Pandemic of the botnets 2008

[AplusWebMaster]

FYI...

- http://preview.tinyurl.com/34jw2j
March 16, 2008 (USAtoday) - "...The botnet problem shows no sign of easing. Security firm Damballa pinpointed 7.3 million unique instances of bots carrying out nefarious activities on an average day in January -- an astronomical leap from a daily average of 333,000 in August 2006. That included botnet-delivered spam, which accounted for 91 percent of all e-mails in early March, up from 64% last June, says e-mail management firm Cloudmark... smaller, multipurpose botnets spring from widely available tool kits that make it easy for anyone to infect computers, assemble a basic botnet and embark on a criminal career. Dozens of crime rings, for instance, have cropped up to run phishing Relevant Products/Services scams that lure victims into clicking on fake Web pages where they get tricked into divulging passwords and other sensitive data.
Botnets distribute phishing spam, host phishing Web pages and store phished data. Since 2005, phishers have used botnets to take aim at more than 1,750 companies and government agencies, mainly financial institutions, including 106 fresh targets in the fourth quarter of 2007, according to a survey by security data firm Cyveillance. Phishing expeditions are just one of many uses of botnets.
Some botnets crawl the Internet looking for Web pages that can be corrupted with pop-up ads selling fake anti-spyware; some implant programs on popular Web pages to harvest any sensitive personal data typed there by visitors; some repeatedly click on online advertisements to earn fraudulent "click through" revenue... Numerous indicators portend botnets are destined to increasingly corrupt consumer online transactions and range deeper into corporate and government networks..."

Botnet activity from around the world over a 7 day period
- http://damballa.com/resources/video/...tive_bots.html
(Flash video)

[AplusWebMaster]

FYI...

- http://www.brisbanetimes.com.au/arti...602625560.html
March 21, 2008 - "Hackers are paying top dollar on international blackmarkets for computers from Australia that have been unknowingly hijacked and infected with spyware. A Russian malware distribution site offers $US100 for a haul of 1000 spyware-infected Australian machines, double the price offered for US machines and 30 times more than those from Asia... The Russian site, InstallsCash, offers to pay unscrupulous website operators for every 1000 machines they infect with spyware. All the website operator has to do is insert a line of code into their web page, and anyone visiting that site is infected with spyware. For instance, someone could load the code on to their website and if the site is viewed by 100,000 Australians in a day, the site operator could earn up to $10,000 in one hit, assuming all viewers are infected. Infected machines are then added to a "botnet" controlled by InstallsCash, and the party responsible for the infection is paid accordingly..."

[AplusWebMaster]

FYI...

- http://preview.tinyurl.com/338nxq
March 27, 2008 (TrendLabs blog) - "...Interesting malware attack that seems to be (at first blush) related to the previous Banamex phishing e-mails reported last January and earlier this month. Similar to the past attacks, this malware aims to steal money by targeting customers of Banamex, the largest e-Bank in Mexico. However, instead of using DNS poisoning method as the past attacks did, this malware uses a script to change the user’s DNS settings, and also installs a botnet client that is hosted at an IRC server in a U.S. hosting provider. Based on Tello’s analysis, the infection chain is usually initiated by a fake greeting e-card that a user receives via email. This e-card contains a link, which when clicked downloads the malicious file Gusanito.exe... Trend Micro detects this file as BKDR_VBBOT.AE. The difference between this new attack and the previous attacks is that, this time around, the malicious downloaded executable does not poison the user’s HOSTS file or the local router’s DNS table. Instead, it changes the DNS from the affected user’s computer... As of this writing, there are over ~650 bots already connected to the this botnet C&C (Command & Control Server) and are most probably sending out tons of fake greeting e-cards at this very moment... The malicious link has already been submitted to Trend Micro Content Security team for processing and blocking. The appropriate law enforcement and content providers have also been alerted to this, as well."

[AplusWebMaster]

FYI...

- http://asert.arbornetworks.com/2008/...-and-insights/
March 27, 2008 - "...I don’t get to spend much time digging into big, widespread attacks or specialized exploits. However, here’s a few links from my reading this morning that help keep me informed since I can’t spend all of my time digging too deeply into every event.
- ...botconomics... basically how the botnet world has been fueling a large-scale underground economy. Have a look:
http://www.vnunet.com/vnunet/news/22...-offer-dollars ...
"...Code is typically first added to a web page which may be a phishing site, a hacked site, a site hosted on a web server or even a botnet-hosted web page. Instructions are then issued to the offending botnet computers to visit the page, then download and execute the code. Once the spyware is installed, it registers with the 'seller' and the 'affiliate' is then paid. MessageLabs explained that a simple line of code can be added to an HTML page that will in turn cause a drive-by install of spyware to the computers of any visitors to that site..."

[MadelineC]

This newsletter from Trend Micro gives some useful information and advice.

[AplusWebMaster]

Botnets 2008 - new - "Kraken"

Kraken technical details
- http://isc.sans.org/diary.html?storyid=4256
Last Updated: 2008-04-07 20:22:36 UTC - "...<Begin Commentary> If you are going to be in the malware / security research business, it is nice to let the security community know when you find what you believe to be new malware. </End Commentary>..."
(More detail at the ISC URL above.)

- http://www.theregister.co.uk/2008/04...botnet_menace/
7 April 2008 - "... It comprises over 400,000 infected machines, more than twice the size of Storm, which was previously believed to be the largest zombie network. Machines from at least 50 Fortune 500 companies have been observed to be running the malicious software that's at the heart of "Kraken," the botnet that security firm Damballa has been tracking for the last few weeks. So far, only about 20 percent of the anti-virus products out there are detecting the malware..."

[AplusWebMaster]

Update #2

- http://isc.sans.org/diary.html?storyid=4256
UPDATE 2 (4/8/2008 - 13:29 UTC): First things first, Emerging Threats has some test signatures to detect this botnet C&C traffic. You can see them here*. There are some Threat Expert reports on related malware that should give you a good list of hostnames to work with for right now..."
* http://doc.emergingthreats.net/bin/view/Main/OdeRoor

(More links to detailed analysis available at the ISC URL above - bottom of page there.)

[AplusWebMaster]

More on "Kraken":

- http://preview.tinyurl.com/6ff7lx
April 8, 2008 (Brian Krebs) - "...In the early days of bot infections, botmasters would have all of their infected PCs report to a particular Internet server to receive updates and instructions on what to spam or whom to attack. But those stationary control servers represent a single point of failure for botmasters: If security professionals can get them taken offline, the botmaster can lose control over his herd of infected machines, as the individual bots no longer know where to go to receive instructions and become stranded indefinitely, sort of like sheep without a shepherd. As a result, many botmasters have switched to using dynamic DNS because these services eliminate this single point of failure. Using dynamic DNS, the botmaster simply tells his bots to report to a particular domain name he controls, such as example.com, and the dynamic DNS provider takes care of making sure all infected machines know how to find the control server... Kraken also uses dynamic DNS services, but adds a twist: The authors include in the genetic makeup of the bot hidden instructions for finding brand new Web site names on the fly. Should security professionals or the dynamic DNS provider succeed in shutting down the domain name used to control the botnet, Kraken randomly creates another one, using an encryption routine built into the bot code... the advice is the same: Use anti-virus, but don't depend on it to save you from risky behaviors online. Use a firewall, keep your computer and third-party software up-to-date with the latest security patches. Don't click on links sent to you unexpectedly in e-mail or instant message... configure your computer so that you run it under a limited user account for everyday use..."

[AplusWebMaster]

More "Kraken"...

- http://asert.arbornetworks.com/2008/...sft-bulletins/
April 8, 2008 - " Kraken, the spam botnet on everyone’s minds, has soaked up a good bit of out Monday evening and today. We’re going with the popular name and dubbing it Trojan.Kraken. In short, what we know and what we don’t know:
* It’s unclear if this is a variant of Bobax or Srizbi, or something new.
* A lot of the C&Cs are dead
* We analyzed samples going back through last year
* It’s a spam botnet, doesn’t appear to harm the host otherwise
* We don’t know how big it is
We’ve spent a lot of time in ASERT in the past day dissecting samples, gathering data from the community, and looking at our own analysis. Here’s some brief notes:
* It drops a file in %SYSTEM32% with a random name (lowercase characters, 2-20 characters). It sets the following registry keys to ensure it runs:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"" =C:\WINDOWS\system32\[%random_name%].exe
"" =C:\WINDOWS\system32\[%random_name%].exe

Where the random name is between 2 and 20 characters long.
* It picks a random string of lowercase characters for a service title
* It communicates with over 150 command nodes (if they all were to resolve) for instructions and templates using UDP port 447; we’re not sure if the replies are source-spoofed or not...

AV detection for the samples varies, but the naming isn’t consistent. This doesn’t appear to be the bot that ate the Internet, however, but it does go to show you that spambots are becoming a serious problem..."

[AplusWebMaster]

FYI...

- http://preview.tinyurl.com/5qk4lk
April 9, 2008 SANS-NewsBites - "Research presented at the RSA conference estimates that the largest eleven botnets cumulatively control more than one million machines and are capable of sending out 100 billion spam emails each day. The largest botnet is believed to be one known as Srizbi, controlling an estimated 315,000 machines; Bobax claims an estimated 185,000 machines, and Storm comprises about 85,000 compromised machines. The research also aims to clarify which botnets are which, as some recent reports have said that Kraken is the largest botnet, comprising more than 400,000 machines, but Kraken is believed to be another name for Bobax."