Pandemic of the Botnets 2015

2015-02-26, 03:19

NCCU/Europol shuts down RAMNIT Botnet
- http://www.pcmag.com/article2/0,2817,2477392,00.asp
Feb 25, 2015 - "... In partnership with Europol and local law enforcement units in The Netherlands, Italy, and Germany, the National Cyber Crime Unit (NCCU) shut down command and control servers used by a network of infected computers. The botnet, named RAMNIT, spread malware through what appeared to be trustworthy links sent via phishing emails or social networking sites. One click of the seemingly harmless URL by Windows users, and the malware would be installed. Computers would then be under the control of criminals, allowing the hackers to access personal information, steal passwords, and disable antivirus protection... National Crime Agency investigators believe RAMNIT could have contaminated more than 3 million computers worldwide — 33,000 of which are in the U.K. According to the collected data, the botnet has, so far, been used mostly to siphon money from bank accounts. Microsoft knew something was up when it noticed a spike in computer infections. The company alerted Europol, which teamed up with the Joint Cybercrime Action Taskforce (J-CAT) to take down RAMNIT. Launched in the fall as a six-month pilot program, the J-CAT taskforce will continue its efforts to combat cyber crime, working with agencies across Europe, Canada, and the U.S. to share intelligence..."

- http://nca.police.uk/news/news-listings/555-warning-over-computer-attack-as-nca-leads-operation-to-take-down-servers
Feb 25, 2015 - "... The NCA is now advising people to check whether their computer has been infected by downloading specialist disinfection software, which is available free of charge at CyberStreetWise* or GetSafeOnline**. The disinfection tools will identify whether a computer has been infected and, if so, disinfect it. The tool will cause no harm if used on computers that have not been infected. Those whose computers have been affected should then change passwords on banking, email, social media and other potentially sensitive online accounts..."

* https://www.cyberstreetwise.com/blog/nca-urges-public-check-malware-after-operation

** https://www.getsafeonline.org/news/ramnit/

- http://www.symantec.com/connect/blogs/ramnit-cybercrime-group-hit-major-law-enforcement-operation
25 Feb 2015

Ramnit infections by region:
- http://www.symantec.com/connect/sites/default/files/users/user-2935611/3730198_Ramnit_Locations.png


2015-04-10, 14:08

'Beebone' botnet takedown
- http://arstechnica.com/security/2015/04/us-european-police-take-down-highly-elusive-botnet-known-as-beebone/
Apr 9, 2015 - "US and European police have shut down a botnet that provided a captive audience of backdoored PCs to criminals who were looking for an easy way to quickly install malware on large numbers of computers. The takedown of the Beebone botnet is something of a coup because the underlying malware was so resistant to detection. Polymorphic downloader software at the heart of the malicious program updated itself as many as 19 times a day. Beebone also relied on a pair of programs that re-downloaded each other, acting as an insurance policy should one of them be removed, authorities told the Associated Press*. "From a techie's perspective, they made it as difficult as they possibly could for us," a Europol advisory told the news organization. The takedown was a joint operation that involved the US FBI, Europol's European Cybercrime Center, and private security groups including Kaspersky Lab, Shadowserver, and McAfee. According to Europol, initial figures showed that Beebone had infected about 12,000 computers. That's a relatively small number since some botnets commandeer millions of end-user devices. Officials said there are likely many more Beebone victims. There are more than five million unique samples of the underlying downloader worm, known as W32/Worm-AAEH, with more than 205,000 samples taken from 23,000 systems in 2013 and 2014. The infected computers are spread across more than 195 countries, with the US reporting the biggest number of compromises, followed by Japan, India, and Taiwan. Infections were also hard to eradicate because the malware blocked connections to antivirus websites. The takedown was carried out by "sinkholing" the Beebone command-and-control network. Sinkholing is the process of seizing all domain names and IP addresses used to centrally control the infected machines. 
The whitehats performing the takedown set up their own command channel that prevented the computers from downloading malware updates or participating in any other botnet activities. To be fully free of the Beebone menace, infected computers still must be disinfected using AV software or, better yet, by having their hard drives wiped and operating systems reinstalled. Authorities are in the process of contacting Internet service providers and computer emergency response teams around the world to help identify and contact individual victims..."
* http://www.nytimes.com/aponline/2015/04/09/world/europe/ap-eu-europol-cybercrime.html
Apr 9, 2015

- http://www.symantec.com/connect/app#!/blogs/coordinated-takedown-disrupts-changeup-malware-distribution-network
09 Apr 2015

- https://www.europol.europa.eu/content/international-police-operation-targets-polymorphic-beebone-botnet
9 April 2015

SIMDA: (Another) Botnet Takedown
- http://blog.trendmicro.com/trendlabs-security-intelligence/simda-a-botnet-takedown/
Apr 12, 2015 - "... the malware targeted popular sites including Facebook, Bing, Yahoo, and Google Analytics... it modifies HOSTS files, which redirects users to malicious sites whenever they try to access legitimate sites..."
Modified HOSTS file:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/04/SIMDA_host_file.png
(More detail at TrendMicro...)


2015-04-15, 18:35

Simda botnet takedown - 770,000 PCs worldwide affected
The Simda botnet that menaced 190 countries is no more.
- http://arstechnica.com/security/2015/04/botnet-that-enslaved-770000-pcs-worldwide-comes-crashing-down/
Apr 13, 2015 - "Law enforcement groups and private security companies around the world said they have taken down a botnet that enslaved more than 770,000 computers in 190 countries, stealing owners' banking credentials and establishing a backdoor to install still more malware. Simda, as the botnet was known, infected an additional 128,000 new computers each month over the past half year, a testament to the stealth of the underlying backdoor trojan and the organization of its creators. The backdoor morphed into a new, undetectable form every few hours, allowing it to stay one step ahead of many antivirus programs. Botnet operators used a variety of methods to infect targets, including exploiting known vulnerabilities in software such as Oracle Java, Adobe Flash, and Microsoft Silverlight. The exploits were stitched into websites by exploiting SQL injection vulnerabilities and exploit kits such as Blackhole and Styx. Other methods included sending spam and other forms of social engineering. Countries most affected by Simda included the US, with 22 percent of the infections, followed by the UK, Turkey with five percent, and Canada and Russia with four percent. The malware modified the HOSTS file Microsoft Windows machines use to map specific domain names to specific IP addresses. As a result, infected computers that attempted to visit addresses such as connect. facebook. net or google-analytics .com were surreptitiously diverted to servers under the control of the attackers. Often the booby-trapped HOSTS file remains even after the Simda backdoor has been removed. Security researchers advised anyone who may have been infected to inspect their HOSTS file, which is typically located in the directory %SYSTEM32%\drivers\etc\hosts. People who want to discover if they have been infected by Simda can check this page* provided by AV provider Kaspersky Lab. The page is effective as long as a person's IP address hasn't changed from when the infection was detected. 
The takedown involved the seizing of 14 command-and-control servers that were located in the Netherlands, US, Luxembourg, Poland, and Russia. The highly coordinated takedown occurred simultaneously all over the world last Thursday and Friday and was organized by the Interpol Global Complex for Innovation in Singapore. It included officers from the Dutch National High Tech Crime Unit, the US FBI, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Russian Ministry of the Interior’s Cybercrime Department “K." INTERPOL also worked with Microsoft, Kaspersky Lab, Trend Micro, and Japan’s Cyber Defense Institute for technical assistance..."
* https://checkip.kaspersky.com/

- http://blogs.technet.com/b/mmpc/archive/2015/04/12/microsoft-partners-with-interpol-industry-to-disrupt-global-malware-attack-affecting-more-than-770-000-pcs-in-past-six-months-39-simda-at-39-designed-to-divert-internet-traffic-to-disseminate-other-types-of-malware.aspx
12 Apr 2015

- https://www.us-cert.gov/ncas/alerts/TA15-105A
April 15, 2015

Verizon 2015 Data Breach Investigations Report ...
- http://news.verizonenterprise.com/2015/04/2015-verizon-dbir-report-security/
April 15, 2015 - "... According to this year’s report, the bulk of the cyberattacks (70 percent) use a combination of these techniques and involve a secondary victim, adding complexity to a breach. Another troubling area singled out in this year’s report is that many existing vulnerabilities remain open, primarily because security patches that have long been available were never implemented. In fact, many of the vulnerabilities are traced to 2007 — a gap of almost eight years. As in prior reports, this year’s findings again pointed out what Verizon researchers call the “detection deficit” — the time that elapses between a breach occurring until it’s discovered. Sadly, in 60 percent of breaches, attackers are able to compromise an organization within minutes. Yet the report points out that many cyberattacks could be prevented through a more vigilant approach to cybersecurity... in general, mobile threats are overblown. In addition, the overall number of exploited security vulnerabilities across all mobile platforms is negligible. While machine-to-machine security breaches were not covered in the 2014 report, the 2015 report examines incidents in which connected devices are used as an entry point to compromise other systems. The report also examines the co-opting of IoT devices into botnets — a network of private computers infected with malicious software and controlled without the owners’ knowledge — for denial-of-service attacks. This data reaffirms the need for organizations to make security a high priority when rolling out next-generation intelligent devices... Verizon security researchers explained that the bulk (96 percent) of the nearly 80,000 security incidents analyzed this year can be traced to nine basic attack patterns that vary from industry to industry... 
As identified in the 2014 DBIR, the nine threat patterns are: miscellaneous errors, such as sending an email to the wrong person; crimeware (various malware aimed at gaining control of systems); insider/privilege misuse; physical theft/loss; Web app attacks; denial-of-service attacks, cyberespionage; point-of-sale intrusions and payment card skimmers. This year’s report found that 83 percent of security incidents by industry involve the top three threat patterns, up from 76 percent in 2014... This year’s report is packed with detailed information and improvement recommendations based on seven common themes:
• The need for increased vigilance.
• Make people your first line of defense.
• Only keep data on a need-to-know basis.
• Patch promptly.
• Encrypt sensitive data.
• Use two-factor authentication.
• Don’t forget physical security..."
Full Report (PDF):
- http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015_en_xg.pdf

- https://atlas.arbor.net/briefs/index#733050452
Apr 16, 2015
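The Simda write-up above advises inspecting the Windows HOSTS file for entries that divert well-known domains such as connect.facebook.net or google-analytics.com to attacker-controlled servers. The following Python 3 script is an added example, not code from this thread or from any of the cited sources: it parses HOSTS-style content and reports every hostname pinned to a routable address, optionally restricted to a watch list of domains. The sample file content, the 203.0.113.10 address (a documentation/TEST-NET range, not a real server) and the watch list are constructed for the demonstration.

```python
"""Audit a Windows-style HOSTS file for hijacked name-to-address entries.

Added example (not from the thread). Legitimate HOSTS files normally map
names only to loopback or the unspecified address (blocklist style), so any
mapping to a routable address, especially for a well-known domain, is
worth a closer look.
"""
import ipaddress
import os

# Constructed sample modelled on the tampering described in the Simda post:
# two normal localhost lines, two injected redirections to a placeholder
# address, and one benign blocklist-style entry.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
203.0.113.10    connect.facebook.net
203.0.113.10    google-analytics.com   # injected line
0.0.0.0         ads.example.invalid    # blocklist entry, benign
"""

# Constructed watch list of domains the Simda post names as targets.
WATCHED = ("facebook.net", "facebook.com", "google-analytics.com",
           "bing.com", "yahoo.com", "google.com")


def parse_hosts(text):
    """Return a list of (address, hostname, line_no) tuples.

    Comments (everything after '#') and blank lines are skipped; a line
    whose first token is not a valid IPv4/IPv6 address is ignored.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            addr = ipaddress.ip_address(tokens[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in tokens[1:]:
            entries.append((addr, name.lower(), line_no))
    return entries


def is_benign_target(addr):
    """Loopback, unspecified (0.0.0.0 / ::) and link-local targets cannot
    divert traffic to a remote server, so they are treated as benign."""
    return addr.is_loopback or addr.is_unspecified or addr.is_link_local


def find_hijacks(text, watched=None):
    """Report entries that map a hostname to a routable address.

    With `watched` given, only that domain list (and its subdomains) is
    reported; without it, every routable mapping is returned so that an
    analyst can triage intranet entries an administrator may have added.
    """
    findings = []
    for addr, name, line_no in parse_hosts(text):
        if is_benign_target(addr):
            continue
        if watched is not None and not any(
                name == d or name.endswith("." + d) for d in watched):
            continue
        findings.append({"line": line_no, "hostname": name, "ip": str(addr)})
    return findings


def audit_live_hosts_file():
    """Read the real HOSTS file on Windows (%SystemRoot%\\System32\\drivers\\etc\\hosts)."""
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read(), WATCHED)


if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_HOSTS, WATCHED):
        print(f"line {hit['line']}: {hit['hostname']} -> {hit['ip']}  (HIJACK?)")
```

Run against the constructed sample it reports the two injected lines and stays silent on the localhost and 0.0.0.0 entries; on a live machine call `audit_live_hosts_file()` instead. A hit against the watch list is a strong indicator, while generic routable entries need triage, since administrators do legitimately pin intranet names to private addresses. As the Simda post notes, the tampered file can outlive the backdoor, so the check is worth repeating after disinfection.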


2015-06-28, 04:17

Major cybercrime ring dismantled by Europol
- https://www.europol.europa.eu/content/major-cybercrime-ring-dismantled-joint-investigation-team
25 June 2015 - "A joint investigation team (JIT) consisting of investigators and judicial authorities from six different European countries, supported by Europol and Eurojust, has taken down a major cybercriminal group during a coordinated action in Ukraine. With on-the-spot support from Europol, Austrian and Belgian law enforcement and judicial authorities, the action in Ukraine on 18 and 19 June resulted in the arrest of five suspects, eight house searches in four different cities, and the seizure of computer equipment and other devices for further forensic examination. The aim of this JIT was to target high-level cybercriminals and their accomplices who are suspected of developing, exploiting and distributing Zeus and SpyEye malware - two well-known banking Trojans - as well as channelling and cashing-out the proceeds of their crimes. The cybercriminals used malware to attack online banking systems in Europe and beyond, adapting their sophisticated banking Trojans over time to defeat the security measures implemented by the banks. Each cybercriminal had their speciality and the group was involved in creating malware, infecting machines, harvesting bank credentials and laundering the money through so-called money mule networks. On the digital underground forums, they actively traded stolen credentials, compromised bank account information and malware, while selling their hacking ‘services’ and looking for new cooperation partners in other cybercriminal activities. This was a very active criminal group that worked in countries across all continents, infecting tens of thousands of users’ computers with banking Trojans, and subsequently targeted many major banks. The damage produced by the group is estimated to be at least EUR 2 million.
"In one of the most significant operations coordinated by the agency in recent years Europol worked with an international team of investigators to bring down a very destructive cybercriminal group. With our international partners, we are committed to fighting the threats brought about by malware and other forms of cybercrime, to realise safer technology infrastructures and online financial transactions for businesses and people the world over," said Rob Wainwright, Director of Europol. "This case demonstrates that it is only possible to combat cybercrime in a successful and sustainable way if all actors - that means investigative judges and judicial authorities - coordinate and cooperate across the borders," Ingrid Maschl-Clausen, National Member of Austria to Eurojust, commented at a press conference in Vienna.
The recent action was part of the wider investigation that was launched in 2013 by the JIT members (Austria, Belgium, Finland, the Netherlands, Norway and the United Kingdom), and facilitated by Europol and Eurojust. Last week’s results bring the total number of arrests in this operation to 60 – 34 who were captured as part of a ‘money mule’ operation run by Dutch law enforcement authorities.
Europol has provided crucial support to the investigation since 2013 including handling and analysis of terabytes of data, and thousands of files in the Europol Malware Analysis System; handling of thousands sensitive operational messages; production of intelligence analysis reports; forensic examination of devices; organisation of operational meetings and bi-monthly international conference calls. The enormous amount of data that was collected and processed during the investigation will now be used to trace the cybercriminals still at large... Eurojust hosted coordination meetings, bringing the judicial authorities and investigative judges together. Moreover, Eurojust provided legal advice, and assisted with the drafting of the Joint Investigation Team Agreement, as well as supported the joint investigation team during the lifetime of the entire process. Eurojust also enabled contacts at judicial level between non-EU Member States, in particular with Ukraine. Several action days took place during the course of the long-running investigation, which resulted in significant operational successes in Belgium, Estonia, Finland, Latvia, the Netherlands and Ukraine. Such results were possible thanks to intense cooperation between the JIT and law enforcement and judicial partners in Estonia, Latvia, Germany, Moldova, Poland, Ukraine and the US."


2015-07-15, 17:29

Darkode Hacking Forum dismantled
- http://www.justice.gov/opa/pr/major-computer-hacking-forum-dismantled
July 15, 2015 - "The computer hacking forum known as Darkode was dismantled, and criminal charges have been filed in the Western District of Pennsylvania and elsewhere against 12 individuals associated with the forum, announced Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, U.S. Attorney David J. Hickton of the Western District of Pennsylvania and Deputy Director Mark F. Giuliano of the FBI. “Hackers and those who profit from stolen information use underground Internet forums to evade law enforcement and target innocent people around the world,” said Assistant Attorney General Caldwell. “This operation is a great example of what international law enforcement can accomplish when we work closely together to neutralize a global cybercrime marketplace. Of the roughly 800 criminal internet forums worldwide, Darkode represented one of the gravest threats to the integrity of data on computers in the United States and around the world and was the most sophisticated English-speaking forum for criminal computer hackers in the world,” said U.S. Attorney Hickton. “Through this operation, we have dismantled a cyber hornets’ nest of criminal hackers which was believed by many, including the hackers themselves, to be impenetrable. This is a milestone in our efforts to shut down criminals’ ability to buy, sell, and trade malware, botnets and personally identifiable information used to steal from U.S. citizens and individuals around the world,” said Deputy Director Giuliano. “Cyber criminals should not have a safe haven to shop for the tools of their trade and Operation Shrouded Horizon shows we will do all we can to disrupt their unlawful activities.” As alleged in the charging documents, Darkode was an online, password-protected forum in which hackers and other cyber-criminals convened to buy, sell, trade and share information, ideas, and tools to facilitate unlawful intrusions on others’ computers and electronic devices. 
Before becoming a member of Darkode, prospective members were allegedly vetted through a process in which an existing member invited a prospective member to the forum for the purpose of presenting the skills or products that he or she could bring to the group.
Darkode members allegedly used each other’s skills and products to infect computers and electronic devices of victims around the world with malware and, thereby gain access to, and control over, those devices. The takedown of the forum and the charges announced today are the result of the FBI’s infiltration, as part of Operation Shrouded Horizon, of the Darkode’s membership. The investigation of the Darkode forum is ongoing, and the U.S. Attorney’s Office of the Western District of Pennsylvania is taking a leadership role in conjunction with the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS). The charges announced today are part of a coordinated effort by a coalition of law enforcement authorities from 20 nations to charge, arrest or search 70 Darkode members and associates around the world. The nations comprising the coalition include Australia, Bosnia and Herzegovina, Brazil, Canada, Colombia, Costa Rica, Cyprus, Croatia, Denmark, Finland, Germany, Israel, Latvia, Macedonia, Nigeria, Romania, Serbia, Sweden, the United Kingdom and the United States. Today’s actions represent the largest coordinated international law enforcement effort ever directed at an online cyber-criminal forum..."

- http://arstechnica.com/security/2015/07/dozens-arrested-in-international-crackdown-on-darkode-crime-forum/
July 14, 2015

- http://www.reuters.com/article/2015/07/15/cybersecurity-usa-darkode-idUSL2N0ZV11R20150715
July 15, 2015 - "... Those charged are accused of crimes including conspiring to commit computer fraud, wire fraud and money laundering, selling and using malware programs that could steal data from computers and cellphones and using "bot" networks to take over computers and send spam email."