Pandemic of the botnets 2008

[AplusWebMaster]

FYI...

- http://preview.tinyurl.com/34jw2j
March 16, 2008 (USAtoday) - "...The botnet problem shows no sign of easing. Security firm Damballa pinpointed 7.3 million unique instances of bots carrying out nefarious activities on an average day in January -- an astronomical leap from a daily average of 333,000 in August 2006. That included botnet-delivered spam, which accounted for 91 percent of all e-mails in early March, up from 64% last June, says e-mail management firm Cloudmark... smaller, multipurpose botnets spring from widely available tool kits that make it easy for anyone to infect computers, assemble a basic botnet and embark on a criminal career. Dozens of crime rings, for instance, have cropped up to run phishing Relevant Products/Services scams that lure victims into clicking on fake Web pages where they get tricked into divulging passwords and other sensitive data.
Botnets distribute phishing spam, host phishing Web pages and store phished data. Since 2005, phishers have used botnets to take aim at more than 1,750 companies and government agencies, mainly financial institutions, including 106 fresh targets in the fourth quarter of 2007, according to a survey by security data firm Cyveillance. Phishing expeditions are just one of many uses of botnets.
Some botnets crawl the Internet looking for Web pages that can be corrupted with pop-up ads selling fake anti-spyware; some implant programs on popular Web pages to harvest any sensitive personal data typed there by visitors; some repeatedly click on online advertisements to earn fraudulent "click through" revenue... Numerous indicators portend botnets are destined to increasingly corrupt consumer online transactions and range deeper into corporate and government networks..."

Botnet activity from around the world over a 7 day period
- http://damballa.com/resources/video/...tive_bots.html
(Flash video)

[AplusWebMaster]

FYI...

- http://www.brisbanetimes.com.au/arti...602625560.html
March 21, 2008 - "Hackers are paying top dollar on international blackmarkets for computers from Australia that have been unknowingly hijacked and infected with spyware. A Russian malware distribution site offers $US100 for a haul of 1000 spyware-infected Australian machines, double the price offered for US machines and 30 times more than those from Asia... The Russian site, InstallsCash, offers to pay unscrupulous website operators for every 1000 machines they infect with spyware. All the website operator has to do is insert a line of code into their web page, and anyone visiting that site is infected with spyware. For instance, someone could load the code on to their website and if the site is viewed by 100,000 Australians in a day, the site operator could earn up to $10,000 in one hit, assuming all viewers are infected. Infected machines are then added to a "botnet" controlled by InstallsCash, and the party responsible for the infection is paid accordingly..."

[AplusWebMaster]

FYI...

- http://preview.tinyurl.com/338nxq
March 27, 2008 (TrendLabs blog) - "...Interesting malware attack that seems to be (at first blush) related to the previous Banamex phishing e-mails reported last January and earlier this month. Similar to the past attacks, this malware aims to steal money by targeting customers of Banamex, the largest e-Bank in Mexico. However, instead of using DNS poisoning method as the past attacks did, this malware uses a script to change the user’s DNS settings, and also installs a botnet client that is hosted at an IRC server in a U.S. hosting provider. Based on Tello’s analysis, the infection chain is usually initiated by a fake greeting e-card that a user receives via email. This e-card contains a link, which when clicked downloads the malicious file Gusanito.exe... Trend Micro detects this file as BKDR_VBBOT.AE. The difference between this new attack and the previous attacks is that, this time around, the malicious downloaded executable does not poison the user’s HOSTS file or the local router’s DNS table. Instead, it changes the DNS from the affected user’s computer... As of this writing, there are over ~650 bots already connected to the this botnet C&C (Command & Control Server) and are most probably sending out tons of fake greeting e-cards at this very moment... The malicious link has already been submitted to Trend Micro Content Security team for processing and blocking. The appropriate law enforcement and content providers have also been alerted to this, as well."

[AplusWebMaster]

FYI...

- http://asert.arbornetworks.com/2008/...-and-insights/
March 27, 2008 - "...I don’t get to spend much time digging into big, widespread attacks or specialized exploits. However, here’s a few links from my reading this morning that help keep me informed since I can’t spend all of my time digging too deeply into every event.
- ...botconomics... basically how the botnet world has been fueling a large-scale underground economy. Have a look:
http://www.vnunet.com/vnunet/news/22...-offer-dollars ...
"...Code is typically first added to a web page which may be a phishing site, a hacked site, a site hosted on a web server or even a botnet-hosted web page. Instructions are then issued to the offending botnet computers to visit the page, then download and execute the code. Once the spyware is installed, it registers with the 'seller' and the 'affiliate' is then paid. MessageLabs explained that a simple line of code can be added to an HTML page that will in turn cause a drive-by install of spyware to the computers of any visitors to that site..."

[MadelineC]

This newsletter from Trend Micro gives some useful information and advice.

[AplusWebMaster]

Botnets 2008 - new - "Kraken"

Kraken technical details
- http://isc.sans.org/diary.html?storyid=4256
Last Updated: 2008-04-07 20:22:36 UTC - "...<Begin Commentary> If you are going to be in the malware / security research business, it is nice to let the security community know when you find what you believe to be new malware. </End Commentary>..."
(More detail at the ISC URL above.)

- http://www.theregister.co.uk/2008/04...botnet_menace/
7 April 2008 - "... It comprises over 400,000 infected machines, more than twice the size of Storm, which was previously believed to be the largest zombie network. Machines from at least 50 Fortune 500 companies have been observed to be running the malicious software that's at the heart of "Kraken," the botnet that security firm Damballa has been tracking for the last few weeks. So far, only about 20 percent of the anti-virus products out there are detecting the malware..."