
Thread: Pandemic of the botnets 2009

  1. #21
    Adviser Team AplusWebMaster
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    MS08-067 exploit in the wild

    FYI...

    Third party information on conficker
    - http://www.dshield.org/diary.html?storyid=5860
    Last Updated: 2009-04-11 18:15:39 UTC ...(Version: 9) <<<
    (See "Removal Tools")

    Conficker Eye Chart
    - http://www.confickerworkinggroup.org...feyechart.html
    04.01.2009 - (See: "Explanation" at bottom of page there)

    Last edited by AplusWebMaster; 2009-04-22 at 19:32. Reason: Removal Tools updated...
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #22
    AplusWebMaster

    MS08-067 exploit updated...

    FYI...

    - http://preview.tinyurl.com/dl3pz9
    04-08-2009 Symantec Security Response Blog - "We have come across a system infected with W32.Downadup.C that has provided some interesting information. We discovered some similarly named files, 484528750.exe and 484471375.exe, which had shown up in the \Windows\temp folder within one minute of each other. These files turned out to be W32.Waledac and a modified W32.Downadup variant, respectively..."

    - http://www.viruslist.com/en/weblog?weblogid=208187654
    April 09, 2009 Kaspersky blog - "The computers infected with Trojan-Downloader.Win32.Kido (aka Conficker.c) contacted each other over P2P, telling infected machines to download new malicious files... once again it’s a worm, and it’s only functional until 3rd May... One of the files is a rogue antivirus app... The first version of Kido, detected back in November 2008, also downloaded fake antivirus to the infected machine. And once again, six months later, we’ve got unknown cybercriminals using the same trick. The rogue software, SpywareProtect2009, can be found on spy-protect-2009 .com., spywrprotect-2009 .com, spywareprotector-2009 .com... Once it’s run, you see the app interface, which naturally asks if you want to remove the threats it’s “detected”. Of course, this service comes at a price - $49.95... At the moment, the rogue antivirus comes from sites located in Ukraine (131-3.elaninet .com.78.26.179.107) although Kido is downloading it from other sites. The latest version of Kido also downloads Email-Worm.Win32.Iksmas.atz to infected systems. This email worm is also known as Waledac, and is able to steal data and send spam... Both Kido and Iksmas are now present on infected machines and part of the gigantic botnet designed to conduct spam mailings..."
    (Screenshots available at the viruslist/Kaspersky URL above.)

    - http://www.f-secure.com/weblog/archives/00001652.html
    April 9, 2009

    - http://asert.arbornetworks.com/2009/...-the-internet/
    April 9, 2009

    Last edited by AplusWebMaster; 2009-04-10 at 19:03. Reason: Added F-secure and ATLAS blog links...

  3. #23
    AplusWebMaster

    New Waledac variant in the wild

    FYI...

    New Waledac variant in the wild
    - http://securitylabs.websense.com/con...erts/3343.aspx
    04.16.2009 - " Websense... has detected a new Waledac variant in the wild being distributed via email since yesterday. The new campaign uses a theme whereby the user is enticed to download an application that will permit them to view other people's SMS messages online. The download file uses alternating filenames, including sms.exe, freetrial.exe, and smstrap.exe. ThreatSeeker has identified thousands of spam emails using this theme. Not all major antivirus vendors are currently detecting this threat..."

    Waledac - New Campaign, New Domains, GeoCities, and SpywareProtect2009
    - http://www.shadowserver.org/wiki/pmw...endar/20090416
    16 April 2009

    - http://blog.trendmicro.com/new-waled...ping-software/
    Apr. 16, 2009

    - http://www.f-secure.com/weblog/archives/00001658.html
    April 16, 2009

    (Screenshots available at all URLs above.)

    Fake SMS Reader Spam in Russian Language: Malicious Web Site / Malicious Code
    - http://securitylabs.websense.com/con...erts/3344.aspx
    04.16.2009

    - http://blog.trendmicro.com/online-ca...s-and-waledac/
    Apr. 15, 2009 - "... Waledac updated its spam emails and is now spamming online casino advertisements..."
    (Screenshots available at the TrendMicro URL above.)

    Last edited by AplusWebMaster; 2009-04-17 at 20:18. Reason: Added Shadowserver and TrendMicro links...

  4. #24
    AplusWebMaster

    WALEDAC’s latest Spamming fetish

    FYI...

    WALEDAC’s latest Spamming fetish
    - http://blog.trendmicro.com/waledac%E...amming-fetish/
    Apr. 21, 2009 - "WALEDAC has found a new fetish — spamming users with email messages on free foot fetish movies... clicking the link in the spammed email redirects users to websites featuring foot fetish videos. WALEDAC is notorious for employing various social engineering techniques that lead users to a series of malware infections. This being the third of the recent WALEDAC spam runs we’ve seen, it’s quite safe to assume we’ll be seeing more of these runs in the near future."
    (Screenshots available at the URL above.)

    - http://www.shadowserver.org/wiki/pmw...endar/20090421
    21 April 2009


  5. #25
    AplusWebMaster

    New botnet found - 1.9M bots...

    FYI...

    New botnet found - 1.9M bots
    - http://www.finjan.com/MCRCblog.aspx?EntryId=2237
    Apr 22, 2009 - "... recent discovery of a network of 1.9 million infected computers controlled by cybercriminals... We found that the botnet’s command and control server is hosted in Ukraine. As folders on this server were left open, we were able to get more information for our research. The server has a nice backend management application making it easy for the attackers to manage the infected machines. One of the management console features that we identified is a Command Editing panel through which instructions are sent to the infected machines (bots). We have seen commands asking the bots to download and execute additional malware, download settings files, apply update files etc... This command instructs the bot on the infected computers to download and execute a Trojan horse... only 4 out of 39 Anti-Virus products detected this Trojan... The description field of this command led us to a hacker’s forum in Russia with a post requesting to trade in infected computers... (Another) command instructs the infected machines to download and execute a Trojan horse that later installs a group of other malicious executables without the user’s consent... Overall, the cybergang can remotely execute anything it likes on the infected computers. The log file on the server disclosed the IP addresses of the infected computers and their names in the network..."

    (Screenshots available at the URL above.)


  6. #26
    AplusWebMaster

    Gov systems found on 1.9m zombie botnet

    FYI...

    Gov systems found on 1.9m zombie botnet
    - http://www.theregister.co.uk/2009/04...botnet_server/
    22 April 2009 - "... cybercrooks collectively compromised computers in 77 government-owned domains (.gov) from the UK, US and various other countries. The malware that featured in the attack allowed hackers complete control of compromised PCs, nearly all of which were running Windows XP. A variety of malicious actions, from reading emails to copying files, keystroke logging, and spam distribution were all possible. Since discovering the botnet, Finjan has supplied information on the server to UK and US law enforcement agencies. The command server is now out of commission. Finjan has informed affected corporate and government agencies about infected computer names, in a move that will hopefully result in a clean-up operation..."


  7. #27
    AplusWebMaster

    Tracking Spam Botnets...

    FYI...

    Tracking Spam Botnets...
    - http://www.marshal8e6.com/trace/bot_statistics.asp
    April 12, 2009 - "...spamming botnets are constantly in flux. Botnets morph, become obsolete, replaced, taken down, and upgraded. One thing is clear, a mere handful of botnets are responsible for the bulk of all spam sent. This page pulls together some of the results of our latest research, highlighting details about some of the most notorious spamming botnets..."
    (Graphs and more detail available at the Marshal URL above.)

    - http://www.theregister.co.uk/2009/04...et_speed_test/
    23 April 2009 - "... Xarvester and Rustock threw off the most junk mail, 25K messages an hour or the equivalent of 600K spams a day. The data on spam rates was harvested from a wider research project into botnets run by Marshal8e6 over the last two years..."


  8. #28
    AplusWebMaster

    Botnet probe finds 70GB of data...

    FYI...

    Botnet probe turns up 70GB of personal, financial data
    - http://preview.tinyurl.com/cmzd68
    May 4, 2009 (Computerworld) - "...it steals personal and financial data. The botnet, known as Torpig or Sinowal, is one of the more sophisticated networks that uses hard-to-detect malicious software to infect computers and subsequently harvest data such as e-mail passwords and online banking credentials. The researchers were able to monitor more than 180,000 hacked computers by exploiting a weakness within the command-and-control network used by the hackers to control the computers. It only worked for 10 days, however, until the hackers updated the command-and-control instructions... Still, that was enough of a window to see the data-collecting power of Torpig/Sinowal. In that short time, about 70GB of data were collected from hacked computers. The researchers stored the data and are working with law enforcement agencies such as the U.S. Federal Bureau of Investigation, ISPs and even the U.S. Department of Defense to notify victims... Torpig/Sinowal can pilfer user names and passwords from e-mail clients such as Outlook, Thunderbird and Eudora while also collecting e-mail addresses in those programs for use by spammers. It can also collect passwords from Web browsers. Torpig/Sinowal can infect a PC if a computer visits a malicious Web site that is designed to test whether the computer has unpatched software, a technique known as a drive-by download attack... The researchers found out that Torpig/Sinowal ends up on a system after it is first infected by Mebroot, a rootkit that appeared around December 2007. Mebroot infects a computer's Master Boot Record (MBR), the first code a computer looks for when booting the operating system after the BIOS runs. Mebroot is powerful since any data that leaves the computer can be intercepted. Mebroot can also download other code to the computer. Torpig/Sinowal is customized to grab data when a person visits certain online banking and other Web sites. It is coded to respond to more than 300 Web sites, with the top targeted ones being PayPal, Poste Italiane, Capital One, E-Trade and Chase bank, the paper said*. If a person goes to a banking Web site, a falsified form is delivered that appears to be part of the legitimate site, but asks for a range of data a bank would not normally request, such as a PIN (personal identification number) or a credit card number... Web sites using SSL (Secure Sockets Layer) encryption are -not- safe if used by a PC with Torpig/Sinowal, since the malicious software will grab information before it is encrypted..."
    * http://www.cs.ucsb.edu/~seclab/proje...pig/index.html


  9. #29
    AplusWebMaster

    McAfee: 12M added to botnets Q1-2009

    FYI...

    McAfee: 12M added to botnets Q1-2009
    - http://newsroom.mcafee.com/article_d...rticle_id=3515
    May 05, 2009 - "... cybercriminals have taken control of almost 12 million new IP addresses since January, a 50 percent increase since 2008... Cybercriminals are building an army of infected, “zombie” computers to recover from last November’s takedown of a central spam-hosting ISP...
    Other Key Findings:
    • The Koobface virus has made a resurgence, and more than 800 new variants of the virus were discovered in March alone
    • Servers hosting legitimate content have increased in popularity with malware writers to distribute malicious and illegal content
    • Cybercriminals are increasing their use of URL redirects and Web 2.0 sites to disguise their location
    • Compared to the overall landscape, the Conficker worm represents a small subset of all threat reports. Autorun malware, a vector used by certain Conficker variants, represented only 10% of all detections reported during the first quarter.
    To view the full report, please visit: http://www.mcafee.com/threatsreport ."


  10. #30
    AplusWebMaster

    Botnet self-destructs - "Zeus" command

    FYI...

    Botnet self-destructs - "Zeus" command
    - http://voices.washingtonpost.com/sec...uclear_op.html
    May 7, 2009 - "... Hüssy oversees Zeustracker*, a Web site listing Internet servers that use Zeus**, a kit sold for about $700 on shadowy cyber criminal forums to harvest data from computers infected with a password-stealing Trojan horse program. One of Zeus's distinguishing features is a tool that helps each installation on a victim PC look radically different from the next as a means to evade detection by anti-virus tools. According to Hüssy, among Zeus's many features is the "kos" option, which stands for "kill operating system"... In early April, Hüssy began tracking a Zeus control server used to receive data stolen from a botnet of more than 100,000 infected systems, mostly located in Poland and Spain. While investigating this newfound Zeus control server, he noticed something unusual: the "kill operating system" command had just been issued to all 100,000 infected systems. Hüssy said he has no idea why the botnet was destroyed... Currently, about one-third of the sites listed at Zeustracker are hacked or free Web services..."
    * https://zeustracker.abuse.ch/monitor.php?filter=online
    ** http://rsa.com/blog/blog_entry.aspx?id=1274

