Thread: Pandemic of the botnets 2009

  1. #1
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Pandemic of the botnets 2009

    FYI... Please do NOT visit the sites mentioned in the article!

    Russia: Opposition Websites and DDoS
    - http://asert.arbornetworks.com/2009/...ites-and-ddos/
    January 6, 2009 - "We’re again seeing reports about political DDoS targets within Russia. This time we saw it mentioned in the blog post Russian Opposition Websites Shut Down By Attacks* from the blog The Other Russia. And again we have data to support the claims. The site www .grani .ru has come under attack from two Black Energy botnets. One of them is well known to many of us, “candy-country .com”, and the other is relatively new on the scene, 22×2x2×22 .com. Both are hard at work with HTTP floods against the site.
    Kasparov .ru is back in the news and again being targeted by Black Energy botnets. 22×2x2×22 .com is striking the site, as well as the well known BE botnet ad .yandexshit .com.... the website of MSK radio, echo .msk .ru, is also under attack by these two botnets. Voices of dissent again being quieted by force.
    At least some of these bots participated in the recent DDoS attacks between Russia and Georgia, but they’ve also struck non-political targets quite a bit in the past year or so. Escort sites, gambling sites, etc. Politics is a rough sport in Russia, and the use of DDoS to silence the opposition’s website shows the power of the web in getting a voice out, its value in being silenced, and possibly what’s to come in the future."
    * http://preview.tinyurl.com/8nff8b

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2
    AplusWebMaster (Adviser Team)

    2008 H2 Fast Flux Data Analysis

    FYI...

    2008 H2 Fast Flux Data Analysis
    - http://asert.arbornetworks.com/2009/...data-analysis/
    January 8, 2009 - "... Comparison and Trends
    We’re seeing two trends of note with respect to 2008 with fast flux domain registrations and use. The first is the growth of .CN as a fast flux TLD. Most of the .CN domains we see registered and fluxing come through a registrar like BIZCN, whom we now treat with some suspicion. This could be due to them being negligent or completely subverted, but either way we’re not surprised to see a BizCN registration of a fluxy .CN domain name. We also think that this rapid growth in .CN as a fluxing TLD may be due to a fire sale of .CN domain registrations that occurred late in 2008.
    The second big trend over 2008 is the migration away from .COM and .CN to a lot more TLDs. As we noted in our paper earlier this year, by the middle of 2008 more TLDs were being used than had been seen in Thorsten’s previous paper. By the end of 2008 even more TLDs were in use. The long tail is getting longer, meaning more registrars have to be educated and empowered to respond to abuse notices with takedowns.
    2008 was a very big year for fast flux service hosting, and we’ll continue to see it in 2009. We’re working with more people to analyze such botnets and track their activities, and we’ll be reporting it here."
    (Info charts available at the URL above.)


  3. #3
    AplusWebMaster (Adviser Team)

    SPAM bots - 2009...

    FYI...

    - http://voices.washingtonpost.com/sec...ll_we_get.html
    January 13, 2009 - "The close of 2008 sounded the death knell for some of the most notorious spam networks on the planet. But already several new breeds of spam botnets - massive groups of hacked PCs used for spamming - have risen from the ashes, employing a mix of old and new tricks to all but ensure a steady flow of spam into e-mail boxes everywhere for many months to come... In its January Spam Report* (PDF), McAfee reports that while current spam levels have shown a significant increase in the last few weeks, they are still 40 percent lower than levels prior to the demise of McColo. Symantec, in its State of Spam report** (PDF) for January, says spam levels are now at 80 percent of their pre-McColo-shutdown levels."

    * http://www.mcafee.com/us/local_conte...port_jan09.pdf

    ** http://eval.symantec.com/mktginfo/en...2009.en-us.pdf

    - http://www.theregister.co.uk/2009/01...tnets_of_2009/
    14 January 2009

    Spam Botnets to watch in 2009
    - http://www.secureworks.com/research/...at=botnets2009
    January 13, 2009

    - http://www.marshal.com/trace/traceitem.asp?article=843
    January 12, 2009

    Last edited by AplusWebMaster; 2009-01-17 at 14:38.

  4. #4
    AplusWebMaster (Adviser Team)

    Waledac - new tactics & new domains...

    FYI...

    Inauguration Themed Waledac - New Tactics & New Domains
    - http://www.shadowserver.org/wiki/pmw...endar.20090119
    January 19, 2009 - "...the Inauguration of Barack Obama and the Waledac trojan has been in full swing attempting to take advantage of the event. Since late last week the trojan has been blasting its way across the Internet with e-mails attempting to bring unwitting users to a page that looks a lot like the official Barack Obama website. The page is updated each day to appear to have a new blog entry... As always do NOT visit these domains as they are malicious and hosting exploit code... Click here* for a full listing of Waledac domains that we are aware of - this link will be updated as we get them. Your best bet is to block these domains or otherwise avoid them..."
    * http://www.shadowserver.org/wiki/upl...ac_domains.txt
    Updated 01-21-2009


  5. #5
    AplusWebMaster (Adviser Team)

    Full Waledac domain listing

    FYI...

    Full Waledac Domain Listing
    - http://www.securityzone.org/?p=61
    January 24, 2009 - "Got the full list also being updated and posted on the Shadowserver website at the following URL:
    http://www.shadowserver.org/wiki/upl...ac_domains.txt
    Updated 01-25-2009 - 19:10 UTC

    ...Also, if you are interested in all things Waledac...
    http://sudosecure.net/waledac/ "
    Waledac Tracker Summary Data

    - http://www.shadowserver.org/wiki/pmw...endar.20090124
    January 24, 2009 - "...Add those to your block lists and do NOT visit them."

    Last edited by AplusWebMaster; 2009-01-26 at 11:59. Reason: List updated - again!

  6. #6
    AplusWebMaster (Adviser Team)

    Russian DDoS attack against Kyrgyzstan

    FYI...

    Kyrgyzstan Under DDoS Attack From Russia
    - http://preview.tinyurl.com/dfdf84
    January 28, 2009 Secureworks blog - "Since January 18, 2009, the two primary Kyrgyzstan ISPs (www .domain .kg, www .ns .kg) have been under a massive, sustained DDoS attack almost identical in some respects to those that targeted Georgia in August 2008. Few alternatives for Internet access exist in Kyrgyzstan. With just two smaller ISPs left to handle the load, these attacks from Russian IP address space have essentially knocked most of the small, Central Asian republic offline. Some believe that this is a way to silence rhetoric from a new and relatively powerful opposition coalition whose primary aim is the removal of current government officials, especially Kyrgyz President Kurmanbek Bakiyev, and a break from the administration's policies. On the other hand, others think these attacks are part of a Russian campaign to pressure Kyrgyz President Kurmanbek Bakiyev to close US access to a key airbase, which intensified on the same day as the DDoS attacks. That airbase is a key resource in the war against Islamist militants in Afghanistan... The use of cyber militias puts distance between the Russian government and shelters it from culpability for the peacetime use of information warfare tactics. There is often a combination of motives... With modern worms capable of quickly building 1+ million strong botnet armies, will we have countermeasures and contingency plans in place when the cross hairs lock-on to our own infrastructure?"

    Russian 'cybermilitia' knocks Kyrgyzstan offline
    - http://preview.tinyurl.com/akct9k
    January 28, 2009 (Computerworld)

    - http://atlas.arbor.net/
    "...We are investigating ongoing DDoS issues in Kyrgyzstan..."
    - http://atlas.arbor.net/summary/dos


  7. #7
    AplusWebMaster (Adviser Team)

    Gumblar attacks spread to thousands of new sites

    FYI...

    Gumblar attacks spread to thousands of new sites
    - http://threatpost.com/en_us/blogs/gu...w-sites-103009
    October 30, 2009 - "Gumblar, the nasty bit of malware that was part of a mass SQL injection on legitimate Web sites this spring, is continuing to spread and its creators have been busy lately, compromising hundreds of new sites, leading to a massive new wave of infections of end-user PCs... In Gumblar's case, the iFrame redirection is the tactic of choice and it has been quite effective. In its original form Gumblar was redirecting victims to one of two remote sites, Gumblar .cn or Martuz .cn. The latest incarnation is pointing victims to thousands of servers in more than 200 countries that are now spreading Gumblar, according to research by Michael Molsner of Kaspersky Lab*. More than 7,200 servers spreading Gumblar are in the U.S., and many of the sites compromised around the globe are in the .gov and .edu domains. "Our accumulated data for one week showed 443748 access hits in total - and that is only a part of the whole incident. For several days after we noticed this new threat and added detection of the malicious files targeting Adobe Reader and Flash Player, there was surprisingly little talk about it in IT security circles. The 'new gumblar' took some time to get noticed more widely and _still_ seems unnoticed by many. However, it is very active indeed and as a side effect several PC vendors' support lines have been flooded with queries about sudden reboots etc. There are also reports that machines infected with a buggy version of gumblar fail to boot completely, leaving the screen black and only the mouse pointer visible."
    Experts say that many of the machines that have been infected with Gumblar and other similar pieces of malware often are re-infected once they've been cleaned as users don't realize that their browsers are vulnerable and that the seemingly safe sites they're visiting are in fact serving malware."
    * http://www.viruslist.com/en/weblog?weblogid=208187886
    October 30, 2009

    - http://google.com/safebrowsing/diagn...te=gumblar.cn/
    "... last time Google visited this site was on 2009-11-01, and the last time suspicious content was found on this site was on 2009-11-01... It infected 6073 domain(s)..."
    - http://google.com/safebrowsing/diagn...ite=martuz.cn/
    "... last time Google visited this site was on 2009-11-01, and the last time suspicious content was found on this site was on 2009-11-01... It infected 8328 domain(s)..."

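    As an added, defender-side example (not code from any post in this thread, nor from Shadowserver, Kaspersky or Google), the Python script below ties together two things the posts above ask site owners to do: load a plain-text domain blocklist of the one-domain-per-line kind the Waledac posts link to (the format, including '#' comments, is assumed), and scan a page's HTML for <iframe> elements whose target host is a blocked domain or a subdomain of one, which is the iFrame redirection pattern the Gumblar article describes. It also flags iframes that are sized 1x1 or styled invisible, a common trait of injected frames. The blocklist entries and the HTML are constructed placeholders on .invalid names, not the real indicators from the articles.

```python
"""Match <iframe> targets in HTML against a plain-text domain blocklist.

Added example for this thread; assumes a blocklist of one domain per line
with optional '#' comments.  All domains and HTML below are constructed
samples, not real indicators.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample blocklist (placeholder .invalid names, not real IoCs)
SAMPLE_BLOCKLIST = """
# constructed sample list
bad-redirect.invalid
malicious-host.invalid   # inline comment
"""

# Constructed HTML resembling a page with an injected hidden iframe
SAMPLE_HTML = """<html><body>
<p>Legitimate content</p>
<iframe src="http://cdn.bad-redirect.invalid/x.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="https://example.com/widget"></iframe>
<iframe src="HTTP://MALICIOUS-HOST.INVALID:8080/"></iframe>
</body></html>"""


def parse_blocklist(text):
    """Return the set of blocked domains, lowercased, comments stripped."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            blocked.add(line)
    return blocked


def host_is_blocked(host, blocked):
    """True if host equals a blocked domain or sits beneath one."""
    labels = host.lower().rstrip(".").split(".")
    # walk up the label chain so cdn.bad.invalid matches bad.invalid
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def looks_hidden(attrs):
    """Heuristic: 1x1 (or smaller) frame, or hidden via inline style."""
    def tiny(value):
        try:
            return int(value.strip().rstrip("px")) <= 1
        except ValueError:
            return False
    style = attrs.get("style", "").replace(" ", "").lower()
    return ((tiny(attrs.get("width", "")) and tiny(attrs.get("height", "")))
            or "display:none" in style or "visibility:hidden" in style)


class IframeCollector(HTMLParser):
    """Collect (src, looks_hidden) for every <iframe> with a src."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # HTMLParser lowercases tag names
            return
        a = {name: (value or "") for name, value in attrs}
        if a.get("src"):
            self.iframes.append((a["src"], looks_hidden(a)))


def find_blocked_iframes(html, blocked):
    """Return [(src, hidden_flag)] for iframes pointing at blocked hosts."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for src, hidden in parser.iframes:
        host = urlsplit(src).hostname  # drops scheme/port/userinfo, lowercases
        if host and host_is_blocked(host, blocked):
            hits.append((src, hidden))
    return hits


if __name__ == "__main__":
    blocklist = parse_blocklist(SAMPLE_BLOCKLIST)
    for src, hidden in find_blocked_iframes(SAMPLE_HTML, blocklist):
        print(f"{'hidden ' if hidden else ''}iframe to blocked host: {src}")
```

    Matching is done on the parsed hostname rather than by substring search so that a scheme in capitals, an explicit port, or a look-alike name such as notbad-redirect.invalid does not produce a false match, and subdomains of a listed domain are still caught. Run it as-is to see the two constructed hits; in practice the same functions would be fed a downloaded blocklist and the HTML of pages you host.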
