Pandemic of the botnets 2012 ...
FYI...
Etrade DDoS attack ...
- http://www.theregister.co.uk/2012/01...n_ddos_attack/
January 5, 2012 - "... online broker ETrade, has been the target of a sustained malicious offshore generated cyber attack. The denial-of-service attack resulted in thousands of emails flooding the broking site, prompting a cessation of services from Christmas Eve to the New Year period. According to a Fairfax report*, offshore Etrade clients were the worst affected with some countries unable to access accounts for almost two weeks. An ETrade spokesperson confirmed that while overseas clients were more profoundly affected, Australian clients had intermittent access to their accounts... The Sydney Morning Herald reported** that St George customers were also affected by the attack as its online trading service is supplied by Etrade."
* http://www.theage.com.au/business/cy...104-1pl3x.html
January 5, 2012
** http://www.smh.com.au/business/st-ge...105-1pmrs.html
January 6, 2012
- http://www.theage.com.au/business/cy...104-1pl3x.html
Jan 5, 2012 - "... While a denial-of-service attack prevents customers and the business from trading, it can also mask other illegal activities. Observers say businesses that have denial-of-service attacks not only lose the value of the business they would have conducted but also goodwill and reputation with the customer base..."
Global Denial of Service
- http://atlas.arbor.net/summary/dos
Summary Report - (Past 24 hours)
:fear: :spider: :mad:
Carberp targets French broadband users
FYI...
Carberp targets French broadband users...
- https://www.trusteer.com/blog/intern...nd-subscribers
January 25, 2012 - "... recently discovered a configuration of Carberp that targets Free, a French broadband Internet service provider (ISP). The attack is designed to steal debit card and bank information using a Man in the Browser (MitB) attack. Free offers an ADSL service, called Freebox, to its customers. When subscribers visit their online account page Carberp launches an HTML Injection attack after the user has logged-in. The victim is presented with a page that claims Free is having a problem processing their monthly subscription payments with the financial institution, and requests that the user update their payment account details... The malware then asks the user to submit their payment card number, expiration date, security code (CVV2), bank name, bank address, zip code and city. The victim is told that this information must be updated in order to make monthly payments and maintain their service... This latest Carberp attack is another example of fraudsters moving downstream from online banking applications to web sites that process debit and credit card payments. By launching MitB attacks that target customers of third party service providers, rather than the banks themselves, fraudsters can prey on the trust established between the victim and a non-financial entity like an ISP..."
- http://www.infosecurity-magazine.com...e-on-the-rise/
18 January 2012
- http://www.microsoft.com/security/po...chdetails_link
___
- http://blog.eset.com/2012/01/26/face...rberp-activity
Jan 26, 2012 - "... According to our data Carberp’s main activity is confined to the region of Russia and the former Soviet republics, and this activity centered on fraud targeting the major Russian banks and stealing money from RBS (Remote Banking Service) systems... The Russian Federation is the country where the largest number of installations of Carberp has been seen*... Another interesting fact concerns a new DDoS plugin (Win32/Mishigy.AB) for Carberp. This DDoS plugin was developed in Delphi 7 and based on the network components from the Synapse TCP/IP library. Synapse components are very popular among cybercriminals for the creation of DDoS bots... Carberp is one of the biggest botnets in Russian Federation and total number of active bots is estimated to number millions of infected hosts..."
* http://blog.eset.com/wp-content/medi...at_country.png
:mad::mad:
Drive-by downloads and Blackhole
FYI...
Drive-by downloads and Blackhole
- http://www.sophos.com/en-us/security...t/html-09.aspx
26 Jan 2012 - "... The most popular drive-by malware we’ve seen recently is called Blackhole. It’s marketed and sold to cybercriminals in a typical professional crimeware kit that provides web administration capabilities. But it offers sophisticated techniques to generate malicious code. And it’s very aggressive in its use of server-side polymorphism and heavily obfuscated scripts to evade antivirus detection. The end result is that Blackhole is particularly insidious... Blackhole mainly spreads malware through compromised websites that redirect to an exploit site, although we’ve also seen cybercriminals use -spam- to redirect users to these sites. This year we’ve seen numerous waves of attacks against thousands of legitimate sites. We’ve also noticed cybercriminals abusing a number of free hosting sites to set up new sites specifically to host Blackhole. Just like the Blackhole kit itself, the code injected into the legitimate sites is heavily obfuscated and polymorphic, making it harder to detect. The typical payloads we see from Blackhole exploit sites include:
Bot-type malware such as Zbot (aka Zeus)
Rootkit droppers (for example TDL and ZeroAccess)
Fake antivirus
Typically, the malware on these sites target Java, Flash and PDF vulnerabilities. At SophosLabs we saw a continual bombardment of new PDF, Flash, Java and JavaScript components each day for several months at the end of 2011. We’ve seen a huge rise in the volume of malicious Java files, virtually all of it from exploit sites such as Blackhole..."
:mad: :sad:
Spearphishing attacks - gov't related targets worldwide
FYI...
Spearphishing attacks - gov't related targets worldwide
Malware backdoors government-targeted kit 'using Adobe 0-days'
- http://www.theregister.co.uk/2012/02...phishing_rats/
1 Feb 2012 - "... spearphishing attempts, which have been levied against several government-related organisations worldwide, try to use alleged unfixed security flaws in Adobe software to implant a Trojan on compromised machines - ultimately opening a backdoor for hackers to take over systems. Once loaded, the malware also cunningly attempts to escape detection by posing as a benign Windows Update utility..."
> http://blog.seculert.com/2012/01/msu...ce-invite.html
Jan 31, 2012 - "... Seculert and Zscaler identified similar command and control (C&C) beacon patterns... matching the domain registration info of some of the C&C observed (for example, siseau .com, vssigma .com, etc.), we linked the new "MSUpdater" Trojan to previous attacks, probably conducted by the same group... The targeted attacks... share a few similar technical parameters (thus, regarded as created by the same group of attackers) arrive in emails with a malicious PDF attachment..."
> http://research.zscaler.com/2012/01/...-targeted.html
Jan 31, 2012 - "... we analyzed the incidents that we observed and those published in the open-source to identify attack patterns and incidents from early 2009 to present... The threat arrives in phishing emails with a PDF attachment, possibly related to conferences for the particular targeted industry. The PDF exploits a vulnerability within Adobe (for example, a 0-day exploit was used against CVE-2010-2883) which then drops a series of files to begin communicating with the command and control (C&C)... The malware dropped and launched from the PDF exploit has been seen to be virtual machine (VM) aware in order to prevent analysis within a sandbox. The Trojan functionality is decrypted at run-time, and includes expected functionality, such as, downloading, uploading, and executing files driven by commands from the C&C. Communication with the C&C is over HTTP but is encoded to evade detection. The Trojan file name (e.g., "msupdate.exe") and the HTTP paths used in the C&C (e.g., "/microsoftupdate/getupdate/default.aspx") are used to stay under the radar by appearing to be related to Microsoft Windows Update - hence the name given to this Trojan. Correlating this information with open-source intelligence (OSINT), we were able to find other reports of this Trojan within past targeted incidents, as well as a link to other incidents and compromise indicators..."
___
- http://www.h-online.com/security/new...ew=zoom;zoom=1
3 February 2012
:fear::mad::fear:
Waledac malware returns... with password-stealing ...
FYI...
Waledac malware returns... with password-stealing ...
- https://www.computerworld.com/s/arti...g_capabilities
Feb 16, 2012 - "A new version of the Waledac malware has been spotted on the Internet, but unlike previous variants, which were mainly used for spamming purposes, this one steals various log-in credentials and BitCoins, a type of virtual currency... researchers from network security firm Palo Alto Networks announced in a blog post*... it also steals FTP, POP3 and SMTP user passwords, as well as .dat files for BitCoin wallets. This is the first time that Palo Alto Networks' firewall products have spotted Waledac-related activity since the original botnet was shut down two years ago... the new Waledac version is being distributed through Web sessions, probably with the help of exploits hosted on compromised websites..."
* http://www.paloaltonetworks.com/rese...ore-than-spam/
"... it is important to note that this is a -new- variant of the botnet, and not the original version..."
:fear: :mad: