Pandemic of the botnets 2009
FYI... Please do NOT visit the sites mentioned in the article!
Russia: Opposition Websites and DDoS
- http://asert.arbornetworks.com/2009/...ites-and-ddos/
January 6, 2009 - "We’re again seeing reports about political DDoS targets within Russia. This time we saw it mentioned in the blog post Russian Opposition Websites Shut Down By Attacks* from the blog The Other Russia. And again we have data to support the claims. The site www .grani .ru has come under attack from two Black Energy botnets. One of them is well known to many of us, “candy-country .com”, and the other is relatively new on the scene, 22x2x2x22 .com. Both are hard at work with HTTP floods against the site.
Kasparov .ru is back in the news and again being targeted by Black Energy botnets. 22x2x2x22 .com is striking the site, as well as the well known BE botnet ad .yandexshit .com.... the website of MSK radio, echo .msk .ru, is also under attack by these two botnets. Voices of dissent again being quieted by force.
At least some of these bots participated in the recent DDoS attacks between Russia and Georgia, but they’ve also struck non-political targets quite a bit in the past year or so. Escort sites, gambling sites, etc. Politics is a rough sport in Russia, and the use of DDoS to silence the opposition’s website shows the power of the web in getting a voice out, its value in being silenced, and possibly what’s to come in the future."
* http://preview.tinyurl.com/8nff8b
:fear::mad::fear:
2008 H2 Fast Flux Data Analysis
FYI...
2008 H2 Fast Flux Data Analysis
- http://asert.arbornetworks.com/2009/...data-analysis/
January 8, 2009 - "... Comparison and Trends
We’re seeing two trends of note with respect to 2008 with fast flux domain registrations and use. The first is the growth of .CN as a fast flux TLD. Most of the .CN domains we see registered and fluxing come through a registrar like BIZCN, whom we now treat with some suspicion. This could be due to them being negligent or completely subverted, but either way we’re not surprised to see a BizCN registration of a fluxy .CN domain name. We also think that this rapid growth in .CN as a fluxing TLD may be due to a fire sale of .CN domain registrations that occurred late in 2008.
The second big trend over 2008 is the migration away from .COM and .CN to a lot more TLDs. As we noted in our paper earlier this year, by the middle of 2008 more TLDs were being used than had been seen in Thorsten’s previous paper. By the end of 2008 even more TLDs were in use. The long tail is getting longer, meaning more registrars have to be educated and empowered to respond to abuse notices with takedowns.
2008 was a very big year for fast flux service hosting, and we’ll continue to see it in 2009. We’re working with more people to analyze such botnets and track their activities, and we’ll be reporting it here."
(Info charts available at the URL above.)
:fear:
Waledac - new tactics & new domains...
FYI...
Inauguration Themed Waledac - New Tactics & New Domains
- http://www.shadowserver.org/wiki/pmw...endar.20090119
January 19, 2009 - "...the Inauguration of Barack Obama and the Waledac trojan has been in full swing attempting to take advantage of the event. Since late last week the trojan has been blasting its way across the Internet with e-mails attempting to bring unwitting users to a page that looks a lot like the official Barack Obama website. The page is updated each day to appear to have a new blog entry... As always do NOT visit these domains as they are malicious and hosting exploit code... Click here* for a full listing of Waledac domains that we are aware of - this link will be updated as we get them. Your best bet is to block these domains or otherwise avoid them..."
* http://www.shadowserver.org/wiki/upl...ac_domains.txt
Updated 01-21-2009
:fear:
Full Waledac domain listing
FYI...
Full Waledac Domain Listing
- http://www.securityzone.org/?p=61
January 24, 2009 - "'Got the full list also being updated and posted on the Shadowserver website at the following URL:
http://www.shadowserver.org/wiki/upl...ac_domains.txt
Updated 01-25-2009 - 19:10 UTC
...Also, if you are interested in all things Waledac...
http://sudosecure.net/waledac/ "
Waledac Tracker Summary Data
- http://www.shadowserver.org/wiki/pmw...endar.20090124
January 24, 2009 - "...Add those to your block lists and do NOT visit them."
:fear:
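Both Waledac posts above end with the same advice: take the published domain listing and block it. As an added example that is not part of either post and is not Shadowserver's own tooling, the Python below applies such a listing to DNS query logs with whole-label suffix matching (so a listed domain also covers its subdomains, but does not match a longer name that merely ends in the same characters) and renders the list as DNS Response Policy Zone records. The blocklist entries and log lines are constructed placeholders, not the real Waledac domains, and the log line layout is a hypothetical one.

```python
"""Apply a domain blocklist to DNS query logs and emit RPZ records.

Added example (not from the posts above). The blocklist entries and log
lines are constructed placeholders, not the real Waledac domain listing;
the log line format 'timestamp client qname' is a hypothetical one.
"""
from __future__ import annotations

# Constructed stand-in for a downloaded domain listing (a comment, mixed
# case and a trailing dot included on purpose to exercise normalisation).
SAMPLE_BLOCKLIST_TEXT = """\
# placeholder blocklist, not real data
BAD-EXAMPLE.test
another-bad.invalid.
"""

# Constructed DNS query log: timestamp, client IP, queried name.
SAMPLE_QUERY_LOG = [
    "2009-01-25T19:10:01Z 10.0.0.5 www.bad-example.test",
    "2009-01-25T19:10:02Z 10.0.0.6 notbad-example.test",   # must NOT match
    "2009-01-25T19:10:03Z 10.0.0.7 Another-Bad.invalid.",
    "2009-01-25T19:10:04Z 10.0.0.8 www.example.org",
]


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop surrounding whitespace and the root dot."""
    return name.strip().rstrip(".").lower()


def load_blocklist(text: str) -> set[str]:
    """Parse a one-domain-per-line listing, skipping blanks and '#' comments."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.add(normalize(line))
    return entries


def matching_entry(qname: str, blocklist: set[str]) -> str | None:
    """Return the blocklist entry that covers qname, or None.

    Matching is done on whole labels, so 'bad-example.test' covers
    'www.bad-example.test' but not 'notbad-example.test'.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_query_log(lines: list[str], blocklist: set[str]) -> list[tuple[str, str, str]]:
    """Return (client, queried name, blocklist entry) for every blocked lookup."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: skip rather than crash
        client, qname = fields[1], fields[2]
        entry = matching_entry(qname, blocklist)
        if entry is not None:
            hits.append((client, normalize(qname), entry))
    return hits


def rpz_records(blocklist: set[str]) -> list[str]:
    """Render the blocklist as DNS Response Policy Zone records.

    'CNAME .' is the RPZ action that answers NXDOMAIN; the wildcard record
    covers subdomains of each listed name.
    """
    records = []
    for entry in sorted(blocklist):
        records.append(f"{entry} CNAME .")
        records.append(f"*.{entry} CNAME .")
    return records


if __name__ == "__main__":
    bl = load_blocklist(SAMPLE_BLOCKLIST_TEXT)
    for hit in scan_query_log(SAMPLE_QUERY_LOG, bl):
        print("BLOCKED", *hit)
    print("\n".join(rpz_records(bl)))
```

The label-boundary check is the part worth copying: a plain substring or `endswith` test on the raw name would either miss `www.` hosts or wrongly block every name that happens to end in a listed string.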
Russian DDoS attack against Kyrgyzstan
FYI...
Kyrgyzstan Under DDoS Attack From Russia
- http://preview.tinyurl.com/dfdf84
January 28, 2009 Secureworks blog - "Since January 18, 2009, the two primary Kyrgyzstan ISPs (www .domain .kg, www .ns .kg) have been under a massive, sustained DDoS attack almost identical in some respects to those that targeted Georgia in August 2008. Few alternatives for Internet access exist in Kyrgyzstan. With just two smaller ISPs left to handle the load, these attacks from Russian IP address space have essentially knocked most of the small, Central Asian republic offline. Some believe that this is a way to silence rhetoric from a new and relatively powerful opposition coalition whose primary aim is the removal of current government officials, especially Kyrgyz President Kurmanbek Bakiyev, and a break from the administration's policies. On the other hand, others think these attacks are part of a Russian campaign to pressure Kyrgyz President Kurmanbek Bakiyev to close US access to a key airbase, which intensified on the same day as the DDoS attacks. That airbase is a key resource in the war against Islamist militants in Afghanistan... The use of cyber militias puts distance between the Russian government and shelters it from culpability for the peacetime use of information warfare tactics. There is often a combination of motives... With modern worms capable of quickly building 1+ million strong botnet armies, will we have countermeasures and contingency plans in place when the crosshairs lock on to our own infrastructure?"
Russian 'cybermilitia' knocks Kyrgyzstan offline
- http://preview.tinyurl.com/akct9k
January 28, 2009 (Computerworld)
- http://atlas.arbor.net/
"...We are investigating ongoing DDoS issues in Kyrgyzstan..."
- http://atlas.arbor.net/summary/dos
:fear::fear:
Asprox goes phishing again
FYI...
Asprox goes phishing again
- http://www.shadowserver.org/wiki/pmw...endar.20090129
29 January 2009 - "The first time around with Asprox, we saw a little bit of phishing. The question with any botnet is "how do they make money off of this?" Phishing is certainly one way. Renting your botnet out to a phishing organization is probably an even better way. Much less risk for you, Mr. Botnet Herder. Today we saw a template update to the drones... Once you fill in some details, your form is submitted to <asprox node>... then your browser is redirected to the homepage of the real bank site. With Asprox's template capabilities, I imagine we'll see more of this."
(Screenshot and more detail available at the URL above.)
:fear::mad:
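The flow described in the post (form data submitted to a drone, then a bounce to the real bank's homepage) leaves a recognisable trace in an egress proxy log: a POST to a host outside the bank's domain that is answered with a redirect into the bank's domain. As an added example, not from the Shadowserver post and not Shadowserver's tooling, the Python below looks for exactly that pattern. The brand domain, the hosts and the log lines are constructed placeholders, and the log layout is a hypothetical one; a real deployment would read the equivalent fields from its own proxy's format.

```python
"""Flag proxy-log entries that fit a harvest-then-redirect phishing flow.

Added example (not from the Shadowserver post). The brand domain, the
hosts and the proxy log lines are constructed placeholders; the log format
'timestamp client method url status location' is a hypothetical one.
"""
from urllib.parse import urlparse

# Constructed: the legitimate domain a lure page imitates.
LEGIT_BRAND_DOMAINS = {"examplebank.test"}

# Constructed proxy log. The second line is the pattern described in the post:
# form data POSTed to a non-brand host, whose response bounces the browser
# to the real site.
SAMPLE_PROXY_LOG = [
    "2009-01-29T10:00:00Z 10.1.1.4 GET http://login-update.invalid/bank/ 200 -",
    "2009-01-29T10:00:31Z 10.1.1.4 POST http://login-update.invalid/bank/submit 302 http://www.examplebank.test/",
    "2009-01-29T10:00:32Z 10.1.1.4 GET http://www.examplebank.test/ 200 -",
    # A normal login on the real site also POSTs and redirects; it must not be flagged.
    "2009-01-29T10:05:00Z 10.1.1.9 POST http://www.examplebank.test/login 302 http://www.examplebank.test/account",
    "garbage line",
]


def in_domain(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it (whole-label match)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def is_brand_host(host: str) -> bool:
    """True if host belongs to one of the legitimate brand domains."""
    return any(in_domain(host, d) for d in LEGIT_BRAND_DOMAINS)


def parse_line(line: str):
    """Split one log line into a dict, or return None for malformed input."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, client, method, url, status, location = fields
    return {"ts": ts, "client": client, "method": method.upper(),
            "url": url, "status": status, "location": location}


def find_harvest_redirects(lines):
    """Return an alert for each POST to a non-brand host that is answered
    with a 3xx redirect whose Location points into a brand domain."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["status"].startswith("3") or rec["location"] == "-":
            continue
        post_host = urlparse(rec["url"]).hostname or ""
        redirect_host = urlparse(rec["location"]).hostname or ""
        if is_brand_host(redirect_host) and not is_brand_host(post_host):
            alerts.append({"ts": rec["ts"], "client": rec["client"],
                           "post_host": post_host, "redirect_host": redirect_host})
    return alerts


if __name__ == "__main__":
    for alert in find_harvest_redirects(SAMPLE_PROXY_LOG):
        print("ALERT", alert)
```

The check deliberately keys on the redirect target rather than on the lure host, which changes with every drone; the list of brand domains to protect is small and stable, so it is the cheaper side of the comparison to maintain.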
Botnet controllers for sale
FYI...
Botnet controllers for sale
- http://sunbeltblog.blogspot.com/2009...-for-sale.html
February 09, 2009 - "... Now, we see a development shop boasting about its work on malware. Sniffing around an iframedollars trojan, we saw a GET request to promake.me. This resulted in an additional trojan being downloaded..."
(Screenshots available at the URL above.)
:fear::fear: