
Thread: Pandemic of the botnets 2008

  1. #21
    AplusWebMaster - Adviser Team
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    ...Asprox lying around

    FYI...

    ...Asprox lying around
    - http://isc.sans.org/diary.html?storyid=4840
    Last Updated: 2008-08-07 14:43:56 UTC - "...looking for something completely different I came across our old friend ASPROX (see previous diary from Marc: http://isc.sans.org/diary.html?storyid=4645 ).
    It seems that a lot of the domains used by this are still or again active. Typically using fast flux. The script that is being injected tends to be ngg.js, fgg.js, b.js or js.js. This links to an IP address (still up) where a CGI script starts the road of pain.
    Doing a quick search using our friend Google I ended up with 1,470,000 sites that are currently infected. Now about 591,000 or so are b.js which seems to point to inactive domains so these are unlikely to do damage. The rest is a mixture of active and inactive links. The high number of infected sites points to a couple of issues.
    1. Sites are compromised and nobody notices
    2. Sites that are infected are not cleaned up.
    Now the number of infected sites is high, but the sky is not falling. However if you have a spare few minutes do the following Google search replacing yoursite with your domain, e.g. sans.org (just cut and paste the whole search).
    site:yoursite "script src=http://*/""ngg.js"|"js.js"|"b.js"
    If the search returns results, you have some cleaning to do.
    I did a quick breakdown of infected sites:
    .gov     -   238      .com     -  474K
    .gov.au  -   927      .org     - 79.9K
    .gov.uk  - 2,930      .com.au  - 19.5K
    .gov.cn  -   34K      .co.uk   - 19.3K
    .gov.za  -   424      .ca      - 13.1K
    .gov.br  -   263
    I'll let you know next week if things are getting better or worse."

    - http://www.theregister.co.uk/2008/08...w_sql_attacks/
    7 August 2008 - "...Given the prevalence of pages from supposedly reputable organizations that threaten their users, Firefox using the NoScript* extension is an effective, but by no means perfect, measure to insulate yourself against these attacks."
    * http://noscript.net/

    Last edited by AplusWebMaster; 2008-08-08 at 15:12. Reason: Added "NoScript" note...
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
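    The diary's Google query finds pages already indexed with the injected tag; the same check can be run directly over a site's own saved HTML. The script below is an added example (not from the ISC diary or this post): it flags script tags pointing at the file names the diary lists and tallies hits by domain suffix as the diary's breakdown does. Every URL, host and HTML fragment in it is constructed sample data, and the suffix rule is a deliberate simplification of the public suffix list.

```python
"""Flag Asprox-style injected <script> tags in saved HTML pages.

Added example, not code from the ISC diary or the forum post. Looks for
<script src=http://<host>/<name>> where <name> is one of the file names the
diary lists, then tallies hits by domain suffix. Sample data is constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Script file names the diary reports as the injected loader.
ASPROX_NAMES = frozenset({"ngg.js", "fgg.js", "b.js", "js.js"})

# Asprox wrote the src attribute unquoted; quoted forms are accepted too.
_SCRIPT_SRC = re.compile(
    r"<script[^>]*?\bsrc\s*=\s*[\"']?https?://([^\s\"'/>]+)/([^\s\"'>]+)",
    re.IGNORECASE,
)

# Second-level labels folded into the suffix (.gov.uk, .co.uk, ...): a
# simplification of the public suffix list, good enough for a tally.
_SLD_LABELS = frozenset({"gov", "com", "co", "org", "net", "ac"})


def find_injected_scripts(html: str) -> List[Tuple[str, str]]:
    """Return (host, filename) for each script tag matching the pattern."""
    hits = []
    for match in _SCRIPT_SRC.finditer(html):
        host, path = match.group(1), match.group(2)
        name = path.rsplit("/", 1)[-1].split("?", 1)[0].lower()
        if name in ASPROX_NAMES:
            hits.append((host.lower(), name))
    return hits


def domain_suffix(page_url: str) -> str:
    """'.gov.au' for www.example.gov.au, '.com' for shop.example.com."""
    labels = urlparse(page_url).hostname.split(".")
    if len(labels) >= 3 and labels[-2] in _SLD_LABELS and len(labels[-1]) == 2:
        return "." + ".".join(labels[-2:])
    return "." + labels[-1]


def scan_pages(pages: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map page URL -> hits, keeping only pages that carry an injection."""
    scanned = {url: find_injected_scripts(html) for url, html in pages.items()}
    return {url: hits for url, hits in scanned.items() if hits}


def tally_by_suffix(infected: Dict[str, List[Tuple[str, str]]]) -> Counter:
    """Count infected pages per domain suffix, like the diary's table."""
    return Counter(domain_suffix(url) for url in infected)


# Constructed sample pages (documentation IP ranges): three carry an
# Asprox-style tag, the fourth loads a legitimate script and stays clean.
SAMPLE_PAGES = {
    "http://www.example.gov.au/news.asp?id=3":
        "<h1>News</h1><script src=http://203.0.113.10/ngg.js></script>",
    "http://shop.example.com/item.asp?id=7":
        '<p>Item</p><script src="http://203.0.113.11/js.js"></script>',
    "http://www.example.co.uk/page.asp":
        "<div>text</div><SCRIPT SRC=http://198.51.100.7/b.js></SCRIPT>",
    "http://clean.example.org/index.html":
        '<script src="https://cdn.example.org/lib/jquery.js"></script>',
}
```

Running `tally_by_suffix(scan_pages(SAMPLE_PAGES))` over the constructed pages yields one hit each under .gov.au, .com and .co.uk, with the clean page absent.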

  2. #22
    AplusWebMaster

    RBN...

    FYI...

    RBN (Russian Business Network) now nationalized, invades Georgia Cyber Space
    - http://rbnexploit.blogspot.com/
    Sat – 2008 08 09 5:00 EST - "As requested by community relay, the following is a report on the cyber war underway in parallel with conventional warfare. Many of Georgia’s internet servers were under external control from late Thursday; Russia’s invasion of Georgia commenced on Friday. It is further requested of any blog reader that the information below is further relayed to the International Press and Community to ensure awareness of this situation..."
    - http://www.theregister.co.uk/2008/08...tack_reloaded/
    11 August 2008

    - http://www.theinquirer.net/gb/inquir...launch-georgia
    11 August 2008

    Last edited by AplusWebMaster; 2008-08-11 at 19:08. Reason: Added Inquirer link...

  3. #23
    AplusWebMaster

    Georgian Websites Under Attack - DDoS and Defacement

    FYI...

    Georgian Websites Under Attack - DDoS and Defacement
    - http://www.shadowserver.org/wiki/pmw...endar.20080811
    11 August 2008 - "... we had not seen any other C&C servers taking aim at Georgian websites... until last Friday (August 8, 2008). The date appears to coincide with military movement that has since escalated into fighting between the two countries. Since August 8 we have witnessed multiple C&C servers attacking websites that are Georgian or sympathetic to the country. Some of the first targets we saw once again involved the Georgian government. The website for the President ( www .president.gov.ge ) and the website for the Parliament of Georgia ( www .parliament.ge ) were both targeted. However, the attacks were not limited to just government websites. We have witnessed at least six different C&C servers attacking various websites that are not government sites. In some cases the various C&C servers were and still are attacking the same websites. The following websites have come under attack in the past few days:
    www .president.gov.ge
    www .parliament.ge
    apsny.ge
    news.ge
    tbilisiweb.info
    newsgeorgia.ru
    os-inform.com
    www .kasparov.ru
    hacking.ge
    mk.ru
    newstula.info
    skandaly.ru
    One will notice that not all of these are Georgian websites. However, it is interesting to see that the same groups involved with targeting various Russian media outlets have also been taking aim at various Georgian websites... these attacks have expanded beyond just denial of service attacks. At the time of this writing the website for the Georgian Parliament has been defaced by a group claiming to be from South Ossetia. On the website the attackers have inserted a large image made up of several smaller side-by-side images of pictures of both the Georgian President and Adolf Hitler...
    Edit: (08-11-2008 9:10 PM EDT): We have since removed a screen shot of the defaced page as we do not want to glorify the group behind it. At this time the page is still defaced and can be viewed. However, we would caution against visiting the site as it may still be under control of the attackers...
    While this flurry of activity appears to coincide with recent events involving Russia and Georgia, we do not have solid information surrounding the who and the why. We have no reason to think the government is involved and can only speculate that it could be a grass root effort by the attackers. What is clear is that there are groups that are looking to keep Georgian websites offline."

    Last edited by AplusWebMaster; 2008-08-12 at 13:43.

  4. #24
    AplusWebMaster

    Web Fraud 2.0: Distributing Your Malware

    FYI...

    - http://voices.washingtonpost.com/sec...ting_your.html
    August 22, 2008 - "The allure of cyber crime lies in its promise of quick riches, much like that of the illegal drug trade. But building a network of hacked personal computers that can distribute your data-stealing malicious software is a time-consuming process that requires a modicum of skill. That is, until recently, when several online services have emerged that promise to help would-be cyber crooks graduate from common street dealers to distributors overnight. Such is the aim of services like "loads.cc," which for a small fee will take whatever malware you provide and inject it into a pre-selected number of PCs already compromised and under the thumb of the service owners. Currently, loads.cc claims to have 264,552 hacked systems in more than a dozen countries that it can use as hosts for any malicious software that clients want to install. The latest details from the "statistics" page displayed for members says the service has gained some 1,679 new infectable nodes in the last two hours, and more than 33,000 over the past 24 hours... Other up-and-coming malware distribution services are trying to gain a foothold in this nascent criminal Web 2.0 industry. Loadsforyou.biz offers slightly more competitive rates, promising to stitch your malware into 10,000 hacked PCs in the U.S. for just $120... it's probably best to avoid visiting the sites named in this post, as they exist solely to orchestrate the infection of computer systems..."


  5. #25
    AplusWebMaster

    US RBN ...Atrivo-Intercage

    FYI...

    - http://voices.washingtonpost.com/sec..._as_major.html
    August 28, 2008 - "...Several noted security researchers are releasing a report* today that stems from many months of investigating malicious activity emanating from Atrivo's customers. Security experts say that Atrivo, also known as Intercage, has long been a major source of spyware, adware, viruses and fake anti-virus products... Looking back several years, Atrivo's various networks were used heavily by the Russian Business Network, an ISP formerly based in St. Petersburg, Russia. RBN had gained notoriety for providing Web hosting services catering exclusively to cyber criminals. But after increased media attention, RBN dispersed its operations to other, less conspicuous corners of the Internet. The portions of Atrivo most heavily used by RBN were Hostfresh - which provides routing for Atrivo through Hong Kong and China - and UkrTeleGroup (also known as Inhoster) out of Ukraine. These two networks remain core components of Atrivo's operation, and recent data suggests the company's reputation for supporting online criminals hasn't diminished since the disappearance of the RBN last year..."

    - http://asert.arbornetworks.com/2008/...out-as-us-rbn/
    Aug. 30, 2008 - "A report* from a trio of known open source security analysts is out and covers the US-based Atrivo, aka Intercage. Dubbed the “US RBN” by some, Atrivo has been, to quote someone in the business:
    "At almost every Internet security conference, or law enforcement seminar on cyber-crime, a presentation will detail some attack, exploit, phish or financial crime that has some nexus at Atrivo/Intercage.” Source: Vincent Hanna, Spamhaus.org**...
    we’ve been seeing a lot of Atrivo over the years: rogue DNS servers that will send the user to a malicious website if they should typo, configured through DnsChanger malware; lots of fake AV product hosting lately; malcode drops and pickups. Our database is full of these droppings of information. The fact that this network is supposedly hosted in the US – in the bay area, in fact – is especially surprising. It is unclear to me why they were permitted to operate without any significant investigation by law enforcement..."

    * http://hostexploit.com/index.php?opt...d=12&Itemid=15

    ** http://www.spamhaus.org/news.lasso?article=636
    2008-08-29 - "...Spamhaus has dealt with over 350 incidents of cyber-crime hosting on Atrivo/Intercage and its related networks in the last 3 years alone, all of which involved criminal operations such as malware, virus spreaders and botnet command and control servers..."


  6. #26
    AplusWebMaster

    Machines controlled by Botnets have quadrupled in 3 months

    FYI...

    Machines controlled by Botnets have quadrupled in 3 months
    - http://isc.sans.org/diary.html?storyid=4963
    Last Updated: 2008-09-01 16:16:33 UTC - "...some of the data put out by the Shadowserver Foundation that tracks botnets. One piece of information grabbed my eye, namely that over the last 3 months, the number of infected machines quadrupled*. During the same time period, there isn't an appreciable increase in new malware, new viruses or anything that would obviously indicate why this is so. I imagine that the bad guys have gotten better about keeping machines owned, but there is one vector that we need to get much better about tracking and managing, and that's direct web-based malware. The timing, very roughly, coincides with when we started to see increased SQL injection attacks against webservers (mind you, this is an educated guess that SQL injections are a big part of this, not a statement of fact). We are very good at tracking email-based malware (including the lead-the-user-to-the-bad-website variety) and certainly network based attacks. Short of spidering the web on a consistent basis, it gets difficult to find infected sites for that malware..."
    * http://www.shadowserver.org/wiki/pmw...otCount90-Days

    - http://www.shadowserver.org/wiki/pmw...endar.20080905
    September 05, 2008

    Last edited by AplusWebMaster; 2008-09-07 at 13:18. Reason: Added Shadowserver link - 9.05.2008...

  7. #27
    AplusWebMaster

    Atrivo/InterCage - malware haven

    FYI...

    Atrivo/InterCage - malware haven
    - http://www.shadowserver.org/wiki/pmw...endar.20080906
    6 September 2008 - "... we decided to do a little digging from our own data to see what we could come up with. Given that we have been familiar with Atrivo for some time, what we found was not a huge surprise. However, we thought we would provide some more information for anyone that was interested or that was still skeptical. The following information comes right from our own databases and is based upon searches for the ASN 27595 which belongs to Atrivo.
    Atrivo/InterCage - ASN 27595:
    -----------------------------
    Unique MD5 samples making HTTP connections: 22,626
    Number of HTTP DDoS botnets (by unique IP) we have observed: 3
    Number of DDoS attacks (by unique IP) from it we have observed: 10
    Number of DDoS attacks (by unique IP) against it that we have observed: 26
    In plain English this means that we have 22,626 different binaries that made some sort of HTTP-based connection to Atrivo's ASN. The vast majority of our binaries are quite malicious. At least three HTTP-based DDoS botnets we monitored were housed on Atrivo's ASN. From these three different HTTP-based DDoS botnets we saw at least ten different attacks issued... As you can see, they have quite a bit of malware talking to them, which in turn means it has a lot of malware and control centers on it as well. Atrivo ranks #12 on our unique MD5 list by ASN. There are only 11 other ASNs that have more malware making HTTP connections to them than Atrivo. It would appear we still have some work to do, but since one of the top 20 is the center of attention right now, we thought we would throw in our two cents. Finally, we are not saying that all systems or activity on Atrivo's ASN are malicious. However, our data along with the data of others clearly indicate that there is a significant amount of malicious activity going on there that is certainly of concern."


  8. #28
    AplusWebMaster

    EstDomains... and RBN

    FYI...

    - http://voices.washingtonpost.com/sec...istory_an.html
    September 8, 2008 - "...for years EstDomains appeared to be the registrar of choice for the infamous Russian Business Network. You could hardly look up malicious Web site hosting nasties like -CoolWebSearch- and other spyware programs without finding records that traced back to EstDomains. That is, until the RBN's disappearing act late last year, when this publication and others began exposing RBN's ties to child pornography and financial fraud Web sites. While the RBN may have faded into the background, experts say EstDomains still remains among the top registrars for spam and scam Web sites, as well as child pornography. Working with several security experts who help law enforcement officials track down child porn sites, Security Fix identified at least two Web sites registered through EstDomains that are currently selling access to child porn... In a blog post* last month about the relationship between EstDomains and Atrivo, anti-spam organization Spamhaus.org suggested law enforcement action against the two entities was long overdue..."
    * http://www.spamhaus.org/news.lasso?article=636


  9. #29
    AplusWebMaster

    Fast flux botnets...

    FYI...

    - http://asert.arbornetworks.com/2008/...-observations/
    October 7, 2008 - "...Fast flux botnets are gathering a great deal of attention, and for good reason. Several groups have been working on similar research questions and have found similar results... Botnet herders often use fast-flux DNS techniques to host unwanted or illegal content within a botnet. These techniques change the mapping of the domain name to different bots within the botnet with constant shifting, while the bots simply relay content back to a central server. This can give the attackers additional stepping stones to thwart takedown and can obscure their true origins. Evidence suggests that more attackers are adopting fast-flux techniques, but very little data has been gathered to discover what these botnets are being used for... We found that the active lifetimes of fast-flux botnets vary from less than one day to months, domains that are used in fast-flux operations are often registered but dormant for months prior to activation, that these botnets are associated with a broad range of online fraud and crime including pharmacy sites, phishing and malware distribution, and that we can identify distinct botnets across multiple domain names..."


  10. #30
    AplusWebMaster

    FTC shuts down major SPAM operation

    FYI...

    - http://www.darkreading.com/document....919&print=true
    October 14, 2008 - "... FTC today shuttered one of the world’s largest spamming operations. The Herbal King gang, aka Affking, is responsible for billions of spam messages selling prescription drugs and phony male-enhancement products. The spam ring sent spam messages offering generic versions of Levitra, Cialis, Propecia, Viagra, Lipitor, Celebrex, Zoloft, and other drugs, as well as an herbal “permanent” male-enhancement pill called VPXL, through hundreds of unsavory Websites, according to the FTC. The spammers pushed their spam runs via the Mega-D/Ozdok botnet and other botnets. A U.S. district court in Illinois ordered the gang to halt its spam operations and has frozen the assets of New Zealand resident Lance Atkinson and Jody Smith of Texas, as well as the four companies they run, Inet Ventures Pty Ltd., Tango Pay Inc., Click Fusion Inc., and TwoBucks Trading Limited. The FTC complaint charges that Atkinson is liable for product claims by the operation, and Smith for claims about the pharmaceutical products. The spammers falsely claimed to sell medications as a U.S. licensed pharmacy that sells FDA-approved generic drugs, but the drugs were shipped from India and are potentially unsafe, according to the FTC, which received 3 million complaints about the phony pharmaceutical operation. Herbal King was ranked as the No. 1 spammer by Spamhaus... The spammers used the Mega-D/Ozdok botnet... Mega-D is one of the largest spamming botnets, and at one time could send 10 billion spam messages a day. But even with the legal actions taken against the spammers both by the FTC and authorities in New Zealand, the botnets that pumped out the spam are still standing..."
    * http://www.ftc.gov/opa/2008/10/herbalkings.shtm
    October 14, 2008

