
Thread: Pandemic of the botnets 2009

  1. #11
    Adviser Team AplusWebMaster
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    Multiple botnets spread Valentine's Day SPAM/malware

    FYI...

    Multiple botnets spread Valentine's Day SPAM/malware
    - http://preview.tinyurl.com/azlcnw
    2009-02-11 - E-week.com "...Researchers at Marshal8e6* have seen three distinct campaigns from three different botnets, as well as spam attacks from botnets they have not yet identified. Most of the Valentine's Day-related spam is coming from Waledac, which appeared on the scene late in 2008. Security pros now believe the botnet is the work of the minds behind the infamous Storm botnet that made headlines in 2007. After being targeted by Microsoft's Malicious Software Removal Tool, Storm limped through most of 2008 before disappearing completely in September... In its place came Waledac, which emerged in December with a blended threat Christmas e-card campaign. Like Storm, Waledac uses a peer-to-peer connection model with fast-flux DNS (Domain Name System) hosting and encrypted communications. Today, researchers speculate that Waledac may comprise as many as 20,000 bots... In addition to Waledac, the Pushdo botnet and others have joined in with their own Valentine's Day campaigns..."
    * http://marshal.com/trace/traceitem.asp?article=870
    Last Reviewed: February 11, 2009 - "...Please be wary this Valentine’s day and err on the side of caution. Avoid opening Valentine’s day e-card messages unless you can clearly identify and trust the sender."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #12
    Adviser Team AplusWebMaster

    Conficker disruption...

    FYI...

    Joint Effort at Conficker Disruption
    - http://www.shadowserver.org/wiki/pmw...endar.20090212
    12 February 2009 - "Today Microsoft announced a cooperative effort that has been underway to actively disrupt and contain the Conficker worm outbreak. The Shadowserver Foundation is honored and pleased to be part of this effort which is truly the first of its type. This project brings together those organizations that can effect change at the domain level where the botnet traditionally anchors itself... If these domains can be identified, and have their DNS pointed to a friendly server instead of the C&C, you accomplish several good things. First, you've essentially crippled the botnet, and second you're now able to identify all the infected drones trying to connect to the C&C since they are now attempting connections to that friendly server. Shadowserver has employed various processes to identify the domain names, act as that friendly server, and enumerate the orphaned drones. We add this data to our freely distributed report process which notifies the appropriate network operators that there are infected machines on their network. In the case of Conficker/Downadup, we've actually been watching this for some time, and playing the role of a 'friendly' server for over a month... We at Shadowserver are very hopeful that this effort is foundational, one that will gain traction and attention from those organizations that can make a difference. The issue now is truly global. The botnet scourge is monumental. It requires worldwide coordination and cooperation among industry, government, and law enforcement. Working in silos and in isolation won't work any longer. As a non-profit, vendor-neutral organization, Shadowserver is committed to this effort and in working with other groups dedicated to improving the safety of the Internet..."

    - http://www.microsoft.com/Presspass/p...nfickerPR.mspx
    Feb. 12, 2009

    - http://preview.tinyurl.com/aaoefb
    02-12-2009 Symantec Security Intel Analysis Team

    - http://preview.tinyurl.com/ah9neb
    February 12, 2009 (Computerworld)

    Third party information on conficker
    - http://isc.sans.org/diary.html?storyid=5860
    Last Updated: 2009-02-13 06:45:53 UTC - "(This will be updated as more information becomes public)... Removal Instructions, Removal Tools..." etc.

    - http://atlas.arbor.net/briefs/index#847040090
    February 13, 2009 - "Microsoft has announced that it has been working with various industry partners, Arbor Networks included, to thwart the use of the domain names generated by the Conficker worm to block the attacker from making updates to the worm. Sinkholes are being coordinated to identify infected hosts and to share the data with the necessary parties, as well.
    Analysis: This is an unprecedented move and should help keep the worm from growing into a larger problem. The worm continues to spread and the population has grown to as many as 12 million or more..."

    Last edited by AplusWebMaster; 2009-02-16 at 03:38.
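The post above describes the sinkhole model: point the worm's domains at a friendly server, then read that server's logs to enumerate the drones and tell each network operator what is infected on its network. The following is an added example of that enumeration step, not Shadowserver's own tooling; the log lines, host names, addresses and the operator table are constructed for illustration.

```python
# Added example (not Shadowserver's own tooling): enumerate infected drones from
# a sinkhole's HTTP access log and group them by the network operator to notify.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (combined log format plus the requested Host as a last
# field). Addresses and the worm-generated names are made up for illustration.
SINKHOLE_LOG = """\
198.51.100.23 - - [13/Feb/2009:10:01:12 +0000] "GET / HTTP/1.0" 200 0 "-" "-" "abcxyz.example"
198.51.100.23 - - [13/Feb/2009:10:03:45 +0000] "GET / HTTP/1.0" 200 0 "-" "-" "qwerty.example"
203.0.113.7 - - [13/Feb/2009:10:05:02 +0000] "GET / HTTP/1.0" 200 0 "-" "-" "abcxyz.example"
192.0.2.9 - - [13/Feb/2009:11:15:30 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0" "sinkhole.example"
"""

# Constructed operator table: which prefix belongs to which network operator.
OPERATORS = {
    ipaddress.ip_network("198.51.100.0/24"): "ISP-A (abuse@isp-a.example)",
    ipaddress.ip_network("203.0.113.0/24"): "ISP-B (abuse@isp-b.example)",
}

# Only requests for a sinkholed, worm-generated name count as drone check-ins;
# crawlers and curious humans reaching the server by its real name do not.
SINKHOLED_NAMES = {"abcxyz.example", "qwerty.example"}

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d+ \d+ "[^"]*" "[^"]*" "([^"]+)"$'
)


def enumerate_drones(log_text):
    """Return {ip: {"first": dt, "last": dt, "hits": n}} for sinkholed check-ins."""
    drones = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) not in SINKHOLED_NAMES:
            continue  # unparsable, or ordinary traffic to the sinkhole host
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        d = drones.setdefault(ip, {"first": ts, "last": ts, "hits": 0})
        d["first"], d["last"] = min(d["first"], ts), max(d["last"], ts)
        d["hits"] += 1
    return drones


def reports_by_operator(drones):
    """Group drone IPs by the operator whose prefix contains them ('unknown' otherwise)."""
    reports = defaultdict(list)
    for ip in sorted(drones, key=ipaddress.ip_address):
        addr = ipaddress.ip_address(ip)
        owner = next((name for net, name in OPERATORS.items() if addr in net), "unknown")
        reports[owner].append(ip)
    return dict(reports)


if __name__ == "__main__":
    for owner, ips in reports_by_operator(enumerate_drones(SINKHOLE_LOG)).items():
        print(owner, ips)
```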

  3. #13
    Adviser Team AplusWebMaster

    MS08-067 - Conficker B++ released...

    FYI...

    - http://mtc.sri.com/Conficker/#fig-libemu
    Last Update: 21 February 2009 - "...the Conficker authors have released a variant of Conficker B, which significantly upgrades their ability to flash Conficker drones with Win32 binaries from any address on the Internet. Here, we refer to this variant as Conficker B++... On Feb 16, 2009, we received a new variant of Conficker. At a quick glance, this variant resembles Conficker B. In particular, it is distributed as a Windows DLL file and is packed similarly. Furthermore, dynamic analysis revealed that this domain generation algorithm was identical to that of Conficker B. Hence, we initially dismissed this as another packaging of Conficker B. However, deeper static analysis revealed some interesting differences. Overall, when we performed a comparative binary logic analysis (see Appendix 2 - Horizontal Malware Analysis) comparing Conficker B with Conficker B++, we obtained a similarity score of 86.4%. In particular, we found that out of 297 subroutines in Conficker B, only 3 were modified in Conficker B++ and around 39 new subroutines were added..."

    Appendix I: Conficker Census
    - http://mtc.sri.com/Conficker/#appendix-1

    Appendix 2 - Horizontal Malware Analysis
    - http://mtc.sri.com/Conficker/HMA/index.html

    - http://blogs.technet.com/mmpc/archiv...tionality.aspx
    February 20, 2009 - "... Future versions of the MSRT will detect this sample as Worm:Win32/Conficker.C* while the MSRT which was released earlier this month detects it as Worm:Win32/Conficker.B. The new sample has modifications which introduce new backdoor functionality. Previous versions of Conficker patched netapi32.dll in memory to prevent further exploitation of the vulnerability addressed by bulletin MS08-067. We’ve discovered that the new variant no longer patches netapi32.dll against all attempts to exploit it. Instead it now checks for a specific pattern in the incoming shellcode and for a URL to an updated payload. The payload only executes if it is successfully validated by the malware. However, there doesn’t appear to be an easy way for the authors to upgrade the existing Conficker network to the new variant. This change may allow the author to distribute malware to machines infected with this new variant. This might be a response to the fact that they no longer have the ability to register many of the Conficker domains... note that this is a polymorphic threat..."
    * http://www.microsoft.com/security/po...%2fConficker.C

    Last edited by AplusWebMaster; 2009-02-25 at 04:03.

  4. #14
    Adviser Team AplusWebMaster

    Waledac coupon campaign & updated Domain List

    FYI...

    Waledac coupon campaign & updated Domain List
    - http://www.shadowserver.org/wiki/pmw...endar.20090302
    March 02, 2009 - "... The domains are kept updated at the following URL:
    http://www.shadowserver.org/wiki/upl...ac_domains.txt
    Waledac Domain List - Updated 03-01-2009...
    We have also introduced a new URL which is all of the Waledac domains in alphabetical order with no comments or anything else. It currently has 143 domains on it and can be reached via the following URL:
    http://www.shadowserver.org/wiki/upl...ledac_list.txt
    These should both be updated at the same time from now on as we add new ones to the list. Please use the domains as you see fit for detecting malicious activity and proactive blocking...
    New Theme & Exploits
    In the last week or so too, you may have noticed that Waledac recently moved to a new theme about the Economic Crisis and having downloadable coupons. This is just the latest social engineering lure to attempt to get users to install the trojan on their system. Additionally, for some time now, Waledac has been linking to exploit code that it hosts itself. Lately the domain involved seems to frequently be "chatloveonline .com" with an iframe pointing to it and the URL "/tds/Sah7". So be on the lookout and don't visit Waledac domains to avoid the exploits."


  5. #15
    Adviser Team AplusWebMaster

    Conficker variant - new domain algorithm generates 50,000-a-day...

    FYI...

    Conficker variant - new domain algorithm generates 50,000-a-day...
    - http://preview.tinyurl.com/aegncn
    03-06-2009 (Symantec Security Response Blog) - "Symantec’s ongoing monitoring of Downadup (a.k.a. Conficker) has today resulted in the observation of a completely new variant being pushed out to systems that are already infected with Downadup. After taking into account the hype surrounding some other recent reports of variants* of Downadup, Symantec is calling this new variant W32.Downadup.C. Our analysis of the sample in question is still ongoing and at an early stage, but our initial findings have already revealed some interesting new attributes for this sample. It does not seem to be using any existing or new means to spread the threat to new machines. It is targeting antivirus software and security analysis tools with the aim of disabling them... Downadup authors have now moved from a 250-a-day domain-generation algorithm to a new 50,000-a-day domain generation algorithm. The new domain generation algorithm also uses one of a possible 116 domain suffixes... The most effective step that organizations and end users can take is to ensure that their computers have up-to-date antivirus software and patches."

    * https://forums2.symantec.com/t5/Mali...nt/ba-p/391186
    02-23-2009 - "... new variant of Downadup (a.k.a. Conficker), which has been dubbed Downadup.B++ or Conficker.C... one could categorize Downadup into three variants..."

    W32.Downadup.C
    - http://www.symantec.com/business/sec...852-99&tabid=2
    Updated: March 6, 2009 10:38:28 PM
    Updated: March 7, 2009 5:30:25 PM
    Updated: March 8, 2009 9:23:42 AM
    Updated: March 11, 2009 4:12:59 PM
    Type: Trojan, Worm
    Infection Length: 88,576 bytes
    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

    Last edited by AplusWebMaster; 2009-03-11 at 22:55.

  6. #16
    Adviser Team AplusWebMaster

    Conficker variant new domain algorithm generates 50,000-a-day...

    FYI...

    - http://blog.trendmicro.com/new-downa...tes-more-urls/
    Mar. 11, 2009 - "... yet another variant of the infamous DOWNAD family... DOWNAD (also known as Conficker) is one of the more destructive outbreak worms in the Web threat era, with numbers matching those of giant botnets Storm and Kraken... The two earlier DOWNAD worms, as of this month, have already infected a million PCs based on Trend Micro’s World Virus Tracking Center... Security researchers estimate the global infection at around nine million PCs... added features include the increased number of generated domains, from the 250 generated by the earlier variants to 50,000. While the worm only attempts to connect to around 500 randomly selected domains at a time, this modification is seen as an effort to add survivability to the DOWNAD botnet... blocking these domains is almost impossible not only because of the daily volume, but also because there is a high possibility of legitimate domain collisions where DOWNAD generates domains already in use by legitimate entities. Like the other DOWNAD worms, this new variant also blocks access to antivirus-related sites, as well as terminating security tools..."

    W32.Downadup.C
    - http://www.symantec.com/business/sec...852-99&tabid=2
    Updated: March 11, 2009 - "... If the date and time is on or after 1st April 2009, it uses the date information to generate a list of domain names..."

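Posts #15 and #16 above report the jump from 250 to 50,000 generated domains a day, with each bot trying only around 500 of them. The following added example (not code from Symantec, Trend Micro or the worm's authors) works out what that does to the odds that a bot reaches a registered domain, whether the controller's or a sinkhole operator's. It assumes bots pick their 500 names uniformly without replacement from the day's 50,000 and that registered names are among the generated set; the 250-name comparison and the nine-million population are taken from the quoted estimates, with the assumption that the earlier variant tried all of its names.

```python
# Added example (not code from Symantec, Trend Micro or the Conficker authors):
# why generating 50,000 domains a day while each bot tries only ~500 of them
# makes the botnet hard to cut off, and what that implies for sinkholing.
from math import comb

DOMAINS_PER_DAY = 50_000  # generated by the new variant (figure from the reports)
TRIED_PER_BOT = 500       # randomly selected domains a bot contacts at a time


def contact_probability(registered, generated=DOMAINS_PER_DAY, tried=TRIED_PER_BOT):
    """Probability that one bot, sampling `tried` of the `generated` domains
    uniformly without replacement, reaches at least one of the `registered`
    domains (whoever registered them: the controller or a sinkhole operator).
    Assumption: the registered names are among the generated set.
    P(miss) is hypergeometric: C(generated - registered, tried) / C(generated, tried)."""
    if registered <= 0:
        return 0.0
    if registered > generated - tried:
        return 1.0  # not enough unregistered names left for a bot to miss them all
    return 1.0 - comb(generated - registered, tried) / comb(generated, tried)


def expected_checkins(population, registered, **kw):
    """Expected number of bots out of `population` that check in on one day."""
    return population * contact_probability(registered, **kw)


def registrations_for_coverage(target, generated=DOMAINS_PER_DAY, tried=TRIED_PER_BOT):
    """Smallest number of registered domains that gives each bot at least
    `target` probability of reaching one of them on a given day."""
    k = 0
    while contact_probability(k, generated, tried) < target:
        k += 1
    return k


if __name__ == "__main__":
    # With nine million infected PCs (the estimate quoted above), one registered
    # domain out of 50,000 still reaches about 1% of bots, i.e. ~90,000 hosts.
    print(expected_checkins(9_000_000, 1))
    # Assumed for comparison only: an earlier variant trying all 250 of its
    # 250 daily names. Registering a single name then reaches every bot.
    print(contact_probability(1, generated=250, tried=250))
    # Domains a sinkhole operator would have to hold to reach half the bots per day.
    print(registrations_for_coverage(0.5))
```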

  7. #17
    Adviser Team AplusWebMaster

    Conficker C analysis

    FYI...

    Conficker C analysis
    - http://mtc.sri.com/Conficker/addendumC/
    Last Update: 19 March 2009 - "...One major implication from the Conficker B and C variants, as well as other now recently emerging malware families, is the sophistication with which they are able to terminate, disable, reconfigure, or blackhole native operating system (OS) and third-party security services. We provide an in-depth analysis of Conficker's Security Product Disablement logic* ... Those responsible for this outbreak have demonstrated Internet-wide programming skills, advanced cryptographic skills, custom dual-layer code packing and code obfuscation skills, and in-depth knowledge of Windows internals and security products. They are among the first to introduce the Internet rendezvous point scheme, and have now integrated a sophisticated P2P protocol that does not require an embedded peer list. They have continually seeded the Internet with new MD5 variants, and have adapted their code base to address the latest attempts to thwart Conficker. They have infiltrated government sites, military networks, home PCs, critical infrastructure, small networks, and universities, around the world... C then installs several in-memory patches to DLLs, and embeds other mechanisms to thwart security applications that would otherwise detect its presence. C modifies the host domain name service (DNS) APIs to block various security-related network connections (Domain Lookup Prevention), and installs a pseudo-patch to repair the 445/TCP vulnerability, while maintaining a backdoor for reinfection (Local Host Patch Logic). This pseudo patch protects the host from buffer overflows by sources other than those performed by the Conficker authors or their infected peers. Like Conficker B, C incorporates logic to defend itself from security products that would otherwise attempt to detect and remove it. C spawns a security product disablement thread. This thread disables critical host security services, such as Windows Defender, as well as Windows services that deliver security patches and software updates. These changes effectively prevent the victim host from receiving automated software updates. The thread disables security update notifications and deactivates safeboot mode as a future reboot option. This first thread then spawns a new security process termination thread, which continually monitors for and kills processes whose names match a blacklisted set of 23 security products, hot fixes, and security diagnosis tools..."
    * http://mtc.sri.com/Conficker/addendu...uctDisablement


  8. #18
    Adviser Team AplusWebMaster

    Conficker Removal Tools - updated

    FYI...

    Third party information on Conficker
    - http://isc.sans.org/diary.html?storyid=5860
    Last Updated: 2009-03-30 18:34:41 UTC ...(Version: 4)
    (See "Removal Tools")

    Last edited by AplusWebMaster; 2009-03-31 at 13:12.

  9. #19
    Adviser Team AplusWebMaster

    Updates on Conficker...

    FYI... a few updates on Conficker. Currently, some AVs are "Scanning for 1,328,914 virus strains and unwanted programs...". Conficker is just a few of them.

    - http://www.secureworks.com/research/...il-fools-hype/
    March 27, 2009 - "... If you’re reading this, you’re probably not infected with Conficker.C. If you were already infected, you wouldn’t be able to access any page on secureworks.com, due to the worm author’s apparent dislike for the removal instructions we posted for earlier Conficker variants..."

    - http://blogs.technet.com/msrc/archiv...nficker-d.aspx
    March 27, 2009

    - http://www.f-secure.com/weblog/archives/00001636.html
    March 26, 2009


  10. #20
    Adviser Team AplusWebMaster

    Conficker removal tool...

    FYI...

    - http://windowssecrets.com/comp/090330#story1
    2009-03-30 - "... Conficker.C interferes with access to sites containing the following strings (as well as scores of other strings not shown here) in any portion of the URL:
    antivir ca. cert. conficker f-secure kaspersky mcafee
    microsoft msdn. msft. norton panda safety.live sans.
    symantec technet trendmicro windowsupdate

    ... the only people who can access the Conficker removal tools these writers recommend are people whose PCs are -not- infected with Conficker.C... BitDefender has set up a new domain from which users can download free Conficker disinfectant utilities..."
    - http://www.bdtools.net/how-to-remove-downadup.php

    Last edited by AplusWebMaster; 2009-03-31 at 05:52.
