
Thread: Pandemic of the botnets 2008

  1. #31 - AplusWebMaster (Adviser Team; joined Oct 2005; USA; 6,881 posts)

    Warezov is back...

    FYI...

    - http://www.secureworks.com/research/threats/warezov/
    10/15/08 - "...as of 2008, it appears Warezov is back in the spamming business - but operating differently this time... Warezov was historically spread via email attachments, however that activity has also largely ceased. These days, executable attachments via email are almost universally blocked. Most botnet operators have switched to installing via browser/plugin exploits or social engineering. Warezov is no different. Only a few days ago, we saw Warezov being spread through a site advertising free MP3s via download of a P2P program. No exploits were used here, just social engineering. The user has to choose to install the software, which is simply the Warezov trojan... Like many botnets, Warezov is really a payload delivery system. It can install any software the botnet operator wishes. Since the end of the stock spamming activity, Warezov has mainly served as a "fast-flux" hosting platform... Warezov accomplishes this activity by installing two components: a reverse HTTP proxy that serves the content from a hidden master server, and a DNS server which is actually a customized installation of the popular ISC BIND software compiled for Windows. Each DNS server acts as a slave which gets zone updates from the hidden master server... Regardless of what methods are in use, spam is not going away any time soon. There is clearly too much money involved in spam and as a result, botnets... Despite indictments that may exist in the U.S., there are too many obstacles, both technical and political, that make it nearly impossible to get Russian botmasters arrested..."
    (Screenshots available at the URL above.)

    - http://asert.arbornetworks.com/2008/...n-aka-warezov/
    October 17, 2008

    - http://www.darkreading.com/document....798&print=true
    October 13, 2008 - "...SecureWorks* says Srizbi remains the largest botnet, followed closely by Rustock, Ozdok, and Cutwail, which range from a minimum of 150,000 to upwards of 300,000 bots..."
    * http://www.secureworks.com/research/...eat=topbotnets
    April 8, 2008

    Last edited by AplusWebMaster; 2008-10-25 at 14:04.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
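    The fast-flux setup quoted above (bots running a reverse HTTP proxy plus a BIND slave that pulls zones from a hidden master) leaves a DNS fingerprint that a resolver operator can look for: short TTLs, a large and changing set of A records, and addresses spread across unrelated networks. What follows is an added example written for this thread, not code from the original post or from SecureWorks; the lookup-record layout, the thresholds and the use of /16 prefixes as a stand-in for "different networks" are assumptions.

```python
"""Fast-flux hosting heuristic over constructed DNS lookup records.

Added example: not code from the original thread or from SecureWorks.
The record layout, the thresholds and the /16 "network" proxy are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed sample: repeated A lookups of three names as a resolver might log
# them. Addresses come from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOOKUPS = [
    {"qname": "flux-example.test", "ttl": 120, "answers": ["192.0.2.10", "198.51.100.7", "203.0.113.4"]},
    {"qname": "flux-example.test", "ttl": 120, "answers": ["192.0.2.55", "198.51.100.200", "203.0.113.90"]},
    {"qname": "flux-example.test", "ttl": 120, "answers": ["192.0.2.77", "198.51.100.31", "203.0.113.150"]},
    {"qname": "static-example.test", "ttl": 86400, "answers": ["192.0.2.1"]},
    {"qname": "static-example.test", "ttl": 86400, "answers": ["192.0.2.1"]},
    {"qname": "cdn-example.test", "ttl": 60, "answers": ["203.0.113.10", "203.0.113.11"]},
    {"qname": "cdn-example.test", "ttl": 60, "answers": ["203.0.113.12", "203.0.113.13"]},
]


@dataclass
class FluxProfile:
    qname: str
    lookups: int
    min_ttl: int
    distinct_ips: int
    distinct_networks: int  # distinct /16 prefixes: a cheap proxy for "spread across networks"
    score: int


def network16(ip: str) -> str:
    """Return the /16 prefix of an IPv4 address (raises on malformed input)."""
    addr = IPv4Address(ip)
    return ".".join(str(addr).split(".")[:2])


def profile_lookups(lookups, ttl_limit=300, ip_limit=5, net_limit=3):
    """Aggregate repeated lookups per name and score three fast-flux indicators.

    One point each for: TTL at or below ttl_limit, at least ip_limit distinct
    addresses seen over all lookups, and addresses from at least net_limit
    different /16 networks. Thresholds are assumptions, not published values.
    """
    per_name = defaultdict(lambda: {"lookups": 0, "ttl": None, "ips": set()})
    for rec in lookups:
        entry = per_name[rec["qname"]]
        entry["lookups"] += 1
        entry["ttl"] = rec["ttl"] if entry["ttl"] is None else min(entry["ttl"], rec["ttl"])
        entry["ips"].update(rec["answers"])

    profiles = []
    for qname, entry in per_name.items():
        nets = {network16(ip) for ip in entry["ips"]}
        score = (
            int(entry["ttl"] <= ttl_limit)
            + int(len(entry["ips"]) >= ip_limit)
            + int(len(nets) >= net_limit)
        )
        profiles.append(
            FluxProfile(qname, entry["lookups"], entry["ttl"], len(entry["ips"]), len(nets), score)
        )
    return profiles


def flagged_names(lookups, min_score=3):
    """Names that hit all three indicators; sorted for stable output."""
    return sorted(p.qname for p in profile_lookups(lookups) if p.score >= min_score)


if __name__ == "__main__":
    for profile in profile_lookups(SAMPLE_LOOKUPS):
        print(profile)
    print("fast-flux candidates:", flagged_names(SAMPLE_LOOKUPS))
```

    Run against a real resolver log the same way; the point of requiring all three indicators is that a short TTL alone is not evidence of anything (the constructed cdn-example.test name scores only one point, as a legitimate CDN would), while a name that also keeps handing out fresh addresses from unrelated networks is worth a closer look.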

  2. #32 - AplusWebMaster (Adviser Team; joined Oct 2005; USA; 6,881 posts)

    Combat the botnet army

    FYI...

    - http://www.pcworld.com/printable/art...printable.html
    October 28, 2008 - "...Much like the bot software they install, SQL injection and similar Web attacks force victim sites to do their bidding. And they have a growing number of holes to target: In 2007 one security company, SecureWorks, found 59 flaws in applications that allowed for SQL injection attacks. So far in 2008, it has found 366... According to Joe Stewart, director of malware research at SecureWorks, for a would-be botnet criminal these Web exploit attacks are by far the preferred choice for distributing evil code... When IT workers and antivirus companies catch on to bot infections and clean them up, the crooks respond by infecting a new batch of PCs. "They're having to keep up these seeding campaigns to keep up their botnet size," Stewart says. Those seeding campaigns typically employ Web attacks that target outdated browser plug-ins and other vulnerable software. "Flash and RealPlayer [plug-ins] - those are the big ones," Stewart says. The attacks are often successful because it can be hard for users to know when a plug-in is old and susceptible, especially if it's so old as to predate automatic updates. The free Personal Software Inspector* (or PSI) from Secunia can make that task easier. It will scan for outdated software and also provide links to patches or updated versions..."
    * http://secunia.com/vulnerability_scanning/online/


  3. #33 - AplusWebMaster (Adviser Team; joined Oct 2005; USA; 6,881 posts)

    Secure Computing Q3 Internet Threats Report...

    FYI...

    Secure Computing Q3 Internet Threats Report...
    - http://www.securecomputing.com/pdf/S...Rprt-Oct08.pdf
    October 28, 2008 - Some highlights:
    • Acquisition of innocent machines via email and Web-based infections continued in Q3 at about the same pace measured in Q2, with over 5,000 new zombies created every hour.
    • Top Five Malware Detections in Q3 – by Prevalence
    1. The infection of legitimate Web sites continues to be the main venue for the most prevalent malware outbreaks. These infections are usually induced through SQL injection attacks...
    2. Following closely is a new entry among top detections: "Trojan.Hijacker.Gen" is a new generic detection name for any malware that creates backdoor access to victim computers...
    3. Although detected by virtually every anti-malware product, the NetSky worm... remains high in prevalence due to zombie machines that remain infected and continue to create email traffic years later.
    4. Fourth place goes to another proactive detection for any malware that uses the "FSG" runtime-packer, which continues to be in widespread use. Runtime-packers are used to quickly create new variants of a malware family and hide their malicious intent under an obfuscation layer. It should be noted that these top four malware variants account for 70% of the detected malware today.
    5. Another new entry, dubbed "HIDDENEXT.Worm.Gen", also covers the "Autoruns" worm that appeared on a digg.com entry this quarter. The "Autoruns" worm spreads through removable devices, such as USB sticks and mapped network drives. See http://www.trustedsource.org/blog/150/Digging-for-Worms for more information...
    • Over the course of Q3 the TrustedSource reputation system was able to identify over 600 new Web sites that have been deployed and tagged with a malicious reputation prior to serving any malicious content. Identifying these Web sites proactively through the use of traffic analysis and examination of historical connections to criminal individuals or networks is now essential as they are increasingly used to deploy zero-day/zero-hour malware code that is not detected by the traditional signature-based, anti-malware products...


  4. #34 - AplusWebMaster (Adviser Team; joined Oct 2005; USA; 6,881 posts)

    McColo’s resurrection - temporary...

    FYI...

    - http://www.sophos.com/security/blog/..._log_from=atom
    16 November 2008 - "While the take-down of McColo received a lot of attention in the last few days, it seems not everyone was listening: the company came back online yesterday for a while thanks to TeliaSonera AB, a Swedish ISP that has a router in San Jose... Apparently those responsible for hooking up new customers at TeliaSonera don’t read security blogs. That said, the company does deserve props for its rapid response to complaints: I emailed their abuse@ address yesterday evening, received a reply a few hours later from Jimmy Arvidsson — the head of their security department — saying they were taking action to revoke the peering, and when I started work in Vancouver this morning McColo was down again. It’s great to see such a rapid result from a complaint to an ISP!... we were both too late to prevent the Rustock guys hurriedly pushing an update to at least some of their bots, switching them from McColo to a new host in Russia during the brief period of connectivity. Thus we should expect spam volumes to increase again soon (Rustock is estimated* to be capable of sending 30 billion spams per day), though how big an increase we’ll see depends largely on the number of zombie PCs the botnet’s controller was able to reach during McColo’s temporary resurrection. For now, though, volume on our spamtraps is still hovering around a quarter of what it was before the take-down..."
    * http://en.wikipedia.org/wiki/Botnet#List_of_Botnets


  5. #35 - Junior Member (joined Nov 2008; 2 posts)

    It seems that it was GigLinx.com, a reseller of bandwidth, that managed to hook up McColo through Telia's network. It is obvious that the time was carefully chosen by McColo when they went live. During the weekends most of the ISPs have minimal staff, and they hoped that it would have passed unnoticed and it would take until Monday morning for GigLinx or Telia to act on this. Now they got disconnected by Telia somewhere around 1:30 pm GMT. That's about 9 hours after the first post on the NANOG list that McColo had resurrected. I think it's pretty fast acting from a telco on a Sunday.

    http://www.spamhaus.org/news.lasso?article=640

  6. #36 - tashi (Member of Team Spybot; joined Oct 2005; USA; 30,961 posts)

    Quote Originally Posted by Mobeus:
        I think it's pretty fast acting from a telco on a Sunday
    Better than appearing in the Washington Post Monday.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  7. #37 - AplusWebMaster (Adviser Team; joined Oct 2005; USA; 6,881 posts)

    Bot-herders moving their C&C servers...

    FYI...

    - http://www.secureworks.com/research/...vo-now-mccolo/
    November 18, 2008 - "... The companies that were connected to Atrivo and McColo have severed those connections, removing the companies from the Internet... A number of other botnets, including Rustock, Srizbi, Pushdo and Ozdok had infrastructure hosted at McColo. It’s clear that this infrastructure remains in place... Other botnets will also be relocating their C&C servers. While most, if not all, will just pop up in another datacenter, the growing trend of upstream providers disconnecting nefarious hosting companies is encouraging. So far these companies have been US based. We’re now seeing early evidence that bot-herders are moving their C&C servers overseas. The next question is: will the Internet community be able to put pressure on those companies and their upstream providers to prevent the bot-herders from finding a new safe haven?"


  8. #38 - Junior Member (joined Nov 2008; 2 posts)

    There is a rather high knowledge about spam, malware (and other bad things) among the European operators, so this shouldn't be a problem. And in some countries there are laws that prohibit this kind of activity. Sure, there will always be some operators and countries that are in the grey zone. But it would not be a major problem compared to the situation we have today.

  9. #39 - AplusWebMaster (Adviser Team; joined Oct 2005; USA; 6,881 posts)

    SPAM volumes expected to rise with Srizbi resurrection

    FYI...

    - http://voices.washingtonpost.com/sec...d_to_rise.html
    November 26, 2008 - "... The "Srizbi" botnet, a collection of more than half a million hacked PCs that were responsible for relaying approximately 40 percent of all spam sent worldwide, was knocked offline two weeks ago due to pressure from the computer security community. On Nov. 11, the Internet servers used to control the Srizbi botnet were disconnected when a Web hosting firm identified by security experts as a major host of organizations engaged in spam activity was taken offline by its Internet providers. Turns out, Srizbi's authors had planned ahead for such a situation by building into each bot a fail-safe mechanism in case its master control servers were unavailable: A mathematical algorithm that generates a random but unique Web site domain name to check for new instructions and software updates. With such a system in place, the malware authors can regain control over the bots merely by registering the Web site names that the infected machines are trying to visit and placing the instructions there. According to FireEye*, a security company in Milpitas, Calif., that has closely tracked the botnet's activity, a number of those rescue domains were registered Tuesday evening, apparently directing at least 50,000 of the Srizbi-infected machines to receive new instructions and malicious software updates from servers in Estonia..."
    * http://blog.fireeye.com/research/200...-trun-now.html
    2008.11.25 - "... The new Command and Control servers are located in Estonia, and the domains registered through a registrar in Russia... all SMTP servers that the sample tried to contact ended in .ru. One of these servers was the largest bank in Russia. This is yet another tie of Botnets to Russia..."

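    The fail-safe quoted above (each bot computing candidate "rescue" domains and looking them up until one resolves) is visible from the defender's side as a burst of NXDOMAIN answers for random-looking names coming from a single client, long before anyone registers the names. What follows is an added example written for this thread; it is not code from the original post or from FireEye, and it does not reproduce Srizbi's actual algorithm, which the article does not publish. The resolver log format, the client addresses, the label features and the thresholds are all assumptions.

```python
"""DGA-style rescue-domain detection over constructed resolver log lines.

Added example: not code from the original thread, from FireEye, or from
Srizbi itself. Log format, label features, thresholds and addresses are
assumptions chosen for illustration.
"""
import math
import re
from collections import defaultdict

# Constructed sample resolver log: RFC 1918 client addresses and made-up
# labels. Nothing here is a real indicator.
SAMPLE_LOG = """\
2008-11-25T21:14:02Z client=10.0.0.5 qname=xkqzvtrbnw.com rcode=NXDOMAIN
2008-11-25T21:14:02Z client=10.0.0.5 qname=plqzmwvskd.com rcode=NXDOMAIN
2008-11-25T21:14:03Z client=10.0.0.5 qname=hgtrekalpx.com rcode=NXDOMAIN
2008-11-25T21:14:03Z client=10.0.0.5 qname=vbnmqwrtzk.net rcode=NXDOMAIN
2008-11-25T21:14:04Z client=10.0.0.5 qname=dfghjklzxc.com rcode=NXDOMAIN
2008-11-25T21:14:04Z client=10.0.0.5 qname=zxcvbnmqwr.net rcode=NXDOMAIN
2008-11-25T21:14:05Z client=10.0.0.5 qname=update.example.com rcode=NOERROR
2008-11-25T21:14:06Z client=10.0.0.9 qname=washingtonpost.com rcode=NOERROR
2008-11-25T21:14:07Z client=10.0.0.9 qname=gooogle.com rcode=NXDOMAIN
2008-11-25T21:14:08Z client=10.0.0.9 qname=secureworks.com rcode=NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) rcode=(?P<rcode>\S+)$"
)
VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the given string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def label_features(label: str):
    """Three cheap signals that a label was generated rather than chosen."""
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    # digits count as non-vowels here, so "k3jd9s2" forms one long run
    longest_run = max((len(m) for m in re.findall(r"[^aeiou]+", label)), default=0)
    max_entropy = math.log2(len(label)) if len(label) > 1 else 1.0
    norm_entropy = shannon_entropy(label) / max_entropy
    return vowel_ratio, longest_run, norm_entropy


def looks_generated(label: str) -> bool:
    """Two of three signals must fire; entropy alone misfires on long real words."""
    vowel_ratio, longest_run, norm_entropy = label_features(label)
    hits = (vowel_ratio < 0.25) + (longest_run >= 4) + (norm_entropy >= 0.8)
    return hits >= 2


def parse_log(text: str):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groupdict()


def registered_label(qname: str) -> str:
    """Label left of the TLD. Assumes simple names; public-suffix handling is out of scope."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def suspicious_clients(text: str, min_hits: int = 5):
    """Clients with at least min_hits distinct NXDOMAIN answers for generated-looking names."""
    nx_generated = defaultdict(set)
    for rec in parse_log(text):
        if rec["rcode"] == "NXDOMAIN" and looks_generated(registered_label(rec["qname"])):
            nx_generated[rec["client"]].add(rec["qname"])
    return {client: sorted(names) for client, names in nx_generated.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in suspicious_clients(SAMPLE_LOG).items():
        print(client, "->", ", ".join(names))
```

    The NXDOMAIN requirement is what separates a bot walking through its candidate list from a user who mistyped a name once (the constructed gooogle.com line is ignored both because it is a single miss and because its label still reads like a word), and counting distinct names per client rather than raw queries keeps a stuck retry loop from inflating the score.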

  10. #40 - AplusWebMaster (Adviser Team; joined Oct 2005; USA; 6,881 posts)

    Srizbi botnet update...

    FYI...

    - http://www.theregister.co.uk/2008/11...rns_from_dead/
    26 November 2008 20:48 GMT - "...At time of writing, most of Srizbi's connection to the outside world had once again been severed, thanks to decisive actions taken to shut down servers located in Estonia. A single server located in Germany continued to host some nodes of the network, as researchers scrambled to get it shut down as well. "An onslaught of spam was certainly averted," said Alex Lanstein, a researcher at intrusion detection system provider FireEye, who has spent the past four weeks closely monitoring Srizbi. "Estonia stepped in in record time and kicked these guys off line"..."

