60 billion spam emails per day...
FYI...
- http://www.techworld.com/security/ne...58&pagtype=all
09 May 2008 - "...Having compromised 300,000 PCs around the world, it was now sending out an estimated 60 billion spam emails per day on “watches, pens, male enlargement pills”, a torrent that consumed huge amounts of processing power to keep in check. “Srizbi now produces more spam than all the other botnets combined.” said Marshal’s Bradley Anstis... “Microsoft recently announced its success combating the Storm botnet with their Malicious Software Removal Tool (MSRT). The challenge now is for the security industry to collectively turn its sights on Srizbi and the other major botnets. We look forward to seeing Microsoft target Srizbi with MSRT in the near future,” said Marshal's Anstis."
* http://www.marshal.com/pages/newsitem.asp?article=646
:mad::buried:
SQL Injection Attack Tool... Asprox botnet
Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.
- http://www.secureworks.com/research/.../danmecasprox/
May 13, 2008 - Author: Joe Stewart - "Danmec is a password-stealing trojan which has been around for a couple of years, but in the last year new components have been introduced by the author, turning it into a more complete crimeware family. One of these components (developed last year) is the Asprox trojan, which is designed to create a spam botnet which appears to be solely dedicated to sending phishing emails. As of yesterday, we observed the Asprox botnet pushing an update to the infected systems, a binary with the filename msscntr32 .exe. The executable is installed as a system service with the name "Microsoft Security Center Extension", but in reality it is an SQL-injection attack tool. When launched, the attack tool will search Google for .asp pages which contain various terms, and will then launch SQL injection attacks against the websites returned by the search. The attack is designed to inject an iframe into the website source which will force visitors to download a javascript file from the domain direct84 .com. This file in turn redirects to another site, where additional malicious javascript can be found. Currently the secondary site appears to be down, however it is likely that when successful, the site attempts to exploit the visitor's web browser in order to install additional copies of either Danmec, Asprox and/or the SQL attack tool... the SQL attack tool does not spread on its own, it relies on the Asprox botnet in order to propagate to new hosts. Additionally, a similar attack technique is currently being seen spreading game-password-stealing trojans from China. Whether the tool is related or just the attack syntax is shared, it is clear that SQL injection attack activity is on the rise from multiple sources..."
:fear::fear:
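The Asprox update described above works by appending an iframe to database-backed page content so that visitors fetch a script from an off-site domain. An added example (not from the SecureWorks write-up or any product) of the kind of check a site owner can run over stored page content to spot such injections: it lists every iframe and script whose source points outside an assumed allowlist of hosts, and notes when the frame is sized to be invisible. The HTML, the allowlist and the `injected.example` / `cdn.example` hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a product page whose database-backed text has had an
# iframe appended (the pattern described in the write-up above).
SAMPLE_HTML = """<html><body>
<h1>Widgets</h1>
<p>Blue widget, $10</p>
<iframe src="http://injected.example/x.js" width="0" height="0"></iframe>
<script src="/static/app.js"></script>
<img src="http://cdn.example/logo.png">
</body></html>"""

# Assumed allowlist of hosts this site legitimately embeds content from.
ALLOWED_HOSTS = {"www.example.com", "cdn.example"}


class _EmbedCollector(HTMLParser):
    """Collect every <iframe> and <script> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            self.embeds.append((tag, dict(attrs)))


def _looks_hidden(attrs):
    """True when the element is sized or styled so the visitor never sees it."""
    if attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1"):
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_suspicious_embeds(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings for embeds that load from non-allowlisted hosts.

    Relative URLs are treated as same-origin and skipped; absolute URLs are
    reported when their host is not in the allowlist.
    """
    parser = _EmbedCollector()
    parser.feed(html)
    findings = []
    for tag, attrs in parser.embeds:
        src = attrs.get("src")
        if not src:
            continue
        host = urlparse(src).hostname
        if host is None:          # relative path: served by this site itself
            continue
        if host in allowed_hosts:
            continue
        findings.append({
            "tag": tag,
            "src": src,
            "host": host,
            "hidden": tag == "iframe" and _looks_hidden(attrs),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_embeds(SAMPLE_HTML):
        flag = "hidden " if f["hidden"] else ""
        print(f"{flag}{f['tag']} loading from off-site host {f['host']}: {f['src']}")
```

Run over an export of the affected table or over the rendered pages; a zero-sized iframe pointing at a host the site never embeds from is the tell-tale sign, and the same parser can be pointed at the raw database column values, where the injected string sits before it is ever rendered.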
Romanian Whack-A-Mole and Linux Bots
FYI...
- http://www.f-secure.com/weblog/archives/00001443.html
May 27, 2008 - "It doesn't always have to be the latest and greatest zero-day exploit that causes you to lose control of your computer or server to external attackers. Today's example comes in the relatively ancient form of brute force SSH.
We recently received a sample containing several different files:
- A psyBNC installation; legitimate software used by many for normal purposes, but it's also a common tool in an attacker's toolkit.
- And a collection of scripts, binaries, and password files that were used to scan for machines that have their SSH port open.
The binaries that were used maliciously in this case were connecting to a large public IRC network. We see quite a few of these, all headed for the same network even though it does have a working abuse address and the network's administrators actually do something to the botnet channels that get reported. In our experience, the botnets are most often run by various small gangs coming largely from eastern Europe; notably from Romania.
Once one of the botnet channels has been suppressed, it takes only a few hours for a new one to pop up in the same IRC network but under a different channel name.... The botnet in this case was made up of about forty infected Linux machines, and judging by their DNS Resource Records, most of them are either webservers or mail servers, which usually have a bit fatter Internet connection than your average Joe Consumer. The moral? Even unsophisticated attackers don't need the latest and greatest techniques if the target's passwords are weak."
:fear:
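The SSH brute-force scanning F-Secure describes leaves a very recognisable trail in sshd's log. As an added example (not part of the F-Secure post), here is a small detector that parses `Failed password` lines from a syslog-style auth log, keeps a sliding window per source address, and flags any address that exceeds a threshold of failures within the window, together with the set of usernames it tried. The log lines, the addresses and the thresholds are constructed for the example; the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches OpenSSH's failed-password line in syslog format, with or without
# the "invalid user" marker that appears when the account does not exist.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed auth.log excerpt: one address hammering several accounts in
# half a minute, one address with a single typo'd password.
SAMPLE_LOG = """\
May 27 10:00:01 web1 sshd[4121]: Failed password for root from 198.51.100.7 port 40210 ssh2
May 27 10:00:04 web1 sshd[4123]: Failed password for root from 198.51.100.7 port 40218 ssh2
May 27 10:00:09 web1 sshd[4127]: Failed password for invalid user admin from 198.51.100.7 port 40231 ssh2
May 27 10:00:12 web1 sshd[4130]: Failed password for invalid user oracle from 198.51.100.7 port 40240 ssh2
May 27 10:00:15 web1 sshd[4131]: Accepted publickey for deploy from 203.0.113.5 port 51000 ssh2
May 27 10:00:19 web1 sshd[4134]: Failed password for invalid user test from 198.51.100.7 port 40255 ssh2
May 27 10:00:23 web1 sshd[4136]: Failed password for deploy from 203.0.113.5 port 51004 ssh2
May 27 10:00:27 web1 sshd[4140]: Failed password for root from 198.51.100.7 port 40261 ssh2
"""


def parse_failed_login(line, year=2008):
    """Return (timestamp, user, ip) for a failed-password line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60), year=2008):
    """Flag source IPs with >= threshold failures inside any `window`-long span.

    Returns {ip: {"attempts": total_failures, "users": set_of_usernames}}.
    """
    recent = defaultdict(deque)      # ip -> timestamps inside the current window
    totals = defaultdict(int)
    users = defaultdict(set)
    flagged = {}
    for line in lines:
        parsed = parse_failed_login(line, year)
        if parsed is None:
            continue
        ts, user, ip = parsed
        totals[ip] += 1
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = True
    return {ip: {"attempts": totals[ip], "users": users[ip]} for ip in flagged}


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['attempts']} failures, users tried: {sorted(info['users'])}")
```

The distinct-username count is the useful second signal: a legitimate user mistyping a password produces one name, while a dictionary scanner walks through `root`, `admin`, `oracle`, `test` and so on, which is exactly the behaviour of the password-file-driven scanners in the sample F-Secure received.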
Stolen data goes to highest bidder...
FYI...
- http://www.finjan.com/Pressrelease.a...Lan=1819&lan=3
June 18, 2008 - "...discovery of a server controlled by hackers (Crimeserver) containing more than 500Mb of premium data. The data included healthcare and business related data, as well as personally identifiable information (stolen Social Security Numbers). This data is part of the premium offering that the cybercriminals operating the Crimeservers were selling to the highest bidder online. The compromised data came from all around the world and contained information from individuals, businesses, airlines and healthcare providers. The report contains examples of compromised data that Finjan found on the Crimeserver, such as:
* Compromised medical related data of hospitals and publicly owned healthcare providers
* Compromised business related data of a U.S. airline carrier
* Identity theft (stolen Social Security Numbers)..."
- http://www.finjan.com/MCRCblog.aspx?EntryId=1979
June 18, 2008 - "...The Crimeware Server Business Model cost consists of:
- Affiliation network for promoting the malicious code on the Web = a couple of cents per iframe
- Crimeware Toolkit for distributing the Trojan = between $100 - $700 (depending on its capabilities)
- A Trojan and its Command and Control (C&C) application which can be bought for only $700 by purchasing the latest ZeuS toolkit, which includes an advanced phishing Trojan that sends the data encrypted + Command & Control for remote data management and control of the Trojan botnet..."
- http://www.finjan.com/MCRCblog.aspx?EntryId=1957
June 18, 2008
:fear::spider::mad:
Fastflux botnet domains...
FYI...
- http://atlas.arbor.net/summary/fastflux
"Fastflux hosting is a technique where the nodes in a botnet are used as the endpoints in a website hosting scheme. The DNS records change frequently, often every few minutes, to point to new bots. The actual nodes themselves simply proxy the request back to the central hosting location... Many different kinds of botnets use fastflux DNS techniques, for malware hosting, for illegal content hosting, for phishing site hosting, and other such activities. These hosts are likely to be infected with some form of malware. Many times a single botnet will host several different fastflux domains at once. We try to find these distinct bot networks by looking for domains whose IPs match those of other domains... Currently monitoring 551 fastflux domains..." [2008.07.02]
More SQL Injection with Fast Flux hosting
- http://isc.sans.org/diary.html?storyid=4645
Last Updated: 2008-07-01 04:46:52 UTC
Fast Flux and New Domains for Storm
- http://asert.arbornetworks.com/2008/...ins-for-storm/
June 28, 2008 ...updated 1 July 2008
:fear::spider::mad:
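The ATLAS summary above describes two things: what fast-flux DNS looks like (short-lived records that rotate through many bot IPs) and how distinct botnets can be told apart (domains whose IPs overlap are probably served by the same bots). As an added example, not ATLAS's code, here is a small implementation of both ideas over a set of DNS observations: each domain is scored on TTL, number of distinct answer IPs and spread across network prefixes, and flagged domains are then grouped by shared IPs with a union-find. The observations, domain names, addresses and thresholds are all constructed; the /16 prefix is used as a crude stand-in for an ASN lookup.

```python
from collections import defaultdict

# Constructed DNS observations: (minutes since start, domain, TTL seconds, A records).
# Two domains rotate through overlapping pools of addresses in three prefixes;
# the third is an ordinary site with stable records and a long TTL.
OBSERVATIONS = [
    (0,  "fluxa.example", 180, ["198.51.100.10", "203.0.113.21", "192.0.2.5"]),
    (5,  "fluxa.example", 180, ["198.51.100.33", "203.0.113.7", "192.0.2.88"]),
    (10, "fluxa.example", 180, ["198.51.100.10", "203.0.113.99", "192.0.2.130"]),
    (0,  "fluxb.example", 300, ["203.0.113.7", "198.51.100.51"]),
    (5,  "fluxb.example", 300, ["192.0.2.88", "198.51.100.60"]),
    (10, "fluxb.example", 300, ["203.0.113.21", "198.51.100.70"]),
    (0,  "www.example.com", 3600, ["192.0.2.1", "192.0.2.2"]),
    (5,  "www.example.com", 3600, ["192.0.2.1", "192.0.2.2"]),
    (10, "www.example.com", 3600, ["192.0.2.1", "192.0.2.2"]),
]


def domain_stats(observations):
    """Aggregate per-domain: distinct IPs, distinct /16 prefixes, lowest TTL, lookups."""
    stats = {}
    for _, dom, ttl, ips in observations:
        s = stats.setdefault(dom, {"ips": set(), "nets": set(), "min_ttl": ttl, "lookups": 0})
        s["ips"].update(ips)
        # /16 prefix as a rough proxy for "different networks"; a real system
        # would map each IP to its ASN instead (assumption of this example).
        s["nets"].update(".".join(ip.split(".")[:2]) for ip in ips)
        s["min_ttl"] = min(s["min_ttl"], ttl)
        s["lookups"] += 1
    return stats


def is_fastflux(s, ttl_max=600, min_ips=5, min_nets=3):
    """Heuristic: short TTL, many distinct answers, spread over several networks."""
    return s["min_ttl"] <= ttl_max and len(s["ips"]) >= min_ips and len(s["nets"]) >= min_nets


def cluster_by_shared_ips(stats, flagged):
    """Union-find: domains that ever resolved to a common IP land in one cluster."""
    parent = {d: d for d in flagged}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d

    def union(a, b):
        parent[find(a)] = find(b)

    ip_to_domains = defaultdict(list)
    for d in flagged:
        for ip in stats[d]["ips"]:
            ip_to_domains[ip].append(d)
    for doms in ip_to_domains.values():
        for d in doms[1:]:
            union(doms[0], d)
    clusters = defaultdict(set)
    for d in flagged:
        clusters[find(d)].add(d)
    return [frozenset(c) for c in clusters.values()]


def analyze(observations):
    """Return (sorted list of flagged domains, list of clusters of flagged domains)."""
    stats = domain_stats(observations)
    flagged = sorted(d for d, s in stats.items() if is_fastflux(s))
    return flagged, cluster_by_shared_ips(stats, flagged)


if __name__ == "__main__":
    flagged, clusters = analyze(OBSERVATIONS)
    print("fast-flux candidates:", flagged)
    for c in clusters:
        print("likely same botnet:", sorted(c))
```

In practice the interesting output is the clustering step: a new domain that shares addresses with an already-known flux network inherits that network's attribution immediately, which is how one botnet hosting "several different fastflux domains at once" shows up as a single group rather than as unrelated alerts.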