Asprox Spambot resurrects
FYI...
Asprox Spambot resurrects
- http://www.m86security.com/labs/i/Th...race.1345~.asp
June 5, 2010 - "... on the first day of June, the spamming resumed - this time focused on pharmaceutical campaigns. With the help of Pushdo and Bredolab downloader, it seems Asprox has risen from the dead to build another spamming bot network... analysis also highlights the intricate relationships between individual malware components, and hints at a common gang behind it all."
(Screenshots and more detail available at the URL above.)
:fear::mad:
SSH brute force attempts on the rise again
FYI...
SSH brute force attempts on the rise again...
- http://isc.sans.edu/diary.html?storyid=9031
Last Updated: 2010-06-18 12:32:51 UTC - "SSH brute force attempts seem to be on the rise again, at the SANS Internet Storm Center we have received a number of reports that a number of networks are seeing them. The source IP addresses vary with each new attempted username in the wordlist, which would indicate that the attempts are distributed through botnet(s). It only takes a single user with a weak password for a breach to occur, then with that foothold escalation and further attacks are likely next...
Reader xemaps wrote in with this log snippet:
"Whole day my server has been targeted by a botnet, attacker also changed ip each new dictionary user."
Jun 17 23:02:03 pro sshd[17444]: Invalid user mailer from 217.37.x.x
Jun 17 23:03:24 pro sshd[17460]: Invalid user mailer from 87.66.x.x
Jun 17 23:05:27 pro sshd[17617]: Invalid user mailman from 89.97.x.x
Jun 17 23:09:30 pro sshd[17639]: Invalid user mailtest from 62.2.x.x
Jun 17 23:15:44 pro sshd[17894]: Invalid user maker from 83.236.x.x
Jun 17 23:16:47 pro sshd[17925]: Invalid user mama from 84.73.x.x
Reader Ingvar wrote in with a similar pattern:
"On my home system I have seen these login attempts that start with user "aaa" and go on alphabetically from over 1000 different hosts around the world (judging from the DenyHosts reports). Normally I only see single-digit attempts per day."
Jun 17 02:14:56 MyHost sshd[808]: error: PAM: authentication error for illegal user aaa from 151.100.x.x
Jun 17 02:23:11 MyHost sshd[870]: error: PAM: authentication error for illegal user aabakken from 150.254.x.x
Jun 17 02:24:57 MyHost sshd[875]: error: PAM: authentication error for illegal user aapo from 173.33.x.x
Jun 17 02:35:23 MyHost sshd[885]: error: PAM: authentication error for illegal user abakus from 121.160.x.x
Jun 17 02:37:32 MyHost sshd[895]: error: PAM: authentication error for illegal user abas from 190.200.x.x
Jun 17 02:38:18 MyHost sshd[900]: error: PAM: authentication error for illegal user abc from 193.251.x.x
Last year ISC Handler Rick wrote up a diary* for Cyber Security Awareness Month - Day 17 - Port 22/SSH about SSH brute force attempts and some safeguards that can be implemented. Here is a brief summary:
• Deploy the SSH server on a port other than 22/TCP
• Deploy one of the SSH brute force prevention tools
• Disallow remote root logins
• Set PasswordAuthentication to "no" and use keys
• If you must use passwords, ensure that they are all complex
• Use AllowGroups to limit access to a specific group of users
• Use a chroot jail for SSH if possible
• Limit the IP ranges that can connect to SSH ..."
* http://isc.sans.edu/diary.html?storyid=7369
- http://isc.sans.edu/port.html?port=22
MORE INFO...
- http://isc.sans.edu/diary.html?storyid=9034
Last Updated: 2010-06-18 17:05:49 UTC
:mad::fear:
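The diary's point that a source address changing with every username defeats per-IP thresholds can be made concrete. Added example (not from the diary or its readers): a small Python detector run over constructed log lines modelled on the two sshd message formats quoted above, contrasting the per-source count a fail2ban-style blocker keeps with a campaign-level check on IP spread and wordlist order; thresholds and addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the two sshd formats quoted in the diary
# ("Invalid user ..." and PAM "illegal user ..."); addresses are made up.
DISTRIBUTED_LOG = """\
Jun 17 23:02:03 pro sshd[17444]: Invalid user mailer from 203.0.113.10
Jun 17 23:03:24 pro sshd[17460]: Invalid user mailer from 198.51.100.7
Jun 17 23:05:27 pro sshd[17617]: Invalid user mailman from 192.0.2.33
Jun 17 23:09:30 pro sshd[17639]: Invalid user mailtest from 203.0.113.91
Jun 17 23:15:44 pro sshd[17894]: error: PAM: authentication error for illegal user maker from 198.51.100.200
Jun 17 23:16:47 pro sshd[17925]: error: PAM: authentication error for illegal user mama from 192.0.2.8
"""

# Constructed sample of the classic single-source pattern per-IP blockers catch.
SINGLE_SOURCE_LOG = """\
Jun 17 09:00:00 pro sshd[900]: Invalid user admin from 192.0.2.77
Jun 17 09:00:01 pro sshd[901]: Invalid user admin from 192.0.2.77
Jun 17 09:00:02 pro sshd[902]: Invalid user oracle from 192.0.2.77
Jun 17 09:00:03 pro sshd[903]: Invalid user test from 192.0.2.77
"""

FAIL_RE = re.compile(r"(?:Invalid user|illegal user) (\S+) from (\S+)")

def parse_failures(text):
    """Extract (username, source_ip) from each sshd failed-login line."""
    pairs = []
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            pairs.append(m.groups())
    return pairs

def per_source_offenders(pairs, threshold=3):
    """Per-IP counting: the only view a fail2ban-style blocker has.
    A botnet that rotates IPs per username never reaches the threshold."""
    counts = Counter(ip for _, ip in pairs)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def distributed_campaign(pairs, min_attempts=5, min_ip_ratio=0.8):
    """Campaign-level view: many failures, nearly every one from a new IP,
    and usernames walking a wordlist in alphabetical order (assumed thresholds)."""
    if len(pairs) < min_attempts:
        return False
    users = [u for u, _ in pairs]
    ip_ratio = len({ip for _, ip in pairs}) / len(pairs)
    ordered = sum(a <= b for a, b in zip(users, users[1:])) / (len(users) - 1)
    return ip_ratio >= min_ip_ratio and ordered >= 0.9
```

Run both checks side by side: the distributed sample produces no per-IP offender yet trips the campaign check, while the single-source sample does the reverse.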
(More) Asprox SQL injection attacks
FYI...
(More) Asprox SQL injection attacks
- http://www.m86security.com/labs/i/An...race.1366~.asp
June 23, 2010 - "... we noticed reports of mass infections of IIS/ASP websites. The nature of these attacks reminded us of SQL injection attacks back in 2008 where Asprox was clearly involved. We suspected that the re-emergence of Asprox and these new mass website infections were not merely a coincidence. Well, this week our suspicions were confirmed when we came across another version of Asprox which started to launch both spam and SQL injection attacks. As of this writing, there are three fast-flux domains that the bot attempts to contact.
CL63AMGSTART .RU
HYPERVMSYS .RU
ML63AMGSTART .RU
These domains resolve to Asprox's control servers, which respond with spam templates, target email addresses, Asprox malware updates, as well as SQL injection attack information and lists of target ASP websites. When analyzing the new Asprox binary that we pulled from the command and control server, we noticed some interesting clues that show that Asprox is behind the latest SQL injection attacks... The Asprox bot downloads an encrypted XML file that contains a list of target ASP websites and some other information such as a Google search term to search more potential targets... So Asprox is back with a vengeance, and doing its typically Asprox-like things, namely spamming and SQL injection..."
:fear::mad:
GootKit - site infections
FYI...
GootKit - site infections
- http://www.m86security.com/labs/i/Go...race.1368~.asp
June 30, 2010 - "... attackers do not infect hundreds of web pages by hand, they use a script or a botnet to do the work for them. Some examples of this are Asprox and Gumblar, which are known for doing mass web site infections, Asprox via SQL injection and Gumblar by using stolen FTP credentials. One other such bot is known as GootKit. We came across this bot when it was installed on one of our test machines by a malicious downloader, along with a host of other malware. Most of Gootkit’s functions are implemented in scripts that are downloaded as tasks from a control server... We are unsure exactly how the control server obtained all of the FTP credentials, but most often these are stolen via keyloggers and information stealing malware installed on a website administrator's PC. Gootkit is another example that highlights the highly automated systems that attackers are using to infect web pages en masse. These systems are underpinned and driven by botnets, which give the scalability and anonymity that the cybercriminals desire."
:mad:
Zeus2 botnet takedown in UK...
FYI...
Zeus2 botnet takedown in UK...
- http://www.theregister.co.uk/2010/08...pwns_brit_pcs/
4 August 2010 - "Security researchers have uncovered the command and control network of a Zeus 2 botnet sub-system targeted at UK surfers that controlled an estimated 100,000 computers. Cybercrooks based in eastern Europe used a variant of the Zeus 2 cybercrime toolkit to harvest personal data - including bank log-ins, credit and debit card numbers, bank statements, browser cookies, client side certificates, and log-in information for email accounts and social networks - from compromised Windows systems. Trusteer researchers identified the botnet's drop servers and command and control centre before using reverse engineering to gain access to its back-end database and user interface. A log of IP addresses used to access the system, presumably by the cybercrooks that controlled it, was passed by Trusteer onto the Metropolitan Police... The original attack was probably seeded by a combination of infected email attachments and drive-by downloads, according to Amit Klein, Trusteer's chief technology officer. The Windows-based malware used to control zombie clients was a variant of the infamous Zeus cybercrime toolkit, a customisable Trojan keylogger and botnet-control client sold through underground forums that's become the sawn-off shotgun of the cybercrime economy over recent years..."
- http://www.trusteer.com/company/trus...-the-news/2010
:fear::mad: