Pandemic of the botnets 2010
FYI...
Conficker worm - Akamai report
- http://www.computerworld.com/s/artic...y_Akamai_says?
January 15, 2010 - "Variants of the Conficker worm were still active and spreading* during the third quarter, accounting for much of attack traffic on the Internet, according to Akamai Technologies... During the third quarter, 78 percent of Internet attacks observed by Akamai targeted port 445, up from 68 percent during the previous quarter. Port 445, which is used by Microsoft Directory Services, is the same port that Conficker targets, aiming to exploit a buffer overflow vulnerability in Windows and infect the targeted computer. Most attacks originated from Russia and Brazil, which replaced China and the U.S., as the top two sources of attack traffic. Russia and Brazil accounted for 13 percent and 8.6 percent of attack traffic, respectively, Akamai said. The U.S., which came in at No. 3, accounted for 6.9 percent of attack traffic and No. 4 China accounted for 6.5 percent..."
* http://www.confickerworkinggroup.org...Tracking#toc12
Conficker Working Group
- http://www.confickerworkinggroup.org/wiki/
> http://www.team-cymru.org/Monitoring/Graphs/
- http://blog.trendmicro.com/where-in-...wnadconficker/
Jan 26, 2010
:fear::mad:
Pushdo DDoS'ing or Blending In?
FYI...
Pushdo DDoS'ing or Blending In?
- http://www.shadowserver.org/wiki/pmw...endar/20100129
29 January 2010 - "Is your site on the list we have posted here* or in the table at the bottom of this page? If so you might have noticed a massive uptick in SSL connections to your website over the past week or so. What do I mean by massive? I mean you are likely seeing an unexpected increase in traffic by several million hits spread out across several hundred thousand IP addresses... it seems the Pushdo** botnet recently made changes to its code to cause infected nodes to create junk SSL connections to approximately 315 different websites..."
* http://www.shadowserver.org/wiki/upl...shdo_sites.txt
** http://www.secureworks.com/research/threats/pushdo/
>>> (More detail at the Shadowserver URL above.)
(Hundreds) under bizarre SSL assault
- http://www.theregister.co.uk/2010/01...sl_web_attack/
29 January 2010 20:55 GMT
- http://isc.sans.org/diary.html?storyid=8125
Last Updated: 2010-01-30 11:09:16 UTC
- http://www.m86security.com/labs/i/Ma...race.1230~.asp
January 26, 2010
- http://www.darkreading.com/shared/pr...leID=222600679
Feb. 1, 2010
- http://isc.sans.org/diary.html?storyid=8131
Last Updated: 2010-02-02 15:57:18 UTC
:mad::fear::confused:
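The Shadowserver post above describes the symptom a site operator would see: millions of extra SSL hits spread across hundreds of thousands of source addresses. The following Python script is an added example, not code from the original post or from Shadowserver, of how that pattern can be picked out of a connection log. It assumes a constructed log format of timestamp, client IP and request line, with "-" when the TLS session carried no HTTP request at all (an assumption; the post only says "junk SSL connections"), and flags any minute in which most connections are request-less and come from distinct sources.

```python
"""Flag bursts of junk TLS connections: many distinct client IPs, few real requests."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the original post or from Shadowserver).
# Assumed line format: "<ISO-8601 time> <client IP> <request line, or '-' when the
# TLS session was opened but carried no HTTP request>".
SAMPLE_LOG = """\
2010-01-29T10:00:01Z 198.51.100.7 GET /index.html
2010-01-29T10:00:09Z 198.51.100.9 GET /about.html
2010-01-29T10:00:40Z 198.51.100.7 GET /news.html
2010-01-29T10:01:02Z 203.0.113.10 -
2010-01-29T10:01:03Z 203.0.113.11 -
2010-01-29T10:01:03Z 203.0.113.12 -
2010-01-29T10:01:04Z 203.0.113.13 -
2010-01-29T10:01:04Z 203.0.113.14 -
2010-01-29T10:01:05Z 203.0.113.15 -
2010-01-29T10:01:05Z 198.51.100.9 GET /contact.html
2010-01-29T10:01:06Z 203.0.113.16 -
2010-01-29T10:01:07Z 203.0.113.17 -
2010-01-29T10:02:30Z 198.51.100.7 GET /index.html
2010-01-29T10:02:31Z 198.51.100.7 -
"""


def parse_line(line):
    """Return (timestamp, client_ip, request_or_None) for one log line, or None if malformed."""
    parts = line.strip().split(maxsplit=2)
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    request = None if parts[2] == "-" else parts[2]
    return ts, parts[1], request


def detect_junk_tls_bursts(lines, min_conns=5, empty_ratio=0.8, unique_ratio=0.8):
    """Bucket connections per minute and flag minutes that look like a junk-SSL flood.

    A minute is flagged when it has at least `min_conns` connections, most of them
    carry no request (>= empty_ratio) and most come from distinct sources
    (>= unique_ratio). Normal browsing is the opposite: few sources, several
    requests each.
    """
    buckets = defaultdict(lambda: {"total": 0, "empty": 0, "ips": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, request = parsed
        key = ts.strftime("%Y-%m-%dT%H:%M:00Z")
        bucket = buckets[key]
        bucket["total"] += 1
        bucket["ips"].add(ip)
        if request is None:
            bucket["empty"] += 1

    flagged = []
    for key in sorted(buckets):
        bucket = buckets[key]
        total, empty, unique = bucket["total"], bucket["empty"], len(bucket["ips"])
        if (total >= min_conns
                and empty / total >= empty_ratio
                and unique / total >= unique_ratio):
            flagged.append({"window": key, "total": total,
                            "unique_ips": unique, "no_request": empty})
    return flagged


if __name__ == "__main__":
    for hit in detect_junk_tls_bursts(SAMPLE_LOG.splitlines()):
        print("suspicious minute {window}: {total} TLS sessions from {unique_ips} IPs, "
              "{no_request} carried no request".format(**hit))
```

The thresholds are deliberately loose for the tiny sample; on a real server you would set `min_conns` from the site's normal per-minute rate, and the unique-source ratio is what separates a botnet of this shape from a single misbehaving client.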
Russian botnet tries to kill rival
FYI...
Russian botnet tries to kill rival
- http://www.computerworld.com/s/artic...to_kill_rival?
February 9, 2010 - "An upstart Trojan horse program has decided to take on its much-larger rival by stealing data and then removing the malicious program from infected computers. Security researchers say that the relatively unknown [Spy Eye toolkit] added this functionality just a few days ago in a bid to displace its larger rival, known as Zeus. The feature, called "Kill Zeus," apparently removes the Zeus software from the victim's PC, giving Spy Eye exclusive access to usernames and passwords. Zeus and Spy Eye are both Trojan-making toolkits, designed to give criminals an easy way to set up their own "botnet" networks of password-stealing programs. These programs emerged as a major problem in 2009, with the U.S. Federal Bureau of Investigation estimating last October that they have caused $100 million in losses. Trojans such as Zeus and Spy Eye steal online banking credentials..."
- http://www.theregister.co.uk/2010/02..._bots_vs_zeus/
9 February 2010
:fear:
ZeuS infections rampant...
FYI...
ZeuS infects nearly 2,500 companies...
- http://online.wsj.com/article/SB1000...834150536.html
FEBRUARY 17, 2010 - "Hackers in Europe and China successfully broke into computers at nearly 2,500 companies and government agencies over the last 18 months in a coordinated global attack that exposed vast amounts of personal and corporate secrets to theft, according to a computer-security company that discovered the breach... Starting in late 2008, hackers operating a command center in Germany got into corporate networks by enticing employees to click on contaminated Web sites, email attachments or ads purporting to clean up viruses, NetWitness found. In more than 100 cases, the hackers gained access to corporate servers that store large quantities of business data, such as company files, databases and email. They also broke into computers at 10 U.S. government agencies... The computers were infected with spyware called ZeuS, which is available free on the Internet in its basic form... Evidence suggests an Eastern European criminal group is behind the operation, likely using some computers in China because it's easier to operate there without being caught... There are some electronic fingerprints suggesting the same group was behind a recent effort to dupe government officials and others into downloading spyware via emails purporting to be from the National Security Agency and the U.S. military..."
- http://www.theregister.co.uk/2010/02...e_hack_attack/
18th February 2010 - "... The infections by a variant of the Zeus botnet began in late 2008 and have turned more than 74,000 PCs into remote spying platforms that have siphoned highly proprietary information out of at least 10 federal agencies and thousands of companies... The researchers were also surprised to find the infected machines working hand-in-hand with malware that's generally considered to rival Zeus. More than half of the compromised PCs were also infected by Waledac..."
:fear::mad::fear:
Zeus botnet C&C - partial takedown
FYI...
Zeus botnet C&C - partial takedown
- http://www.theregister.co.uk/2010/03...zeus_takedown/
10 March 2010 - "At least a quarter of the command and control servers linked to Zeus-related botnets have suddenly gone quiet, continuing a recent trend of takedowns hitting some of the world's most nefarious cyber operations. The massive drop is the result of actions taken by two Eastern European network providers. On Tuesday, they pulled the plug on their downstream customers, including an ISP known as Troyak, according to Mary Landesman, a senior researcher with ScanSafe, a web security firm recently acquired by Cisco Systems. That in turn severed the connections of servers used to control large numbers of computers infected by a do-it-yourself crime kit known as Zeus. Landesman said she was able to confirm figures provided by Zeus Tracker that found the number of active control servers related to Zeus had dropped from 249 to 181. The takedown came on Tuesday around 10:22 am GMT and was heralded by a sudden drop off in the number of malware attacks ScanSafe blocks from affected IP addresses. The takedown is the result of two network service providers, Ukraine-based Ihome and Russia-based Oversun Mercury, severing their ties with Troyak, said Landesman, who cited data returned by Robotex.com. The move meant that all the ISP's customers, law-abiding or otherwise, were immediately unable to connect to the outside world..."
- http://www.krebsonsecurity.com/2010/...ocked-offline/
March 10, 2010 - "... Update, 4:36 p.m. ET: Sadly, it appears that Troyak — the Internet provider that played host to all these ZeuS-infested networks that got knocked offline yesterday — has since found another upstream provider to once again connect it to the rest of the Internet..."
- http://www.abuse.ch/?p=2417
March 11, 2010 - "... now being routed by RTCOMM-AS (AS8342 RTComm.RU), located in Russia..."
*** UPDATE 2010-03-11 21:30 (UTC) - "Bad news: Since Troyak started their peering with RTCOM-AS, the number of active ZeuS C&C servers has increased from 149 -up- to 191..."
*** UPDATE 2010-03-12 11:10 (UTC) ***
Another update: Troyak has changed their upstream provider again and is now being routed by NLINE-AS (AS25189 – JSC Nline)...
- http://www.google.com/safebrowsing/d...?site=AS:25189
AS:25189
- http://stopbadware.org/reports/asn/25189
AS:8342
- http://stopbadware.org/reports/asn/8342
- http://www.google.com/safebrowsing/d...c?site=AS:8342
"... 1229 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... last time suspicious content was found was on 2010-03-12... 52 site(s) on this network... appeared to function as intermediaries for the infection of 199 other site(s)... 78 site(s)... that infected 1594 other site(s)..."
- http://www.cio.com/article/572813/Af...yak_Resurfaces
:fear:
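The abuse.ch updates quoted above amount to watching one ISP's upstream change from day to day (cut off, then routed via AS8342, then via AS25189) and reading the C&C count against that. The Python below is an added example, not code from the original post or from abuse.ch, that does the same bookkeeping over BGP path observations: for a chosen origin AS it reports each point where the adjacent upstream AS changes or the prefix is withdrawn. The observations are constructed; AS8342 and AS25189 are the upstreams named in the post, AS64500 (private range) is a placeholder for the cut-off ISP because the post does not give its ASN, and AS64496/64497 are constructed collector and transit hops.

```python
"""Track which upstream AS is announcing a given origin AS, from BGP path observations."""
from collections import namedtuple

# Constructed observations, not real routing data. Assumed line format:
# "<ISO-8601 time> <prefix> <AS path, collector first and origin last, or 'withdrawn'>".
# AS64500 stands in for the cut-off ISP (ASN not given in the post); AS8342 and
# AS25189 are the upstreams the post names; AS64496/64497 are constructed hops.
OBSERVATIONS = """\
2010-03-09T09:00:00Z 192.0.2.0/24 64496 64497 64500
2010-03-09T10:22:00Z 192.0.2.0/24 withdrawn
2010-03-11T12:00:00Z 192.0.2.0/24 64496 8342 64500 64500
2010-03-11T18:00:00Z 192.0.2.0/24 64496 8342 64500
2010-03-12T11:10:00Z 192.0.2.0/24 64496 25189 64500
"""

Observation = namedtuple("Observation", "time prefix path")


def parse_observation(line):
    """Parse one line; path is a list of ASNs, or None for a withdrawal. Malformed -> None."""
    parts = line.split()
    if len(parts) < 3:
        return None
    time, prefix, rest = parts[0], parts[1], parts[2:]
    if rest == ["withdrawn"]:
        return Observation(time, prefix, None)
    try:
        return Observation(time, prefix, [int(asn) for asn in rest])
    except ValueError:
        return None


def upstream_of(path, origin_asn):
    """Return the AS adjacent to the origin in the path, skipping origin prepending.

    Returns None when there is no path, the path does not end in origin_asn, or
    the origin is the only AS in it.
    """
    if not path or path[-1] != origin_asn:
        return None
    i = len(path) - 1
    while i >= 0 and path[i] == origin_asn:
        i -= 1
    return path[i] if i >= 0 else None


def upstream_history(lines, origin_asn):
    """Return [(time, upstream_asn_or_None), ...], one entry per change of upstream."""
    history = []
    current = object()  # sentinel so the first observation is always recorded
    for line in lines:
        obs = parse_observation(line)
        if obs is None:
            continue
        upstream = upstream_of(obs.path, origin_asn)
        if upstream != current:
            history.append((obs.time, upstream))
            current = upstream
    return history


if __name__ == "__main__":
    for time, upstream in upstream_history(OBSERVATIONS.splitlines(), 64500):
        state = "unreachable" if upstream is None else "via AS%d" % upstream
        print("%s  AS64500 %s" % (time, state))
```

The repeated `64500` in the third observation shows why the helper skips prepending: without that step a prepended announcement would be reported as the origin being its own upstream. Fed with real looking-glass or route-collector output in the same shape, the history is exactly the sequence abuse.ch narrated by hand.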
Pushdo cracks captchas at MS Hotmail/Live.com/MSN webmail
FYI...
Pushdo cracks captchas at MS Hotmail/Live.com/MSN webmail
- http://blog.webroot.com/2010/03/22/p...udio-captchas/
March 22, 2010 - "A new version of Trojan-Pushu is doing some interesting stuff to bypass captchas used by Microsoft’s Hotmail/Live.com/MSN webmail services in order to spam people with links to malicious Yahoo Groups pages. The three-year-old spy (known by a variety of other aliases, including Cutwail, Pushdo, Diehard, and Rabbit) has always been, primarily, a spam bot. In this case, however, the spy is not sending spam by connecting to open mail relays or more traditional means; it’s spamming through the Hotmail/Live.com Web mail interface... during the course of the spam sessions, the spy apparently pulls down “audio captchas” and successfully sends back the correct response, which permits it to continue spamming... The spam emails themselves are short, written by someone who doesn’t have a strong grasp of English grammar..."
(Screenshots available at the URL above.)
:mad::fear: