldwide.
Analysis: Compromised organizations are largely small businesses and grocery stores.
Source: http://intelcrawler.com/intel/nemanja.pdf
The Nemanja botnet has demonstrated that criminals have begun using traditional RAM scraping malware with keylogging modules, in order to gather credentials that may grant access into additional networks. Small businesses frequently present easy targets for threat actors due to insufficient security procedures. While most compromised POS terminals and accounting systems had antivirus installed, antivirus was not enough to detect the botnet. While AV can help provide indicators of some malware, scrutiny of internal logs and network monitoring by security personnel is necessary to detect possible malicious activity; in particular, traffic from sensitive POS and other financial systems should be -heavily- monitored.

:fear::fear: :mad:
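
The brief above says antivirus alone missed Nemanja on the compromised terminals and that traffic from POS and financial systems needs close monitoring. The script below is an added example (not code from Arbor, IntelCrawler or anyone in this thread) of the simplest form of that monitoring: an egress allow-list for the POS segment applied to firewall flow records. The subnets, the allowed destinations, the log format and the flow lines are all constructed for the example; a real deployment would read them from the firewall and the network inventory.

```python
import ipaddress
from collections import defaultdict

# Assumed network layout (constructed for this example, not a real site).
POS_SEGMENTS = [ipaddress.ip_network("10.20.0.0/24")]     # card terminals
SENSITIVE_HOSTS = {"10.0.7.9"}                             # accounting workstation
ALLOWED_DESTS = {                                          # (dst, dport) pairs
    ("203.0.113.10", 443),   # payment processor gateway
    ("10.0.5.5", 445),       # back-office file share
    ("10.0.5.20", 8530),     # internal patch server
}


def is_sensitive(ip):
    """True for hosts whose outbound traffic should be tightly constrained."""
    addr = ipaddress.ip_address(ip)
    return ip in SENSITIVE_HOSTS or any(addr in net for net in POS_SEGMENTS)


def parse_flow(line):
    """Parse a 'key=value' flow record; return None for lines that do not fit."""
    fields = {}
    for tok in line.split():
        if "=" not in tok:
            return None
        key, val = tok.split("=", 1)
        fields[key] = val
    try:
        return {"ts": fields["ts"], "src": fields["src"], "dst": fields["dst"],
                "dport": int(fields["dport"]), "bytes_out": int(fields["bytes_out"])}
    except (KeyError, ValueError):
        return None


def find_suspicious_egress(lines):
    """One alert per flow from a sensitive host to a destination not on the allow-list."""
    alerts = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None or not is_sensitive(rec["src"]):
            continue
        if (rec["dst"], rec["dport"]) in ALLOWED_DESTS:
            continue
        if is_sensitive(rec["dst"]):
            continue   # terminal-to-terminal traffic inside the segment is tolerated here
        alerts.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                       "dport": rec["dport"], "bytes_out": rec["bytes_out"]})
    return alerts


def summarize(alerts):
    """Per source host: total bytes sent to unexpected destinations and which ones."""
    summary = defaultdict(lambda: {"bytes_out": 0, "dests": set()})
    for a in alerts:
        summary[a["src"]]["bytes_out"] += a["bytes_out"]
        summary[a["src"]]["dests"].add((a["dst"], a["dport"]))
    return dict(summary)


# Constructed flow records (not real traffic). The third and fourth lines model a
# scraper posting card data to an outside host; the fifth is an ordinary office PC.
SAMPLE_FLOWS = [
    "ts=2014-05-29T02:14:03Z src=10.20.0.15 dst=203.0.113.10 dport=443 bytes_out=2140",
    "ts=2014-05-29T02:14:09Z src=10.20.0.15 dst=10.0.5.20 dport=8530 bytes_out=512",
    "ts=2014-05-29T02:15:41Z src=10.20.0.15 dst=198.51.100.77 dport=80 bytes_out=184320",
    "ts=2014-05-29T02:16:02Z src=10.0.7.9 dst=198.51.100.77 dport=443 bytes_out=40960",
    "ts=2014-05-29T02:16:30Z src=10.30.1.4 dst=198.51.100.77 dport=443 bytes_out=9000",
    "ts=2014-05-29T02:17:11Z src=10.20.0.16 dst=10.20.0.15 dport=445 bytes_out=300",
    "May 29 02:17:12 fw1 kernel: link up",
]

if __name__ == "__main__":
    found = find_suspicious_egress(SAMPLE_FLOWS)
    for a in found:
        print("ALERT", a)
    for src, s in summarize(found).items():
        print(src, s["bytes_out"], sorted(s["dests"]))
```

The allow-list is deliberately a set of (destination, port) pairs rather than bare addresses: a terminal reaching the processor's gateway on an unexpected port is as suspicious as one reaching an unknown host. Office traffic from outside the POS segment is ignored so the rule stays quiet enough to be acted on.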

2014-06-02, 18:44

US DOJ targets Gameover ZeuS Botnet, CryptoLocker scourge...
- http://krebsonsecurity.com/2014/06/operation-tovar-targets-gameover-zeus-botnet-cryptolocker-scourge/
Jun 2, 2014 - "The U.S. Justice Department... announced today* an international law enforcement operation to seize control over the Gameover ZeuS botnet, a sprawling network of hacked Microsoft Windows computers that currently infects an estimated 500,000 to 1 million compromised systems globally. Experts say PCs infected with Gameover are being harvested for sensitive financial and personal data, and rented out to an elite cadre of hackers for use in online extortion attacks, spam and other illicit moneymaking schemes... dubbed “Operation Tovar,” began late last week and is a collaborative effort by investigators at the FBI, Europol, and the UK’s National Crime Agency; security firms CrowdStrike, Dell SecureWorks, Symantec, Trend Micro and McAfee; and academic researchers at VU University Amsterdam and Saarland University in Germany... Gameover is based on code from the ZeuS Trojan, an infamous family of malware that has been used in countless online banking heists. Unlike ZeuS — which was sold as a botnet creation kit to anyone who had a few thousand dollars in virtual currency to spend — Gameover ZeuS has since October 2011 been controlled and maintained by a core group of hackers from Russia and Ukraine. Those individuals are believed to have used the botnet in high-dollar corporate account takeovers that frequently were punctuated by massive distributed-denial-of-service (DDoS) attacks intended to distract victims from immediately noticing the thefts. According to the Justice Department, Gameover has been implicated in the theft of more than $100 million in account takeovers. The curators of Gameover also have reportedly loaned out sections of their botnet to vetted third-parties who have used them for a variety of purposes. One of the most popular uses of Gameover has been as a platform for seeding infected systems with CryptoLocker, a nasty strain of malware that locks your most precious files with strong encryption until you pay a ransom demand..."
> http://krebsonsecurity.com/wp-content/uploads/2014/06/zeusp2p-abuse.png

* http://www.justice.gov/opa/gameover-zeus.html
June 2, 2014

- http://www.fbi.gov/news/pressrel/press-releases/u.s.-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomeware-charges-botnet-administrator
June 2, 2014

- https://www.us-cert.gov/ncas/alerts/TA14-150A
June 02, 2014

- http://www.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network
Updated: 02 Jun 2014
Removal Tool: http://www.symantec.com/security_response/writeup.jsp?docid=2014-052915-1402-99

- http://www.secureworks.com/resources/blog/research/operation-tovar-dell-secureworks-contributes-to-efforts-targeting-gameover-zeus-and-cryptolocker/
June 2, 2014

- http://blogs.mcafee.com/mcafee-labs/game-zeus-cryptolocker
June 2, 2014
Removal tool: http://www.mcafee.com/us/downloads/free-tools/how-to-use-stinger.aspx

- http://www.reuters.com/article/2014/06/02/us-cybersecurity-zeus-idUSKBN0ED27F20140602
Jun 2, 2014

:fear: :spider:

2014-06-04, 14:08

Global malware server disruption - the window ...
- http://www.theinquirer.net/inquirer/news/2347808/national-crime-agency-warns-about-botnet-epidemic
Jun 03 2014 - "... It is estimated that 15,000 machines in the UK have already been infected out of the one million worldwide, and internet service providers (ISPs) have said that they will be writing to customers that they believe have been affected. However, it has been around for some time, and we reported back in March how hackers had been using the malware to target users of Monster.com. Gameover Zeus (GOZ), sometimes known as P2P Zeus or GO Zeus, is a relative of the ransomware known as Cryptolocker... The NCA has worked on a global initiative* to put procedures in place that disrupt information flow between victim machines and servers. However, the Stay Safe Online website has been experiencing issues, with the website crashing for some users. At time of writing it has been partially restored but appears to be struggling under the weight of traffic... Users are advised to back up all valuable data, avoid shonky-looking email attachments and ensure anti-malware packages are up to date. As important, however, is the need to pass on information about the threat in order to ensure that as many people as possible are protected during the window created by the global malware server disruption."
* http://www.us-cert.gov/ncas/alerts/TA14-150A

- http://myonlinesecurity.co.uk/gameover-zeus-p2p-zeus-botnet-temporarily-taken/
4 June 2014 - "... it is expected for the bad guys to regroup and recreate the C&C network using new servers and ISPs. While the C&C is down, it is much easier for an antivirus to clean an infected computer, because it isn’t continually receiving instructions to download new malware or send any spam or malicious emails. As soon as the C&C is re-established, any infected computer will immediately start to receive instructions & start sending spam & malware again..."

- https://www.computerworld.com/s/article/9248872/Massive_botnet_takedown_stops_spread_of_Cryptolocker_ransomware
June 5, 2014 - "The takedown earlier this week of a major malware-spewing botnet has crippled the distribution of Cryptolocker... But replacements already stand in the wings, prepared to take Cryptolocker's place... while Cryptolocker's infection pipeline has been crippled, other rival ransomware gangs are ready to fill in... Cryptodefense and Cryptowall as two such copycats. Both have been in circulation since late last year, months after researchers discovered Cryptolocker...
New infections of the Cryptolocker ransomware:
> https://www.computerworld.com/common/images/site/features/2014/06/Infections%20daily%20-%20Cryptolocker.jpg
... While Gameover Zeus is suppressed, consumers and businesses should make use of the time to wipe the malware from infected machines and secure their PCs by updating their operating systems and applications, and ensuring the systems are protected by security software..."


2014-06-10, 12:37

Unique Gameover Zeus Infected IPs per day...
- https://goz.shadowserver.org/stats/

- http://blog.shadowserver.org/2014/06/08/gameover-zeus-cryptolocker/
June 8, 2014

[Added June 13, 2014]
... You can check if your computer is infected with Gameover Zeus by visiting this page:
- https://goz.shadowserver.org/gozcheck/


2014-06-18, 14:25

Asprox Botnet campaign spreads Court Dates and Malware
- http://www.fireeye.com/blog/technical/malware-research/2014/06/a-not-so-civic-duty-asprox-botnet-campaign-spreads-court-dates-and-malware.html
June 16, 2014 - "Executive Summary: FireEye Labs has been tracking a recent spike in malicious email detections that we attribute to a campaign that began in 2013. While malicious email campaigns are nothing new, this one is significant in that we are observing mass-targeting attackers adopting the malware evasion methods pioneered by the stealthier APT attackers. And this is certainly a high-volume business, with anywhere from a few hundred to ten thousand malicious emails sent daily – usually distributing between 50 and 500,000 emails per outbreak... In late 2013, malware labeled as Kuluoz, the specific spam component of the Asprox botnet, was discovered to be the main payload of what would become the first malicious email campaign. Since then, the threat actors have continuously tweaked the malware by changing its hardcoded strings, remote access commands, and encryption keys. Previously, Asprox malicious email campaigns targeted various industries in multiple countries and included a URL link in the body. The current version of Asprox includes a simple zipped email attachment that contains the malicious payload “exe”...
Overall Asprox Botnet tracking:
> http://www.fireeye.com/blog/wp-content/uploads/2014/06/fig5.png
... Conclusion: The data reveals that each of the Asprox botnet’s malicious email campaigns changes its method of luring victims and C2 domains, as well as the technical details on monthly intervals. And, with each new improvement, it becomes more difficult for traditional security methods to detect certain types of malware..."
(More detail at the fireeye URL above.)

:mad: :fear::fear:

2014-07-09, 15:38

Facebook kills Lecpetex botnet ...
- https://www.computerworld.com/s/article/9249616/Facebook_kills_Lecpetex_botnet_which_hit_250K_computers
July 8, 2014 - "Facebook said* police in Greece made two arrests last week in connection with a little-known spamming botnet called "Lecpetex," which used hacked computers to mine the Litecoin virtual currency. As many as 50,000 Facebook accounts were affected, and as many as 250,000 computers worldwide, primarily in Greece, Poland, Norway, India, Portugal and the U.S., according to a blog post* on Tuesday from Facebook's Threat Infrastructure team. The social networking site described the difficulties in shutting down the botnet, whose creators taunted Facebook through messages left on servers that were part of its network. Those behind Lecpetex launched at least 20 spam campaigns between December 2013 and last month, affecting Facebook and other online services. Some of the victims received private messages containing a ".zip" attachment containing a Java JAR file or Visual Basic script. Those files, if executed, would then retrieve other malware modules stored on remote sites. The modules were either DarkComet, a widely used remote access tool that can harvest login credentials, or variants of software that mines the virtual currency Litecoin, the team wrote. By frequently refreshing and changing the malicious attachments, Lecpetex defeated Facebook's filters designed to stop such malware from being distributed. The malware would also automatically update itself to evade antivirus products... Facebook said it reached out to other infrastructure providers and law enforcement when it realized security software on its own wasn't going to foil Lecpetex..."
* https://www.facebook.com/notes/protect-the-graph/taking-down-the-lecpetex-botnet/1477464749160338

Cyber Armies Brute Force POS Systems
- http://intelcrawler.com/news-21
July 8, 2014 - "... identified a malicious automated network that targets Point-of-Sale software using infected computers from around the world. The underground bot army, using the project name “@-Brt”, is using thousands of peaceful and unsuspecting infected users to brute force Point-of-Sale systems in an attempt to steal login credentials. This increased trend during the past two months has been in a stealth mode, since the bot activities have successfully slid under the radar of both the end user and the targeted merchants. Previous threat intelligence notifications by IntelCrawler confirmed that the interest of cybercriminals in offline and online (cloud-based / SaaS) Point-of-Sale has increased significantly of late, as the use of automation and -bots- increases their chances of finding another gold mine like Target...
Administrative Interface of “@-Brt” project:
> http://intelcrawler.com/images/7c268ee5220dca4b4c0c32104a426c7e.jpg
... The “@-Brt” project was released in May 2014 in the underground as a specific type of malware for brute forcing Point-of-Sale credentials, using collected indicators like subnet IP ranges and commonly used operator, supervisor, and back office administrator logins, some of which are default manufacturer passwords for famous Point-of-Sale equipment, as conveniently described in the official technical documentation from particular vendors... The bad actors' distribution of the “@-Brt” botnet allows for active scanning of multiple IPv4 network ranges on specific TCP ports and parallel brute forcing of available remote administration protocols such as VNC, Microsoft RDP and PCAnywhere. The identified malware supports multithreading, which speeds up the process of gaining unauthorized access to merchants for further data theft. IntelCrawler has also detected within the bot the concentration of some compromised merchants and the massive IPv4 scanning in network ranges of famous US Internet Service Providers such as AT&T Internet Services, Sonic.net and SoftLayer Technologies. There are several modifications of the “@-Brt” project, supported by several cybercriminals, using slightly different approaches to parallelism, potentially written by different authors for speed and timeout optimization. After monitoring and infiltrating the bot network, IntelCrawler’s analysts have figured out the most commonly used passwords for compromised Point-of-Sale terminals and the geographical distribution of the infected hosts for cyberattacks.
> http://intelcrawler.com/images/98dae80a700d4aaf87ead1c12a80ab99.jpg
Password distribution showed leaders with very low entropy – “aloha12345” (13%), “micros” (10%), “pos12345” (8%), “posadmin” (7%) and “javapos” (6.30%). IntelCrawler recommends strengthening passwords used for POS terminals, as well as monitoring suspicious incoming network traffic from the following countries:
> http://intelcrawler.com/images/1828bfa79e3b5854de4ee4f9c16a2aad.jpg "

- http://www.fireeye.com/blog/technical/botnet-activities-research/2014/07/brutpos-rdp-bruteforcing-botnet-targeting-pos-systems.html
July 9, 2014 - "... we found five C2 servers used by the BrutPOS botnet. Three of these servers are located on the same network in Russia; one of them is located in Iran. Only two of these servers remain active at this time..."
C2 server table (partially extracted; the VirusTotal IP-address links are truncated in the source):
- Russia, THEFIRST-NET, Active, https://www.virustotal.com/en/ip-address/...
- Russia, THEFIRST-NET, Active, https://www.virustotal.com/en/ip-address/...
...

:fear: :mad:
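
The two write-ups above describe a bot that sprays default POS credentials over RDP, VNC and PCAnywhere, and recommend stronger passwords plus monitoring of inbound traffic. Below is an added example (not code from IntelCrawler, FireEye or anyone in this thread) of the defender's side: a sliding-window counter of failed remote-admin logons per source and protocol that raises a second, higher-priority alert if a success follows a burst, plus an audit of POS accounts against the low-entropy defaults the write-up lists. The log format, the threshold values, the minimum-length policy and the sample records are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Detection thresholds (assumed values; tune to the environment).
WINDOW = timedelta(seconds=60)
FAIL_THRESHOLD = 5
MIN_PASSWORD_LEN = 12          # assumed local policy

# Low-entropy POS passwords named in the IntelCrawler write-up.
WEAK_PASSWORDS = {"aloha12345", "micros", "pos12345", "posadmin", "javapos"}


def parse_auth(line):
    """Parse a 'key=value' remote-admin logon record; None for anything else."""
    fields = {}
    for tok in line.split():
        if "=" not in tok:
            return None
        key, val = tok.split("=", 1)
        fields[key] = val
    try:
        return {"ts": datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "src": fields["src"], "proto": fields["proto"].lower(),
                "user": fields["user"].lower(), "result": fields["result"].upper()}
    except (KeyError, ValueError):
        return None


def detect_bruteforce(lines):
    """Alert when one source racks up FAIL_THRESHOLD failures within WINDOW on one protocol.

    A second alert fires if that same source then logs on successfully: the
    scanner has found working credentials on the terminal.
    """
    history = defaultdict(deque)   # (src, proto) -> (ts, user) of failures inside WINDOW
    burst_seen = set()
    alerts = []
    for line in lines:
        rec = parse_auth(line)
        if rec is None:
            continue
        key = (rec["src"], rec["proto"])
        recent = history[key]
        if rec["result"] == "FAIL":
            recent.append((rec["ts"], rec["user"]))
            while recent and rec["ts"] - recent[0][0] > WINDOW:
                recent.popleft()          # drop failures that aged out of the window
            if len(recent) >= FAIL_THRESHOLD and key not in burst_seen:
                burst_seen.add(key)
                alerts.append({"kind": "bruteforce", "src": rec["src"], "proto": rec["proto"],
                               "failures": len(recent), "first": recent[0][0],
                               "last": rec["ts"],
                               "users_tried": sorted({u for _, u in recent})})
        elif rec["result"] == "SUCCESS" and key in burst_seen:
            alerts.append({"kind": "success_after_burst", "src": rec["src"],
                           "proto": rec["proto"], "user": rec["user"], "at": rec["ts"]})
    return alerts


def audit_passwords(accounts):
    """Flag POS accounts whose password is a known default or below MIN_PASSWORD_LEN.

    `accounts` maps account name to its current password, as read from a
    terminal configuration export (constructed here; real exports vary by vendor).
    """
    findings = []
    for user, password in accounts.items():
        reasons = []
        if password.lower() in WEAK_PASSWORDS:
            reasons.append("known POS default")
        if len(password) < MIN_PASSWORD_LEN:
            reasons.append("shorter than %d characters" % MIN_PASSWORD_LEN)
        if reasons:
            findings.append((user, reasons))
    return findings


# Constructed logon records (not from any real terminal). The first source sprays
# default account names over RDP and gets in; the second is two stray VNC failures
# minutes apart, which should not trip the window.
SAMPLE_AUTH = [
    "ts=2014-07-08T03:00:01Z src=198.51.100.7 proto=rdp user=posadmin result=FAIL",
    "ts=2014-07-08T03:00:03Z src=198.51.100.7 proto=rdp user=micros result=FAIL",
    "ts=2014-07-08T03:00:06Z src=198.51.100.7 proto=rdp user=administrator result=FAIL",
    "ts=2014-07-08T03:00:09Z src=198.51.100.7 proto=rdp user=aloha result=FAIL",
    "ts=2014-07-08T03:00:12Z src=198.51.100.7 proto=rdp user=posadmin result=FAIL",
    "ts=2014-07-08T03:00:15Z src=198.51.100.7 proto=rdp user=posadmin result=SUCCESS",
    "ts=2014-07-08T03:02:00Z src=192.0.2.44 proto=vnc user=manager result=FAIL",
    "ts=2014-07-08T03:05:00Z src=192.0.2.44 proto=vnc user=manager result=FAIL",
    "ts=2014-07-08T03:05:30Z src=192.0.2.44 proto=vnc user=manager result=SUCCESS",
    "Jul  8 03:05:31 pos-term-01 sshd[2211]: Accepted publickey for svc from 10.0.5.5",
]

# Constructed account export for the password audit.
SAMPLE_ACCOUNTS = {"posadmin": "pos12345", "manager": "Tz!9rQv#2LmX4", "svc": "micros"}

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH):
        print(alert)
    for user, reasons in audit_passwords(SAMPLE_ACCOUNTS):
        print(user, "->", "; ".join(reasons))
```

Keying the window on (source, protocol) rather than on the targeted account is what catches a sprayer: each attempt uses a different default login, so a per-account lockout never triggers, but the per-source failure count does. The "success after burst" alert is the one worth paging on, since it means the terminal is already in the attacker's hands.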

2014-07-18, 14:49

Gameover Zeus Variant Resumes Activity
- https://atlas.arbor.net/briefs/index#170748218
17 Jul 2014
A new variant based on the GameOver Zeus Trojan has been identified distributing spam.
Analysis: While the original GameOver Zeus was taken down by law enforcement last month, this new variant suggests that cyber criminals will continue to leverage this malware. Past law enforcement operations on active botnets, while temporarily successful, have done little to fully disrupt malicious activity, as criminals frequently find new available malware and tools. [ http://blog.malcovery.com/blog/breaking-gameover-zeus-returns , http://nakedsecurity.sophos.com/2014/07/13/gameover-malware-returns-from-the-dead/ ]

- http://www.secureworks.com/resources/blog/research/gameover-zeus-re-emerges-without-peer-to-peer-capability/
July 11, 2014

- https://www.virustotal.com/en-gb/file/3ff49706e78067613aa1dcf0174968963b17f15e9a6bc54396a9f233d382d0e6/analysis/#comments

:mad: :fear:

2014-09-08, 20:42

Citadel botnet - Zeus descendent ...
- https://www.virusbtn.com/virusbulletin/archive/2014/09/vb201409-Citadel-1#id3373382
2014-09-02 - "Cybercrime is increasing because it is a lucrative business. In turn, this has led to a growth in crimeware services as well as automated exploitation and malware infection frameworks [1]. Botnets play a crucial role in that growth, with successful botnets containing large numbers (sometimes millions) of infected computers. Amassing such a large network of bots requires automation, and browser exploit packs (BEPs) have become the primary tool for automating the browser exploitation process. Drive-by download attacks drive users to BEPs, which then infect the users’ computers. In 2008, Provos et al. collected approximately three million malicious URLs hosting BEPs, accounting for 1.3% of all first-page Google search query results over a period of 10 months. Vulnerable browsers are -exploited- and malicious payloads are -executed- with droppers downloaded onto victims’ systems. The droppers then extract the bots and install them silently. Botnets like Zeus (or Zbot) have redefined cybercrime because of their skilled design and ability to target online financial and banking institutions..."
[1] http://www.sciencedirect.com/science/article/pii/S1874548213000036

:mad: :fear: :mad: