Multiple botnets spread Valentine's Day SPAM/malware
FYI...
- http://preview.tinyurl.com/azlcnw
2009-02-11 - E-week.com "...Researchers at Marshal8e6* have seen three distinct campaigns from three different botnets, as well as spam attacks from botnets they have not yet identified. Most of the Valentine's Day-related spam is coming from Waledac, which appeared on the scene late in 2008. Security pros now believe the botnet is the work of the minds behind the infamous Storm botnet that made headlines in 2007. After being targeted by Microsoft's Malicious Software Removal Tool, Storm limped through most of 2008 before disappearing completely in September... In its place came Waledac, which emerged in December with a blended threat Christmas e-card campaign. Like Storm, Waledac uses a peer-to-peer connection model with fast-flux DNS (Domain Name System) hosting and encrypted communications. Today, researchers speculate that Waledac may comprise as many as 20,000 bots... In addition to Waledac, the Pushdo botnet and others have joined in with their own Valentine's Day campaigns..."
* http://marshal.com/trace/traceitem.asp?article=870
Last Reviewed: February 11, 2009 - "...Please be wary this Valentine’s day and err on the side of caution. Avoid opening Valentine’s day e-card messages unless you can clearly identify and trust the sender."
:fear::mad:
MS08-067 - Conficker B++ released...
FYI...
- http://mtc.sri.com/Conficker/#fig-libemu
Last Update: 21 February 2009 - "...the Conficker authors have released a variant of Conficker B, which significantly upgrades their ability to flash Conficker drones with Win32 binaries from any address on the Internet. Here, we refer to this variant as Conficker B++... On Feb 16, 2009, we received a new variant of Conficker. At a quick glance, this variant resembles Conficker B. In particular, it is distributed as a Windows DLL file and is packed similarly. Furthermore, dynamic analysis revealed that this domain generation algorithm was identical to that of Conficker B. Hence, we initially dismissed this as another packaging of Conficker B. However, deeper static analysis revealed some interesting differences. Overall, when we performed a comparative binary logic analysis (see Appendix 2 - Horizontal Malware Analysis) comparing Conficker B with Conficker B++, we obtained a similarity score of 86.4%. In particular, we found that out of 297 subroutines in Conficker B, only 3 were modified in Conficker B++ and around 39 new subroutines were added..."
Appendix I: Conficker Census
- http://mtc.sri.com/Conficker/#appendix-1
Appendix 2 - Horizontal Malware Analysis
- http://mtc.sri.com/Conficker/HMA/index.html
- http://blogs.technet.com/mmpc/archiv...tionality.aspx
February 20, 2009 - "... Future versions of the MSRT will detect this sample as Worm:Win32/Conficker.C* while the MSRT which was released earlier this month detects it as Worm:Win32/Conficker.B. The new sample has modifications which introduce new backdoor functionality. Previous versions of Conficker patched netapi32.dll in memory to prevent further exploitation of the vulnerability addressed by bulletin MS08-067. We’ve discovered that the new variant no longer patches netapi32.dll against all attempts to exploit it. Instead it now checks for a specific pattern in the incoming shellcode and for a URL to an updated payload. The payload only executes if it is successfully validated by the malware. However, there doesn’t appear to be an easy way for the authors to upgrade the existing Conficker network to the new variant. This change may allow the author to distribute malware to machines infected with this new variant. This might be a response to the fact that they no longer have the ability to register many of the Conficker domains... note that this is a polymorphic threat..."
* http://www.microsoft.com/security/po...%2fConficker.C
:fear::devil::mad:
Waledac coupon campaign & updated Domain List
FYI...
- http://www.shadowserver.org/wiki/pmw...endar.20090302
March 02, 2009 - ".... The domains are kept updated at the following URL:
• http://www.shadowserver.org/wiki/upl...ac_domains.txt
Waledac Domain List - Updated 03-01-2009...
We have also introduced a new URL which is all of the Waledac domains in alphabetical order with no comments or anything else. It currently has 143 domains on it and can be reached via the following URL:
• http://www.shadowserver.org/wiki/upl...ledac_list.txt
These should both be updated at the same time from now on as we add new ones to the list. Please use the domains as you see fit for detecting malicious activity and proactive blocking...
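One way to put the plain alphabetical list to the use the post suggests (detection in DNS query logs and proactive blocking), as an added example that is not part of the original post or of Shadowserver's own tooling. The domain names and the BIND-style query-log lines below are constructed for the example, not real Waledac domains; the parser assumes the list is one domain per line with no comments, as the post describes.

```python
import re

# Constructed stand-in for the plain Waledac list (one domain per line).
# These names are made up for the example and use the reserved .invalid TLD.
SAMPLE_DOMAIN_LIST = """\
example-ecard-lure.invalid
loveyoucard.invalid
cheapcoupons-now.invalid
"""

# Constructed DNS query-log lines in BIND's querylog format (assumed layout).
SAMPLE_QUERY_LOG = """\
02-Mar-2009 10:01:02.123 client 10.0.0.5#51234: query: www.loveyoucard.invalid IN A + (10.0.0.1)
02-Mar-2009 10:01:03.456 client 10.0.0.7#51235: query: update.microsoft.com IN A + (10.0.0.1)
02-Mar-2009 10:01:04.789 client 10.0.0.9#51236: query: CHEAPCOUPONS-NOW.INVALID IN A + (10.0.0.1)
02-Mar-2009 10:01:05.000 client 10.0.0.5#51237: query: notloveyoucard.invalid IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def load_domain_list(text: str) -> set:
    """Parse the one-domain-per-line list into a normalised (lower-case,
    no trailing dot) set. Blank lines and '#' comments are tolerated."""
    domains = set()
    for line in text.splitlines():
        d = line.strip().lower().rstrip(".")
        if d and not d.startswith("#"):
            domains.add(d)
    return domains


def matches_blocklist(qname: str, blocklist: set) -> bool:
    """True if qname is a listed domain or a subdomain of one. Matching on
    label boundaries avoids false positives such as 'notloveyoucard.invalid'
    being taken as a hit for 'loveyoucard.invalid'."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_hits(log_text: str, blocklist: set) -> list:
    """Return (client_ip, queried_name) for every log line whose query name
    falls under a listed domain."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_blocklist(m["qname"], blocklist):
            hits.append((m["client"], m["qname"].lower()))
    return hits


def hosts_file_entries(blocklist: set) -> list:
    """Sinkhole entries in hosts-file format for proactive blocking."""
    return [f"0.0.0.0 {d}" for d in sorted(blocklist)]


if __name__ == "__main__":
    bl = load_domain_list(SAMPLE_DOMAIN_LIST)
    for client, qname in find_hits(SAMPLE_QUERY_LOG, bl):
        print(f"ALERT {client} queried listed domain {qname}")
    print("\n".join(hosts_file_entries(bl)))
```

Feeding the real list file into `load_domain_list` and a day's query log into `find_hits` gives the client IPs worth looking at first; the hosts-file output is the simplest form of the proactive blocking the post asks for.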
New Theme & Exploits
In the last week or so too, you may have noticed that Waledac recently moved to a new theme about the Economic Crisis and having downloadable coupons. This is just the latest social engineering lure to attempt to get users to install the trojan on their system. Additionally, for some time now, Waledac has been linking to exploit code that it hosts itself. Lately the domain involved seems to frequently be "chatloveonline .com" with an iframe pointing to it and the URL "/tds/Sah7". So be on the lookout and don't visit Waledac domains to avoid the exploits."
:fear::mad:
Conficker variant - new domain algorithm generates 50,000-a-day...
FYI...
- http://preview.tinyurl.com/aegncn
03-06-2009 (Symantec Security Response Blog) - "Symantec’s ongoing monitoring of Downadup (a.k.a. Conficker) has today resulted in the observation of a completely new variant being pushed out to systems that are already infected with Downadup. After taking into account the hype surrounding some other recent reports of variants* of Downadup, Symantec is calling this new variant W32.Downadup.C. Our analysis of the sample in question is still ongoing and at an early stage, but our initial findings have already revealed some interesting new attributes for this sample. It does not seem to be using any existing or new means to spread the threat to new machines. It is targeting antivirus software and security analysis tools with the aim of disabling them... Downadup authors have now moved from a 250-a-day domain-generation algorithm to a new 50,000-a-day domain generation algorithm. The new domain generation algorithm also uses one of a possible 116 domain suffixes... The most effective step that organizations and end users can take is to ensure that their computers have up-to-date antivirus software and patches."
* https://forums2.symantec.com/t5/Mali...nt/ba-p/391186
02-23-2009 - "... new variant of Downadup (a.k.a. Conficker), which has been dubbed Downadup.B++ or Conficker.C... one could categorize Downadup into three variants..."
W32.Downadup.C
- http://www.symantec.com/business/sec...852-99&tabid=2
Updated: March 6, 2009 10:38:28 PM
Updated: March 7, 2009 5:30:25 PM
Updated: March 8, 2009 9:23:42 AM
Updated: March 11, 2009 4:12:59 PM
Type: Trojan, Worm
Infection Length: 88,576 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
:fear::fear:
Conficker variant new domain algorithm generates 50,000-a-day...
FYI...
- http://blog.trendmicro.com/new-downa...tes-more-urls/
Mar. 11, 2009 - "... yet another variant of the infamous DOWNAD family... DOWNAD (also known as Conficker) is one of the more destructive outbreak worms in the Web threat era, with numbers matching that of giant botnets Storm and Kraken... The two earlier DOWNAD worms, as of this month, have already infected a million PCs based on Trend Micro’s World Virus Tracking Center... Security researchers estimate the global infection at around nine million PCs... added features include the increased number of generated domains, from the 250 generated by the earlier variants to 50,000. While the worm only attempts to connect to around 500 randomly selected domains at a time, this modification is seen as an effort to add survivability to the DOWNAD botnet... blocking these domains is almost impossible, not only because of the daily volume, but also because there is a high possibility of legitimate domain collisions, where DOWNAD generates domains already in use by legitimate entities. Like the other DOWNAD worms, this new variant also blocks access to antivirus-related sites, as well as terminating security tools..."
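To make the blocklist-volume and collision problem in the quoted text concrete, here is an added example (not from the original post, and not Conficker's actual algorithm, which is not reproduced on this page). It uses a hypothetical date-seeded generator over a constructed pool of four suffixes, sizes the blocklist a defender would have to maintain at 250 and at 50,000 names per day, and filters out names that collide with a constructed snapshot of legitimately registered domains, since blocking those would cause outages.

```python
import hashlib
from datetime import date, timedelta

# Constructed suffix pool (the real variant is reported to use one of 116;
# these four are placeholders under the reserved .invalid TLD).
SUFFIXES = ["com.invalid", "net.invalid", "org.invalid", "info.invalid"]


def toy_dga(day: date, count: int, suffixes: list) -> set:
    """Hypothetical date-seeded generator, used only to illustrate volume.
    Each name is derived from the date and an index; 12 hex chars (48 bits)
    keeps accidental duplicates within a day negligible."""
    names = set()
    for i in range(count):
        h = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        suffix = suffixes[int(h[12:16], 16) % len(suffixes)]
        names.add(f"{h[:12]}.{suffix}")
    return names


def blocklist_for_period(start: date, days: int, per_day: int, suffixes: list) -> set:
    """Union of every day's candidate names over the period: this is what a
    blocklist must carry if it is to be in place ahead of the rendezvous."""
    out = set()
    for n in range(days):
        out |= toy_dga(start + timedelta(days=n), per_day, suffixes)
    return out


def remove_collisions(candidates: set, legitimate: set) -> tuple:
    """Split candidates into (safe_to_block, collisions). Names already in use
    by legitimate entities must be handled case by case rather than blocked."""
    collisions = candidates & legitimate
    return candidates - collisions, collisions


def compare_volumes(start: date, days: int, suffixes: list) -> dict:
    """Blocklist sizes for the pre- and post-change generation rates."""
    return {
        rate: len(blocklist_for_period(start, days, rate, suffixes))
        for rate in (250, 50_000)
    }


if __name__ == "__main__":
    start = date(2009, 4, 1)  # activation date quoted in the thread
    sizes = compare_volumes(start, 7, SUFFIXES)
    print(f"one week of names to block at 250/day: {sizes[250]:,}")
    print(f"one week of names to block at 50,000/day: {sizes[50_000]:,}")

    one_day = toy_dga(start, 50_000, SUFFIXES)
    # Constructed registrar snapshot: include one generated name on purpose
    # to simulate a collision with a legitimately registered domain.
    legitimate = {"example-shop.invalid", "example-bank.invalid", sorted(one_day)[0]}
    safe, clash = remove_collisions(one_day, legitimate)
    print(f"safe to block: {len(safe):,}; collisions needing review: {sorted(clash)}")
```

The two numbers the script prints are the whole argument of the quoted paragraph: a 250-a-day list fits in any firewall or DNS policy, a 50,000-a-day list does not, and the larger the list the more names it shares with domains that are already legitimately in use.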
W32.Downadup.C
- http://www.symantec.com/business/sec...852-99&tabid=2
Updated: March 11, 2009 - "... If the date and time is on or after 1st April 2009, it uses the date information to generate a list of domain names..."
:fear::mad::fear:
Conficker Removal Tools - updated
FYI...
Third party information on Conficker
- http://isc.sans.org/diary.html?storyid=5860
Last Updated: 2009-03-30 18:34:41 UTC ...(Version: 4)
(See "Removal Tools")
:fear:
Conficker removal tool...
FYI...
- http://windowssecrets.com/comp/090330#story1
2009-03-30 - "... Conficker.C interferes with access to sites containing the following strings (as well as scores of other strings not shown here) in any portion of the URL:
antivir, ca., cert., conficker, f-secure, kaspersky, mcafee, microsoft, msdn., msft., norton, panda, safety.live, sans., symantec, technet, trendmicro, windowsupdate
... the only people who can access the Conficker removal tools these writers recommend are people whose PCs are -not- infected with Conficker.C... BitDefender has set up a new domain from which users can download free Conficker disinfectant utilities..."
- http://www.bdtools.net/how-to-remove-downadup.php
:fear: