
Thread: Pandemic of the botnets 2009

  1. #1
    Adviser Team AplusWebMaster
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Pandemic of the botnets 2009

    FYI... Please do NOT visit the sites mentioned in the article!

    Russia: Opposition Websites and DDoS
    - http://asert.arbornetworks.com/2009/...ites-and-ddos/
    January 6, 2009 - "We’re again seeing reports about political DDoS targets within Russia. This time we saw it mentioned in the blog post Russian Opposition Websites Shut Down By Attacks* from the blog The Other Russia. And again we have data to support the claims. The site www .grani .ru has come under attack from two Black Energy botnets. One of them is well known to many of us, “candy-country .com”, and the other is relatively new on the scene, 22×2x2×22 .com. Both are hard at work with HTTP floods against the site.
    Kasparov .ru is back in the news and again being targeted by Black Energy botnets. 22×2x2×22 .com is striking the site, as well as the well known BE botnet ad .yandexshit .com.... the website of MSK radio, echo .msk .ru, is also under attack by these two botnets. Voices of dissent again being quieted by force.
    At least some of these bots participated in the recent DDoS attacks between Russia and Georgia, but they’ve also struck non-political targets quite a bit in the past year or so. Escort sites, gambling sites, etc. Politics is a rough sport in Russia, and the use of DDoS to silence the opposition’s website shows the power of the web in getting a voice out, its value in being silenced, and possibly what’s to come in the future."
    * http://preview.tinyurl.com/8nff8b

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2
    Adviser Team AplusWebMaster

    2008 H2 Fast Flux Data Analysis

    FYI...

    2008 H2 Fast Flux Data Analysis
    - http://asert.arbornetworks.com/2009/...data-analysis/
    January 8, 2009 - "... Comparison and Trends
    We’re seeing two trends of note with respect to 2008 with fast flux domain registrations and use. The first is the growth of .CN as a fast flux TLD. Most of the .CN domains we see registered and fluxing come through a registrar like BIZCN, whom we now treat with some suspicion. This could be due to them being negligent or completely subverted, but either way we’re not surprised to see a BizCN registration of a fluxy .CN domain name. We also think that this rapid growth in .CN as a fluxing TLD may be due to a fire sale of .CN domain registrations that occurred late in 2008.
    The second big trend over 2008 is the migration away from .COM and .CN to a lot more TLDs. As we noted in our paper earlier this year, by the middle of 2008 more TLDs were being used than had been seen in Thorsten’s previous paper. By the end of 2008 even more TLDs were in use. The long tail is getting longer, meaning more registrars have to be educated and empowered to respond to abuse notices with takedowns.
    2008 was a very big year for fast flux service hosting, and we’ll continue to see it in 2009. We’re working with more people to analyze such botnets and track their activities, and we’ll be reporting it here."
    (Info charts available at the URL above.)


  3. #3
    Adviser Team AplusWebMaster

    SPAM bots - 2009...

    FYI...

    - http://voices.washingtonpost.com/sec...ll_we_get.html
    January 13, 2009 - "The close of 2008 sounded the death knell for some of the most notorious spam networks on the planet. But already several new breeds of spam botnets - massive groups of hacked PCs used for spamming - have risen from the ashes, employing a mix of old and new tricks to all but ensure a steady flow of spam into e-mail boxes everywhere for many months to come... In its January Spam Report* (PDF), McAfee reports that while current spam levels have shown a significant increase in the last few weeks, they are still 40 percent lower than levels prior to the demise of McColo. Symantec, in its State of Spam report** (PDF) for January, says spam levels are now at 80 percent of their pre-McColo-shutdown levels."

    * http://www.mcafee.com/us/local_conte...port_jan09.pdf

    ** http://eval.symantec.com/mktginfo/en...2009.en-us.pdf

    - http://www.theregister.co.uk/2009/01...tnets_of_2009/
    14 January 2009

    Spam Botnets to watch in 2009
    - http://www.secureworks.com/research/...at=botnets2009
    January 13, 2009

    - http://www.marshal.com/trace/traceitem.asp?article=843
    January 12, 2009

    Last edited by AplusWebMaster; 2009-01-17 at 15:38.

  4. #4
    Adviser Team AplusWebMaster

    Waledac - new tactics & new domains...

    FYI...

    Inauguration Themed Waledac - New Tactics & New Domains
    - http://www.shadowserver.org/wiki/pmw...endar.20090119
    January 19, 2009 - "...the Inauguration of Barack Obama and the Waledac trojan has been in full swing attempting to take advantage of the event. Since late last week the trojan has been blasting its way across the Internet with e-mails attempting to bring unwitting users to a page that looks a lot like the official Barack Obama website. The page is updated each day to appear to have a new blog entry... As always do NOT visit these domains as they are malicious and hosting exploit code... Click here* for a full listing of Waledac domains that we are aware of - this link will be updated as we get them. Your best bet is to block these domains or otherwise avoid them..."
    * http://www.shadowserver.org/wiki/upl...ac_domains.txt
    Updated 01-21-2009


  5. #5
    Adviser Team AplusWebMaster

    Full Waledac domain listing

    FYI...

    Full Waledac Domain Listing
    - http://www.securityzone.org/?p=61
    January 24, 2009 - "Got the full list also being updated and posted on the Shadowserver website at the following URL:
    http://www.shadowserver.org/wiki/upl...ac_domains.txt
    Updated 01-25-2009 - 19:10 UTC

    ...Also, if you are interested in all things Waledac...
    http://sudosecure.net/waledac/ "
    Waledac Tracker Summary Data

    - http://www.shadowserver.org/wiki/pmw...endar.20090124
    January 24, 2009 - "...Add those to your block lists and do NOT visit them."

    Last edited by AplusWebMaster; 2009-01-26 at 12:59. Reason: List updated - again!

  6. #6
    Adviser Team AplusWebMaster

    Russian DDoS attack against Kyrgyzstan

    FYI...

    Kyrgyzstan Under DDoS Attack From Russia
    - http://preview.tinyurl.com/dfdf84
    January 28, 2009 Secureworks blog - "Since January 18, 2009, the two primary Kyrgyzstan ISPs (www .domain .kg, www .ns .kg) have been under a massive, sustained DDoS attack almost identical in some respects to those that targeted Georgia in August 2008. Few alternatives for Internet access exist in Kyrgyzstan. With just two smaller ISPs left to handle the load, these attacks from Russian IP address space have essentially knocked most of the small, Central Asian republic offline. Some believe that this is a way to silence rhetoric from a new and relatively powerful opposition coalition whose primary aim is the removal of current government officials, especially Kyrgyz President Kurmanbek Bakiyev, and a break from the administration's policies. On the other hand, others think these attacks are part of a Russian campaign to pressure Kyrgyz President Kurmanbek Bakiyev to close US access to a key airbase, which intensified on the same day as the DDoS attacks. That airbase is a key resource in the war against Islamist militants in Afghanistan... The use of cyber militias puts distance between the Russian government and shelters it from culpability for the peacetime use of information warfare tactics. There is often a combination of motives... With modern worms capable of quickly building 1+ million strong botnet armies, will we have countermeasures and contingency plans in place when the crosshairs lock on to our own infrastructure?"

    Russian 'cybermilitia' knocks Kyrgyzstan offline
    - http://preview.tinyurl.com/akct9k
    January 28, 2009 (Computerworld)

    - http://atlas.arbor.net/
    "...We are investigating ongoing DDoS issues in Kyrgyzstan..."
    - http://atlas.arbor.net/summary/dos


  7. #7
    Adviser Team AplusWebMaster

    Asprox goes phishing again

    FYI...

    Asprox goes phishing again
    - http://www.shadowserver.org/wiki/pmw...endar.20090129
    29 January 2009 - "The first time around with Asprox, we saw a little bit of phishing. The question with any botnet is "how do they make money off of this?" Phishing is certainly one way. Renting your botnet out to a phishing organization is probably an even better way. Much less risk for you, Mr. Botnet Herder. Today we saw a template update to the drones... Once you fill in some details, your form is submitted to <asprox node>... then your browser is redirected to the homepage of the real bank site. With Asprox's template capabilities, I imagine we'll see more of this."

    (Screenshot and more detail available at the URL above.)


  8. #8
    Adviser Team AplusWebMaster

    Waledac botnet...

    FYI...

    Trojan: W32/Waledac
    - http://atlas.arbor.net/briefs/index#-47237018
    Severity: High Severity
    Published: Friday, January 30, 2009 14:30
    "We have been tracking a new variant of the storm worm for the past month, approximately. This new version, dubbed Waledac, is a new rewrite of the Storm worm's engine but uses the same back end. Nodes are infected through malicious websites and join a P2P managed botnet using HTTP. Once infected, nodes send spam messages related to new infection lures and to pharmacy spam. The botnet also creates a fast flux service network.
    Analysis: This is a high severity threat and we have been working with various teams to help dissect the botnet. We do not anticipate that it will be resolved soon.
    Source: Trojan:W32/Waledac.gen - http://www.f-secure.com/v-descs/troj...edac_gen.shtml
    Source: Trojan:W32/Waledac.A - http://www.f-secure.com/v-descs/troj...aledac_a.shtml "

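    The fast-flux service networks described in posts #2 and #8 are normally identified from the DNS side rather than from the malware itself. The Python below is an added example, not code from Arbor, Shadowserver, F-Secure or the thread's author: it takes repeated lookups of one name and scores the features analysts relied on for this, namely short TTLs, many distinct A records, addresses spread across many ASNs, and churn between consecutive answers. The record sets, the ASN numbers and the thresholds are constructed for illustration; in practice the ASN for each address comes from a routing or WHOIS lookup, which is left out here so the block runs offline.

```python
"""Heuristic fast-flux scoring over repeated DNS A-record lookups (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ARecord:
    ip: str
    ttl: int   # seconds, as returned in the DNS answer
    asn: int   # origin AS of the address; supplied as constructed input here


# Constructed sample: two lookups of a fluxing name a few minutes apart.
# Addresses are from the RFC 5737 documentation ranges, ASNs are made up.
FLUXY_LOOKUPS: List[List[ARecord]] = [
    [ARecord("203.0.113.10", 180, 64501), ARecord("198.51.100.7", 180, 64502),
     ARecord("192.0.2.44", 180, 64503), ARecord("203.0.113.200", 180, 64504),
     ARecord("198.51.100.99", 180, 64505)],
    [ARecord("192.0.2.45", 180, 64503), ARecord("203.0.113.88", 180, 64506),
     ARecord("198.51.100.7", 180, 64502), ARecord("192.0.2.120", 180, 64507),
     ARecord("203.0.113.9", 180, 64508)],
]

# Constructed sample: a conventionally hosted name, same answer both times.
STABLE_LOOKUPS: List[List[ARecord]] = [
    [ARecord("192.0.2.1", 86400, 64500), ARecord("192.0.2.2", 86400, 64500)],
    [ARecord("192.0.2.1", 86400, 64500), ARecord("192.0.2.2", 86400, 64500)],
]


def flux_features(lookups: List[List[ARecord]]) -> Dict[str, float]:
    """Summarise a series of lookups into the four flux indicators."""
    all_ips, all_asns = set(), set()
    min_ttl = min(rec.ttl for answer in lookups for rec in answer)
    new_ips = total_ips = 0
    previous: set = set()
    for answer in lookups:
        current = {rec.ip for rec in answer}
        if previous:
            # churn: how much of this answer was absent from the previous one
            new_ips += len(current - previous)
            total_ips += len(current)
        previous = current
        all_ips |= current
        all_asns |= {rec.asn for rec in answer}
    churn = new_ips / total_ips if total_ips else 0.0
    return {
        "unique_ips": len(all_ips),
        "unique_asns": len(all_asns),
        "min_ttl": min_ttl,
        "churn": churn,
    }


def is_fast_flux(lookups: List[List[ARecord]],
                 max_ttl: int = 300, min_ips: int = 5,
                 min_asns: int = 3, min_churn: float = 0.5) -> Tuple[bool, Dict[str, float]]:
    """Flag a name when at least three of the four indicators trip.

    The thresholds are illustrative assumptions, not published cut-offs;
    tune them against known-good CDN names before relying on them.
    """
    feats = flux_features(lookups)
    hits = sum([
        feats["min_ttl"] <= max_ttl,
        feats["unique_ips"] >= min_ips,
        feats["unique_asns"] >= min_asns,
        feats["churn"] >= min_churn,
    ])
    return hits >= 3, feats


if __name__ == "__main__":
    for label, lookups in (("fluxy", FLUXY_LOOKUPS), ("stable", STABLE_LOOKUPS)):
        verdict, feats = is_fast_flux(lookups)
        print(f"{label}: fast-flux={verdict} {feats}")
```

    Requiring three of four indicators keeps a large CDN (many IPs and ASNs, but a stable answer set) from tripping the check on its own; the churn measure is what separates a fluxing name from legitimate round-robin hosting.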

  9. #9
    Adviser Team AplusWebMaster

    UkrTeleGroup shutdown...

    FYI...

    UkrTeleGroup shutdown...
    - http://news.softpedia.com/news/ISP-H...n-103400.shtml
    31 January 2009 - "UkrTeleGroup, a notorious ISP based in Ukraine, has been depeered by its uplink provider. In addition to the vast malicious activity originating from its address space, the ISP was also hosting the rogue DNS servers used by the Zlob (DNSChanger) family of trojans. Brian Krebs, journalist at The Washington Post, who also maintains the Security Fix blog, reports* that UkrTeleGroup Ltd. has been known to be involved in online criminal activity since as far back as 2005. As a result, security experts, from the likes of McAfee or the Internet Storm Center**, have recommended blocking all traffic from the IP block owned by the Ukrainian company. The Miami-based FPL FiberNet, which is part of the FPL Group, took the decision to terminate the contract with one of its customers, who was providing uplink to UkrTeleGroup, after receiving a complaint from its own service provider, including an inquiry from Mr. Krebs... The DNSChanger computer trojan comes in many variants, but all of them exhibit the same core concept of forcing the infected computers to use rogue DNS servers. These types of servers are used by computers to resolve domain names to IPs and the gang behind the trojan has proved particularly innovative in finding new ways to hijack them. While the original DNSChanger version was doing nothing more than modifying the Windows HOSTS file in order to override legit DNS responses, its latest mutations are capable of breaking into LAN routers and modifying their settings or hijacking DNS requests from wireless clients and poisoning the replies... Some researchers are pointing out that the DNSChanger gang started migrating its servers away from the UkrTeleGroup to other more difficult to reach ISPs in Eastern European countries, such as Latvia, a month ago. But even so, the takedown of UkrTeleGroup is bound to hinder the operations of other cyber criminal groups, who used its services to host phishing websites or malware distribution servers.
    This latest win for the security community comes after other similar efforts led to the shutdown, in 2008, of Atrivo/Intercage, a hosting provider affiliated with the notorious Russian Business Network, or the depeering of the infamous McColo ISP, which served as home for the command and control servers of many of the world's largest spam-sending botnets. ICANN terminating the accreditation of the EstDomains, the favorite domain registrant of cyber criminals, represented an important victory as well."

    * http://voices.washingtonpost.com/sec...st_sideli.html

    ** http://isc.sans.org/diary.html?storyid=5434

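    The two DNSChanger behaviours the article names, HOSTS-file overrides and redirection to rogue resolvers, are both visible from the host and lend themselves to a routine audit. The Python below is an added example, not code from Softpedia, the Internet Storm Center or this thread: it parses a HOSTS file, flags every name mapped to anything other than a loopback or unspecified address, and compares the resolvers a machine is configured to use against an administrator's allowlist. The HOSTS content, resolver addresses and allowlist are all constructed; the thread gives no resolver ranges, so none appear here, and on a real Windows host the inputs would come from %SystemRoot%\System32\drivers\etc\hosts and the adapter's DNS settings.

```python
"""Audit a HOSTS file and resolver configuration for DNSChanger-style tampering (added example)."""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Constructed HOSTS content. The .test names and 192.0.2.77 are illustrative only.
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.test              # blackholing an ad host is a common, benign use
192.0.2.77      www.examplebank.test examplebank.test   # constructed override of a bank name
"""

# Constructed: resolvers the administrator expects this host to use.
APPROVED_RESOLVERS: Set[str] = {"192.0.2.53", "198.51.100.53"}

# Constructed: resolvers actually found in the host's network configuration.
CONFIGURED_RESOLVERS: List[str] = ["203.0.113.9", "192.0.2.53"]


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname, ignoring comments and blank lines."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # an address with no names is inert
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed line, not a mapping
        for name in parts[1:]:
            entries.append((str(addr), name.lower()))
    return entries


def suspicious_hosts_entries(entries: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Keep only mappings that steer a name to a real address.

    Loopback and unspecified (0.0.0.0 / ::) targets are the normal, benign
    contents of a HOSTS file; anything else overrides DNS for that name.
    """
    flagged = []
    for ip, name in entries:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        flagged.append((ip, name))
    return flagged


def rogue_resolvers(configured: Iterable[str], approved: Set[str]) -> List[str]:
    """Resolvers in use that are not on the allowlist, in configuration order."""
    return [r for r in configured if r not in approved]


def audit(hosts_text: str, configured: Iterable[str], approved: Set[str]) -> Dict[str, list]:
    """Run both checks and return the findings for logging or alerting."""
    return {
        "hosts_overrides": suspicious_hosts_entries(parse_hosts(hosts_text)),
        "unapproved_resolvers": rogue_resolvers(configured, approved),
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_HOSTS, CONFIGURED_RESOLVERS, APPROVED_RESOLVERS)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

    The check deliberately tolerates 0.0.0.0 and ::1 targets so that ad-blocking HOSTS files do not drown the result in noise; the mapping of a bank name to a routable address is what a defender wants surfaced. The resolver comparison covers the later variants the article describes only in part, since a compromised router hands out its rogue resolvers through DHCP and the host-side list will then show them, but the router's own configuration still has to be inspected separately.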

  10. #10
    Adviser Team AplusWebMaster

    Botnet controllers for sale

    FYI...

    Botnet controllers for sale
    - http://sunbeltblog.blogspot.com/2009...-for-sale.html
    February 09, 2009 - "... Now, we see a development shop boasting about its work on malware. Sniffing around an iframedollars trojan, we saw a GET request to promake.me. This resulted in an additional trojan being downloaded..."

    (Screenshots available at the URL above.)

