
Thread: Pandemic of the botnets 2008

  #11 AplusWebMaster (Adviser Team; USA; joined Oct 2005; 6,881 posts)

    FYI...

    Loads.CC Bot still live...
    - http://asert.arbornetworks.com/2008/...till-targeted/
    April 17, 2008 - "Enough has been written about the Loads.CC team to probably give you enough of a picture that you need to know. Some reports suggested they went away, but they didn’t. They’re still active. See these reports by RBN exploit*, CIO magazine**, 2-viruses.com***, this PC Week article**** by Scott B, and Adam T for a good background. The team is still quite active. They came up in some analysis earlier this week when we looked at an infection chain. I started digging and found that they’re still churning out new malware install sites with great regularity..."

    * http://rbnexploit.blogspot.com/2007/...and-their.html

    ** http://www.cio.com/article/135451/Ho...econd_Unfolds_

    *** http://www.2-viruses.com/article-loa...rs-for-hackers

    **** http://www.pcworld.com/article/id,13...s/article.html

    (Activity charts - see the ArborNetworks URL above.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  #12 AplusWebMaster (Adviser Team)

    FYI...

    Bot counts
    - http://www.shadowserver.org/wiki/pmw...tats.BotCounts
    20 April 2008 - "... Because there is not any consensus on what that lifespan might be, we have created an entropy value for all of our counts. We actually implemented it in the middle of 2007 to deal with the rampant increase of our bot/infected system counts. We realized that we may have artificially inflated the numbers that we were presenting. We suspect a lot of the values that are seen in the press or the many security reports are inflated for the same reasons.

    We have three entropy values that we present for each of our graphs. The first is the one that we have been using since we started aging the data, which is a 30-day entropy. This assumes that if no activity on a specific IP was seen within 30 days, that IP should be considered dead for the purposes of counting infected systems. To further this analysis, we have also added in 10-day and 5-day entropy charts to reflect even smaller expected lifespans of an infected system. We do not know what the correct value may be, but we suspect it is somewhere between the 10-day and 30-day charts."

    (Charts available at the URL above.)
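
The aging rule Shadowserver describes above, as an added example (not Shadowserver's code): an IP with no activity in the last N days is dropped from the count, so a long-lived IP is not counted forever. The sightings below are constructed sample data using documentation-range addresses, and the 30/10/5-day windows are the ones named in the post.

```python
"""Infected-IP counts with an aging window (Shadowserver's 'entropy').

Added example, not Shadowserver's code. It shows the aging rule described
in the post above: an IP with no activity in the last N days is treated as
dead and dropped from the count, so long-lived IPs are not counted forever.
The sightings below are constructed sample data, not real bot IPs.
"""
from datetime import date, timedelta

# Constructed sample: (date the IP was seen in sinkhole/C&C traffic, IP).
SIGHTINGS = [
    (date(2008, 3, 1), "198.51.100.10"),
    (date(2008, 3, 2), "198.51.100.10"),
    (date(2008, 3, 5), "203.0.113.7"),
    (date(2008, 3, 30), "203.0.113.8"),
    (date(2008, 4, 10), "198.51.100.10"),
    (date(2008, 4, 12), "192.0.2.44"),
    (date(2008, 4, 18), "192.0.2.44"),
    (date(2008, 4, 19), "203.0.113.9"),
]
AS_OF = date(2008, 4, 20)  # the day the report is generated


def last_seen(sightings):
    """Map each IP to the most recent date it was observed."""
    seen = {}
    for day, ip in sightings:
        if ip not in seen or day > seen[ip]:
            seen[ip] = day
    return seen


def cumulative_count(sightings):
    """Naive count: every IP ever seen, never aged out (inflates over time)."""
    return len({ip for _, ip in sightings})


def aged_count(sightings, as_of, window_days):
    """Count IPs whose last sighting is within the last `window_days` days.

    An IP last seen exactly `window_days` ago still counts; one day older
    and it is considered dead for counting purposes.
    """
    cutoff = as_of - timedelta(days=window_days)
    return sum(1 for day in last_seen(sightings).values() if day >= cutoff)


def entropy_report(sightings, as_of, windows=(30, 10, 5)):
    """Cumulative count next to the aged counts for each window."""
    report = {"cumulative": cumulative_count(sightings)}
    for w in windows:
        report[f"{w}-day"] = aged_count(sightings, as_of, w)
    return report


if __name__ == "__main__":
    for name, n in entropy_report(SIGHTINGS, AS_OF).items():
        print(f"{name:>10}: {n}")
```

On the sample data the cumulative count is 5, while the 30-, 10- and 5-day windows give 4, 3 and 2: the same feed, aged differently, yields the spread of "infected system" numbers the post warns about. Which window is right depends on how long an infection really lives, which is the open question in the quoted text.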

  #13 AplusWebMaster (Adviser Team)

    FYI...

    China's botnet problem grows
    - http://www.securityfocus.com/brief/726
    2008-04-21 - "Computers infected by Trojan horse programs and bot software are the greatest threat to China's portion of the Internet, with compromises growing more than 20-fold in the past year, the nation's Computer Emergency Response Team (CN-CERT) stated in its 2007 annual report released last week. The response organization found that the number of Chinese Internet addresses with one or more infected systems increased by a factor of 22 in 2007. The report... estimates that, of 6.23 million bot-infected computers on the Internet, about 3.62 million are in China's address space. Trojan horse programs are responsible for a range of issues, from privacy breaches to economic losses, CN-CERT said in the report... A nod to Dancho Danchev's blog*, which first noted the release of the report..."
    * http://ddanchev.blogspot.com/2008/04...port-2007.html


  #14 AplusWebMaster (Adviser Team)

    60 billion spam emails per day...

    FYI...

    - http://www.techworld.com/security/ne...58&pagtype=all
    09 May 2008 - "...Having compromised 300,000 PCs around the world, it was now sending out an estimated 60 billion spam emails per day on “watches, pens, male enlargement pills”, a torrent that consumed huge amounts of processing power to keep in check. “Srizbi now produces more spam than all the other botnets combined,” said Marshal’s Bradley Anstis... “Microsoft recently announced its success combating the Storm botnet with their Malicious Software Removal Tool (MSRT). The challenge now is for the security industry to collectively turn its sights on Srizbi and the other major botnets. We look forward to seeing Microsoft target Srizbi with MSRT in the near future,” said Marshal's Anstis."
    * http://www.marshal.com/pages/newsitem.asp?article=646


  #15 AplusWebMaster (Adviser Team)

    SQL Injection Attack Tool... Asprox botnet

    Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

    - http://www.secureworks.com/research/.../danmecasprox/
    May 13, 2008 - Author: Joe Stewart - "Danmec is a password-stealing trojan which has been around for a couple of years, but in the last year new components have been introduced by the author, turning it into a more complete crimeware family. One of these components (developed last year) is the Asprox trojan, which is designed to create a spam botnet which appears to be solely dedicated to sending phishing emails. As of yesterday, we observed the Asprox botnet pushing an update to the infected systems, a binary with the filename msscntr32 .exe. The executable is installed as a system service with the name "Microsoft Security Center Extension", but in reality it is an SQL-injection attack tool. When launched, the attack tool will search Google for .asp pages which contain various terms, and will then launch SQL injection attacks against the websites returned by the search. The attack is designed to inject an iframe into the website source which will force visitors to download a javascript file from the domain direct84 .com. This file in turn redirects to another site, where additional malicious javascript can be found. Currently the secondary site appears to be down, however it is likely that when successful, the site attempts to exploit the visitor's web browser in order to install additional copies of either Danmec, Asprox and/or the SQL attack tool... the SQL attack tool does not spread on its own, it relies on the Asprox botnet in order to propagate to new hosts. Additionally, a similar attack technique is currently being seen spreading game-password-stealing trojans from China. Whether the tool is related or just the attack syntax is shared, it is clear that SQL injection attack activity is on the rise from multiple sources..."

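
The injected-iframe outcome described above, from the site owner's side, as an added example (not SecureWorks' code): the Asprox tool plants an <iframe> in the source of SQL-injected .asp sites so that visitors fetch a script from an attacker domain. One way to catch that is to scan the HTML the site serves, or the database text columns it is rendered from, for iframe and script references to hosts outside an allow-list. The HTML, hostnames (malicious.example, cdn.example.com) and content rows below are constructed for the example.

```python
"""Scan page HTML for iframes/scripts that load from hosts you do not own.

Added example, not SecureWorks' code. The Asprox tool described above plants
an <iframe> in the source of SQL-injected sites so visitors fetch a script
from an attacker domain. A site owner can catch that by scanning the HTML
the site serves (or the database text columns it is built from) for iframe
and script references to hosts outside an allow-list. The HTML, hostnames
and database rows below are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class OffsiteRefFinder(HTMLParser):
    """Collect <iframe src> and <script src> whose host is not allow-listed."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        src = dict(attrs).get("src")
        if not src:
            return  # inline script or iframe without src
        host = urlsplit(src).hostname
        # Relative URLs have no host and are served by the site itself.
        if host and host.lower() not in self.allowed:
            self.hits.append((tag, src))


def find_offsite_refs(html, allowed_hosts):
    """Return [(tag, src), ...] for every off-site iframe/script in `html`."""
    finder = OffsiteRefFinder(allowed_hosts)
    finder.feed(html)
    finder.close()
    return finder.hits


def scan_rows(rows, allowed_hosts):
    """Check (row_id, text) pairs, e.g. a CMS content table, for injected tags.

    Stored injection lands in text columns, so scanning the rows catches it
    before the page is even rendered.
    """
    return [row_id for row_id, text in rows if find_offsite_refs(text, allowed_hosts)]


# Constructed sample page and content rows (hostnames are placeholders).
ALLOWED = {"www.example.com", "cdn.example.com"}
SAMPLE_PAGE = """<html><head><title>News</title>
<script src="/js/site.js"></script></head>
<body><h1>Welcome</h1>
<p>Latest news item.</p>
<iframe src="http://malicious.example/x.js" width="0" height="0"></iframe>
<script src="http://cdn.example.com/lib.js"></script>
</body></html>"""
SAMPLE_ROWS = [
    (1, "<p>Opening hours are 9 to 5.</p>"),
    (2, '<p>Sale!</p><iframe src="http://malicious.example/x.js"></iframe>'),
    (3, '<p>Map</p><script src="https://cdn.example.com/map.js"></script>'),
]

if __name__ == "__main__":
    print(find_offsite_refs(SAMPLE_PAGE, ALLOWED))
    print(scan_rows(SAMPLE_ROWS, ALLOWED))
```

The allow-list is the key design choice: rather than matching a known bad domain (the post itself notes the secondary site was already down, and such domains rotate), the scan flags anything that loads from a host the site does not expect to use. Running it over the content table as well as the rendered pages matters because the injection is stored in the database, not in the page templates.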

  #16 djpailo (Senior Member; joined Oct 2005; 126 posts)

    Do the current anti-spyware products secure us against bots?

  #17 tashi (Member of Team Spybot; USA; joined Oct 2005; 30,955 posts)

    Quote (originally posted by djpailo): Do the current anti-spyware products secure us against bots?
    Hi djpailo,

    Web Alerts only. Do not ask support questions in this forum please.
    You might want to ask your question in the Tavern: http://forums.spybot.info/forumdisplay.php?f=19 and get feedback there.

    For questions regarding our product: Spybot-S&D Forums

    Cheers.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  #18 AplusWebMaster (Adviser Team)

    Romanian Whack-A-Mole and Linux Bots

    FYI...

    - http://www.f-secure.com/weblog/archives/00001443.html
    May 27, 2008 - "It doesn't always have to be the latest and greatest zero-day exploit that causes you to lose control of your computer or server to external attackers. Today's example comes in the relatively ancient form of brute force SSH.
    We recently received a sample containing several different files:
    - A psyBNC installation; legitimate software used by many for normal purposes, but it's also a common tool in an attacker's toolkit.
    - And a collection of scripts, binaries, and password files that were used to scan for machines that have their SSH port open.
    The binaries that were used maliciously in this case were connecting to a large public IRC network. We see quite many of these, all headed for the same network even though it does have a working abuse address and the network's administrators actually do something to the botnet channels that get reported. In our experience, the botnets are most often run by various small gangs coming largely from eastern Europe; notably from Romania.
    Once one of the botnet channels has been suppressed, it takes only a few hours for a new one to pop up in the same IRC network but under a different channel name.... The botnet in this case was made up of about forty infected Linux machines, and judging by their DNS Resource Records, most of them are either webservers or mail servers, which usually have a bit fatter Internet connection than your average Joe Consumer. The moral? Even unsophisticated attackers don't need the latest and greatest techniques if the target's passwords are weak."

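
Detecting the brute-force SSH activity the F-Secure post describes, as an added example (not F-Secure's code): the function below reads OpenSSH auth log lines, counts failed password logins per source IP, flags sources over a threshold, and reports any account that then accepted a password from a flagged source, which is the "weak password" outcome the post ends on. The log lines are constructed in OpenSSH's syslog format with documentation-range IPs, and the threshold of 3 is an arbitrary choice for the sample.

```python
"""Flag SSH brute-force sources in sshd auth log lines.

Added example, not F-Secure's code. The F-Secure post above describes bots
that scan for open SSH ports and guess passwords from word lists. The
functions below read OpenSSH auth.log lines, count failed password logins
per source IP, flag sources that exceed a threshold, and report a
successful password login from a flagged source as a likely compromise.
The log lines are constructed, with documentation-range IPs.
"""
import re
from collections import defaultdict

# OpenSSH syslog format:
# "<ts> <host> sshd[<pid>]: Failed|Accepted password for [invalid user ]<user> from <ip> port <n> ssh2"
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
May 27 03:14:01 web1 sshd[2231]: Failed password for invalid user oracle from 198.51.100.23 port 51122 ssh2
May 27 03:14:03 web1 sshd[2233]: Failed password for invalid user test from 198.51.100.23 port 51130 ssh2
May 27 03:14:05 web1 sshd[2235]: Failed password for root from 198.51.100.23 port 51141 ssh2
May 27 03:14:07 web1 sshd[2237]: Failed password for root from 198.51.100.23 port 51150 ssh2
May 27 03:14:09 web1 sshd[2239]: Accepted password for root from 198.51.100.23 port 51162 ssh2
May 27 03:20:11 web1 sshd[2301]: Failed password for alice from 203.0.113.9 port 40022 ssh2
May 27 03:20:15 web1 sshd[2303]: Accepted publickey for alice from 203.0.113.9 port 40022 ssh2
May 27 03:21:00 web1 sshd[2310]: Connection closed by 192.0.2.5 port 33000 [preauth]
"""


def parse_sshd(lines):
    """Yield (result, user, ip) for each password login attempt; skip other lines."""
    for line in lines:
        m = SSHD_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")


def brute_force_report(lines, threshold=3):
    """Per-IP summary of password-guessing activity.

    Returns {ip: {"failures": n, "users_tried": set, "accepted": set, "flag": bool}}
    where flag is True when failures >= threshold. A non-empty 'accepted' set
    on a flagged IP means a guessed password worked.
    """
    stats = defaultdict(lambda: {"failures": 0, "users_tried": set(), "accepted": set()})
    for result, user, ip in parse_sshd(lines):
        if result == "Failed":
            stats[ip]["failures"] += 1
            stats[ip]["users_tried"].add(user)
        else:
            stats[ip]["accepted"].add(user)
    for s in stats.values():
        s["flag"] = s["failures"] >= threshold
    return dict(stats)


def compromised_accounts(lines, threshold=3):
    """(ip, user) pairs where a password was accepted from a flagged brute-force source."""
    report = brute_force_report(lines, threshold)
    return sorted(
        (ip, user)
        for ip, s in report.items() if s["flag"]
        for user in s["accepted"]
    )


if __name__ == "__main__":
    for ip, s in brute_force_report(SAMPLE_LOG.splitlines()).items():
        print(ip, s)
    print("likely compromised:", compromised_accounts(SAMPLE_LOG.splitlines()))
```

The "invalid user" variants (oracle, test) are the word-list signature: a scanner tries account names that do not exist on the box before it gets to root. The public-key login from 203.0.113.9 is deliberately not matched, since the regex only covers password authentication, which is the only method a password-guessing bot can abuse.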

  #19 AplusWebMaster (Adviser Team)

    FYI...

    Stolen data goes to highest bidder...
    - http://www.finjan.com/Pressrelease.a...Lan=1819&lan=3
    June 18, 2008 - "...discovery of a server controlled by hackers (Crimeserver) containing more than 500Mb of premium data. The data included healthcare and business related data, as well as personal identifiable information (stolen Social Security Numbers). This data is part of the premium offering that the cybercriminals operating the Crimeservers were selling to the highest bidder online. The compromised data came from all around the world and contained information from individuals, businesses, airlines and healthcare providers. The report contains examples of compromised data that Finjan found on the Crimeserver, such as:
    * Compromised medical related data of hospitals and publicly owned healthcare providers
    * Compromised business related data of a U.S. airline carrier
    * Identity theft (stolen Social Security Numbers)..."

    - http://www.finjan.com/MCRCblog.aspx?EntryId=1979
    June 18, 2008 - "...The Crimeware Server Business Model cost consists of:
    - Affiliation network for promoting the malicious code on the Web = a couple of cents per iframe
    - Crimeware Toolkit for distributing the Trojan = between $100 - $700 (depending on its capabilities)
    - A Trojan and its Command and Control (C&C) application which can be bought for only $700 by purchasing the latest ZeuS toolkit, which includes an advanced phishing Trojan that sends the data encrypted + Command & Control for remote data management and control of the Trojan botnet..."
    - http://www.finjan.com/MCRCblog.aspx?EntryId=1957
    June 18, 2008


  #20 AplusWebMaster (Adviser Team)

    Fastflux botnet domains...

    FYI...

    - http://atlas.arbor.net/summary/fastflux
    "Fastflux hosting is a technique where the nodes in a botnet are used as the endpoints in a website hosting scheme. The DNS records change frequently, often every few minutes, to point to new bots. The actual nodes themselves simply proxy the request back to the central hosting location... Many different kinds of botnets use fastflux DNS techniques, for malware hosting, for illegal content hosting, for phishing site hosting, and other such activities. These hosts are likely to be infected with some form of malware. Many times a single botnet will host several different fastflux domains at once. We try to find these distinct bot networks by looking for domains whose IPs match those of other domains... Currently monitoring 551 fastflux domains..." [2008.07.02]

    More SQL Injection with Fast Flux hosting
    - http://isc.sans.org/diary.html?storyid=4645
    Last Updated: 2008-07-01 04:46:52 UTC

    Fast Flux and New Domains for Storm
    - http://asert.arbornetworks.com/2008/...ins-for-storm/
    June 28, 2008 ...updated 1 July 2008

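
The grouping step Arbor describes above ("looking for domains whose IPs match those of other domains"), as an added example (not Arbor's code): repeated DNS lookups of each domain are recorded as (domain, ip) observations, domains that ever resolved to a common IP are merged into one cluster with union-find, and a simple per-domain indicator (distinct IPs and distinct /24 networks seen) shows which names keep moving the way the post describes. The domains and IPs below are constructed placeholders, and the indicator is a heuristic of this example rather than Arbor's scoring.

```python
"""Group fast-flux domains into botnets by shared IP addresses.

Added example, not Arbor's code. The Arbor text above says distinct bot
networks are found "by looking for domains whose IPs match those of other
domains". Here repeated DNS lookups are recorded as (domain, ip)
observations; domains that ever resolved to a common IP are merged into one
cluster with union-find, and a per-domain flux indicator (distinct IPs and
distinct /24 networks seen) is computed. Domains and IPs are constructed.
"""
from collections import defaultdict
import ipaddress

# Constructed observations: one (domain, ip) per lookup, across many lookups.
OBSERVATIONS = [
    ("pharma-deals.example", "198.51.100.10"),
    ("pharma-deals.example", "203.0.113.5"),
    ("pharma-deals.example", "192.0.2.77"),
    ("pharma-deals.example", "198.51.100.10"),
    ("watch-shop.example", "203.0.113.5"),
    ("watch-shop.example", "198.18.0.9"),
    ("bank-login.example", "198.18.200.4"),
    ("bank-login.example", "100.64.1.2"),
    ("www.example.com", "192.0.2.1"),
    ("www.example.com", "192.0.2.1"),
]


def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def cluster_by_shared_ip(observations):
    """Return a list of frozensets; domains that shared any IP end up together."""
    parent = {}
    first_domain_for_ip = {}
    for domain, ip in observations:
        parent.setdefault(domain, domain)
        if ip in first_domain_for_ip:
            # This IP already served another domain: same bot, same botnet.
            a = _find(parent, domain)
            b = _find(parent, first_domain_for_ip[ip])
            if a != b:
                parent[a] = b
        else:
            first_domain_for_ip[ip] = domain
    groups = defaultdict(set)
    for d in parent:
        groups[_find(parent, d)].add(d)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: min(g))


def flux_indicator(observations):
    """Per domain: distinct IPs seen and distinct /24 networks they fall in.

    A name that keeps resolving to new IPs scattered across unrelated
    networks looks like flux; one stable IP, or a few in one /24 as a normal
    load balancer gives, does not. Thresholds are left to the operator.
    """
    ips = defaultdict(set)
    for domain, ip in observations:
        ips[domain].add(ipaddress.ip_address(ip))
    return {
        d: {
            "ips": len(s),
            "nets24": len({ipaddress.ip_interface(f"{a}/24").network for a in s}),
        }
        for d, s in ips.items()
    }


if __name__ == "__main__":
    for group in cluster_by_shared_ip(OBSERVATIONS):
        print(sorted(group))
    for d, ind in flux_indicator(OBSERVATIONS).items():
        print(d, ind)
```

On the sample data pharma-deals.example and watch-shop.example share 203.0.113.5 and fall into one cluster, the phishing-style name stands alone, and www.example.com, which always resolves to the same address, has an indicator of one IP in one /24. In practice the observations would come from resolving each suspect domain every few minutes, since the post notes the records change that often.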
