TT-Bot + ZeuS + BlackEnergy botnets...
FYI...
TT-Bot DDoS Bot Analysis
- http://asert.arbornetworks.com/2010/...-bot-analysis/
April 1, 2010 - "We recently spotted this family in our malware zoo, another HTTP DDoS bot. This one’s identifying mark is the string “User-Agent: TT-Bot 1.0.0″ in the client requests. We do not know if this is a kit, this one appears to be in limited use. We have not explored the server-side of it... Static analysis suggests that the code is written in MS VB 6... At this time this botnet is still live and issuing commands. We do not know how big this botnet is."
ZeuS banking trojan botnet
- http://www.secureworks.com/research/threats/zeus/
March 11, 2010 - "... ZeuS is a well-known banking Trojan horse program, also known as crimeware. This trojan steals data from infected computers via web browsers and protected storage. Once infected, the computer sends the stolen data to a bot command and control (C&C) server, where the data is stored... ZeuS has evolved over time and includes a full arsenal of information stealing capabilities... observed other ZeuS databases for sale on various underground black markets. Their size is typically over 10GB, which is a botnet of approximately 23,000 infected computers (bots)... "
BlackEnergy botnet
- http://www.forbes.com/2010/03/03/cyb...nks_print.html
03.03.10 - "... Secureworks issued a report describing a new cybercriminal group that aims a one-two punch at banks. First it collects banking customers' passwords using a variation of the so-called BlackEnergy software, which has infected thousands of computers worldwide to create a "botnet" of hijacked machines. The machines use the collected passwords to move funds into the hackers' accounts, and then typically delete files from the user's computer to cover their tracks. But what follows that fraud is an unlikely step: a cyberattack known as a "distributed denial-of-service," using a flood of data requests from the infected computers to take down the company's online banking service. "The same botnet that's being used to steal money from banks is launching these denial-of-service attacks on them," says Secureworks* researcher Joe Stewart..."
* http://www.secureworks.com/research/.../blackenergy2/
March 3, 2010 - "BlackEnergy, a popular DDoS Trojan, gained notoriety in 2008 when it was reported to have been used in the cyber attacks launched against the country of Georgia in the Russia/Georgia conflict. BlackEnergy was authored by a Russian hacker. A comprehensive analysis* of the version of BlackEnergy circulating at the time was done in 2007 by Arbor Networks... There is no distinct antivirus trojan family name that corresponds to the BE2 dropper or rootkit driver. Antivirus engines that detect it either label it with a generic name, or as another trojan - most often it is mis-identified as "Rustock.E", another rootkit trojan from a different malware family. The BlackEnergy rootkit does share some techniques in common with the Rustock rootkit..."
* http://atlas-public.ec2.arbor.net/do...t+Analysis.pdf
"... HTTP-based botnet used primarily for DDoS attacks..."
- http://blogs.forbes.com/firewall/201...t-malware-now/
March 30, 2010
:mad::fear::mad::sad:
Koobface spreads on Facebook and Twitter
FYI...
Koobface spreads on Facebook and Twitter
- http://www.theregister.co.uk/2010/04...face_takedown/
23 April 2010 - "Security experts in Hong Kong last week succeeded in taking down a key component of the Koobface botnet, only to witness the system popping up in China. The Koobface FTP grabber component uploaded stolen FTP user names and passwords to the remote server, which was under the control of cybercrooks... In response, the Koobface gang moved their server to a hosting firm in China. Last month the command and control servers associated with Koobface underwent a complete refresh... Koobface spreads via messages on social networking sites like Facebook and Twitter. Cybercrooks behind the sophisticated malware make their money by distributing scareware packages onto compromised machines, and by other cyberscams, including information harvesting. The worm gets less press than the malware associated with the Google China attacks or the high-profile Conficker worm, though experts consider it both more sophisticated and a bigger security threat..."
* http://blog.trendmicro.com/koobface-...ting-to-china/
:mad:
ZeuS/ZBOT tries out file infection
FYI...
ZeuS/ZBOT tries out file infection
- http://blog.trendmicro.com/zeuszbot-...ile-infection/
Apr. 27, 2010 - "ZeuS/ZBOT is best known for its information-stealing routines via the use of configuration files downloaded from their home sites... Cybercriminals have thus tried utilizing drive-by downloads, spammed messages, worm propagation, and many more ways. This time, they are trying out file infection. The malware detected by Trend Micro as PE_ZBOT.A injects code into target files and modifies its entry point to redirect to its code. This allows the malware to run its code whenever the infected file is executed. It then attempts to connect to the remote sites from which it downloads and executes malicious files that allow it to steal information from an affected system. The downloaded files are detected as TROJ_KRAP.SMDA and TSPY_ZBOT.SMAP. Once it completes its routine, it returns control of the affected system to its host file. This only shows that cybercriminals are continuously finding new ways to make sure they do not go out of business. The best way to protect one’s system is to be aware of the many techniques cybercriminals use and to keep security solutions and other pertinent applications patched and up-to-date."
:fear::mad:
Botnets battle for digital real estate
FYI...
Botnets battle for digital real estate
- http://www.fortinet.com/press_releases/100503.html
May 3, 2010 - "... April 2010 Threatscape report* showed high activity from multiple botnets, namely Gumblar and Sasfis. While Gumblar remained in the No. 1 position in Fortinet's Top 10 Network Attacks list, the Sasfis botnet ranking was bolstered by two of its executables prevalent in Fortinet's Antivirus Top 10 listing. Like Bredolab, Sasfis is a botnet loader that reports statistics and retrieves/executes files upon check-in. However, Sasfis differs since it is newer and does not employ encryption (all communications are sent through HTTP unencrypted). Nonetheless, Sasfis continues to spread aggressively and typically loads banking trojans among other malicious files... Additional key threat activities for the month of April include:
• Microsoft vulnerabilities...
• Adobe Acrobat vulnerabilities...
• Ransomware and Scareware still top virus detection...
• Cutwail spambot leveraged for money mule recruitment..."
* http://www.fortiguard.com/report/rou...pril_2010.html
:fear::mad:
ISS - aftermath of doc.pdf, statistics, payload, and spam
FYI...
ISS - aftermath of doc.pdf, statistics, payload, and spam
- http://blogs.iss.net/archive/aftermathofdocpdf.html
May 03, 2010 - "It looks like the onslaught of spam email containing doc.pdf is mostly behind us... At the peak of the attacks, we received 85,000+ alerts in a single day, even if the attacker was successful at a 10% rate of infection that’s easily 8500 infections. This is not even considering the amount of these attacks worldwide which would be assumed in the millions... The SPAM email was sent from various SMTP servers globally, which appears to be originating from a botnet, looking to expand its troops... yet another potentially huge Zeus/Zbot botnet was created or expanded all through spam email. Zeus is a force to be reckoned with its expanding and updated code base into version 2.0. Zeus version 2.0 has new infection measures, new encryption, windows 7 support and a long list of new features. The evolving threat is not going away anytime soon, so we must all remain vigilant in protecting our networks."
:fear::mad:
SPAM botnet activity - last week
FYI...
SPAM botnet activity - last week
- http://www.m86security.com/labs/i/Ca...race.1316~.asp
May 5, 2010 - "... Other than Mega-D and Maazben which exclusively spam out links to Canadian Pharmacy and Casino websites respectively, the top spam botnets promote a range of brands. This could either be because the botnet controllers belong to multiple affiliate programs or because they rent out spamming capacity to different people who are affiliates trying to promote their chosen brand... top six affiliate brands, promoted in 90 percent of spam in the last week, was sent by the top spam botnets. Some of the botnets involved in sending this stuff have a huge amount of spamming capacity, like Rustock which is currently sending around 40 percent of the spam we see. As such, botnet operators have the ability to greatly influence the market shares of affiliate programs simply by changing their spam templates..."
(Charted/available at the URL above.)
:fear::mad:
Zbot/ZeuS - cybercriminals on the offensive
FYI...
Zbot/ZeuS - cybercriminals on the offensive
- http://www.securelist.com/en/analysi...ation_begins#2
29 Apr 2010 Kaspersky Lab - "... More and more frequently these days, we hear about successful attacks perpetrated by the cybercriminals against the clients of financial organizations... One recent classic example comes from the Zbot-toolkit family, which is also known as ZeuS... widespread geographic diversity ensures the longevity of the botnet. As recent practice has shown, the botnet cannot be destroyed by merely closing down a few of the hosting sites. On 9 March... ZeuS Tracker noticed an abrupt decrease in the number of control centers and saw that it correlated with the disconnection of an Internet Service Provider by the name of Troyak... Troyak found a new teleservices provider and by 13 March the number of control centers had increased to more than 700 again... These botnets act as greenhouses for the propagation of financial malware. It is with this kind of malware that the cybercriminals steal users’ money most readily, and they are constantly finding new victims. The numbers clearly show an increase in the quantity of malicious programs targeting the clients of banks and other financial organizations over the past few years... Without state support very little will ever be accomplished in the fight against cybercrime. The problem will remain unresolved until such times that effective and efficient mechanisms exist for the necessary communication and interaction to take place between the relevant authorities."
(More detail and graphs available at the URL above.)
:mad:
Avalanche botnet - TROYAK-AS connection
FYI...
Avalanche botnet - TROYAK-AS connection...
- http://ddanchev.blogspot.com/2010/05...troyak-as.html
May 13, 2010 - "According to the latest APWG Global Phishing Survey*:
'... by mid-2009, phishing was dominated by one player as never before the Avalanche phishing operation. This criminal entity is one of the most sophisticated and damaging on the Internet, and perfected a mass-production system for deploying phishing sites and "crimeware" - malware designed specifically to automate identity theft and facilitate unauthorized transactions from consumer bank accounts. Avalanche was responsible for two-thirds (66%) of all phishing attacks launched in the second half of 2009...'
The Avalanche botnet's ecosystem is described by PhishLabs** as:
'Cutwail aka PushDo is a spamming trojan being used to send out massive amounts of spam with links (or lures) to phishing pages or pages that ask the users to download and run programs. Those programs invariably turn out to be instances of the Zeus/ZBot/WNSPOEM banking Trojan. There are also unrelated criminals that also use Zeus Trojans to steal online banking information that are not related to this set of scams. The Avalanche botnet is the middle-step between the spamming botnet and Trojans that steal banking information...'
One of the most notable facts about the botnet, is their persistent interaction with the TROYAK-AS cybercrime-friendly ISP, where they used to host a huge percentage of their ZeuS C&Cs, next to the actual client-side exploit serving iFrame domains/IPs, found on each and every of their phishing pages..."
* http://www.antiphishing.org/reports/...vey_2H2009.pdf
** http://www.phishlabs.com/blog/ - http://www.phishlabs.com/blog/archives/176
(More detail and info available at the //ddanchev URL above.)
- http://www.theregister.co.uk/2010/05...shing_attacks/
13 May 2010
- http://sunbeltblog.blogspot.com/2010...thirds-of.html
May 14, 2010
:mad: