Page 4 of 6 FirstFirst 123456 LastLast
Results 31 to 40 of 59

Thread: Pandemic of the botnets 2009

  1. #31
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Pirated Windows 7 comes with trojan - botnet

    FYI...

    - http://www.darkreading.com/shared/pr...leID=217400548
    May 12, 2009 - "A pirated version of the new Windows 7 operating system release candidate that has been circulating around the Internet is also building out a botnet. The rogue OS, which is rigged with a Trojan downloader*, at one point had around 27,000 bots in its control as of May 10, when researchers took over the command and control server that communicated with the bots and served them additonal malware. At the height of the botnet buildup, the botmaster was recruiting over 200 machines an hour... Damballa researchers on Sunday grabbed control of the C&C domain, but they say this is likely just one of many versions of rogue Windows 7 OS... Damballa's Cox says most traditional antivirus software is unable to detect the pirated Windows 7 Trojan because the OS itself is infected and most AV solutions don't yet support Windows 7..."
    * http://blog.trendmicro.com/cybercrim...-windows-7-rc/

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #32
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Pushdo botnet - recent findings

    FYI...

    - http://blog.trendmicro.com/pushdocut...t-of-spamming/
    May 12, 2009 - "... One of the biggest spamming botnets out there is Pushdo. This botnet has managed to stay under the radar since 2007 even though it has been reported to be responsible for a huge percentage of the spam worldwide. It has even managed to make it consistently to the Top 5 largest botnets without ever reaching number one. There are reports of 7.7 billion spammed emails per day coming from this botnet, which puts it in the Top 2 largest spamming botnets worldwide... One of the latest batches contains an executable which displayed popup ads to the user, most probably from an advertiser who paid good money for the mass-deployment of their software. The only component that is always present is the spamming engine, which some antivirus vendors have dubbed as Cutwail..."

    - http://blog.trendmicro.com/pushdocut...e-part-2-of-5/
    May 13, 2009 - "... The famous Storm botnet from 2008 had strong links to the so-called Russian Business Network operating out of St.Petersburg, and from our research it appears that Pushdo is linked to the Moscow area. Like other spam botnets Pushdo’s spamming component, known as Cutwail, sends spam in waves, each advertising a particular service. Normally these consist of porn, pharmacy spam etc – but it was when we started to see ads for Salsa classes and Construction services that we became really interested... As part of our research we contacted the gang on one of the numbers they provided, posing as a potential customer of their spamming services. As customer service satisfaction goes these guys were very helpful, providing us with bank account details that we could pay them through, and even offering to pick up the money in person if we were based in Moscow. On top of that they would throw in a free website design to promote our business, and offered to craft their “advertising mail services” (that’s unsolicited spam to you and me) to best avoid anti-spam signatures..."

    (Screenshots available at both URLs above.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  3. #33
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation The "Finjan botnet"...

    FYI...

    - http://www.secureworks.com/research/...-trojan-trail/
    May 12, 2009 - "... The "Finjan botnet" appears to be large... credit to FireEye for trying to track down the Finjan Botnet that Finjan first reported on. Reading through the Finjan and FireEye write-ups, one is able to reconstruct the trail and also discover the path taken. We can see two major types of Trojans that play a part in this. We have the VBInject Trojan and the AutoIt Trojan... There are two servers on the same network to which -VBInject- phones home: x.x.62.2 and x.x.21.186. The server at x.x.21.186 is no longer responsive and appears down at this time. The server at x.x.62.2 is still up and DNS still responds with that IP address for the domain name used in these attacks. If you actually try to browse to that domain though, you will not arrive at this server. As you can see from reading the FireEye article, the Trojan phones home to /ldr/loadlist.php. It downloads more malware from /ldr/dl/. One of the Trojans it downloads is -AutoIt-... This is the AutoIt Trojan phoning home and the response is to download around 15 pieces of malware...
    As you can see by following the trail, gone are the days where you have just one Trojan infection. When you become infected today, it is best to just do a complete reformat of your machine instead of trying to recover it, because you really don’t know how many infections you have. I have read plenty of articles where someone cleans their machine and they think everything is fine only to find more malware days to weeks later.
    There is not any perfect AV tool; there is no perfect solution for any one problem. Your best defense is to practice what is called defense in depth and to only go to known websites. Don’t open mail from people you don’t know and be careful opening attachments from people that you do know. Update your OS and software regularly, including AV. Just having AV does not mean that you are protected; you also have to keep it updated."
    • FireEye Blog - http://blog.fireeye.com/research/200...b-part-ii.html
    • Finjan article - http://www.finjan.com/MCRCblog.aspx?EntryId=2237
    • Prevx shows ZCHMIB.EXE - http://www.prevx.com/filenames/15216...CHMIB.EXE.html
    • ThreatExpert shows TDSS/Seneka activity - http://www.threatexpert.com/report.a...e7dc62554318ac

    (More detail and screenshots available at the Secureworks URL above.)

    // http://forums.spybot.info/showpost.p...6&postcount=25
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  4. #34
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Conficker continues to spread

    FYI...

    Conficker continues to spread
    - http://viewfromthebunker.com/2009/05...ues-to-spread/
    May 20, 2009 - "... the Symantec threat intelligence team estimates there are 50,000 newly infected PCs a day right now... the US, Brazil and India top the charts."

    (Chart available at the URL above.)

    - http://isc.sans.org/diary.html?storyid=5860

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #35
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Golden Cash botnet

    FYI...

    Golden Cash botnet
    - http://www.finjan.com/MCRCblog.aspx?EntryId=2281
    June 17, 2009 - "... A user visits a legitimate compromised website which contains malicious Iframe. This Iframe causes the victim’s browser to pull the exploit code from a server armed with the exploit toolkit. Upon successful exploitation, a special build of a Trojan, created for the attacker, is being pulled from Golden Cash server. Once installed, the Trojan reports back to the Golden Cash server and the attacker’s account at Golden Cash is credited with currency. The first instruction sent by Golden Cash to the victim’s machine, is to install an FTP-grabber (to steal FTP-credentials). Our research found about 100,000 stolen FTP-credentials on the Golden Cash server. The victim’s machine is now in a pool of infected machines controlled by Golden Cash and being auctioned to other criminals, using a different website for buyers. From time to time, the victim’s machine gets instructions to install malware on behalf of the criminal-customer. The Trojan on the victim machine reports back to Golden Cash on each successful installation of the customer’s malware and the criminal-customer account is charged with currency. The victim machine is back in the ‘available for more infections’ pool.... the botnet spreads using distributors. For each distributor, a special bot build is created. The special build assists the cybercriminal to track the installations of each distributor... Some of the stolen FTP-credentials were used to inject malicious Iframe to the webpages that were stored on the FTP server. The reason for this was to infect more machines and generate organic growth. The C&C server is hosted in Texas, US; the registrant country is China. The “proxy’ website that tunnels traffic to the C&C server is hosted in Krasnodar, Russia."

    (Screenshots available at the URL above.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #36
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down SPAM - from Waledac...

    FYI...

    SPAM - from Waledac...
    - http://www.eset.com/threat-center/blog/?p=1285
    July 7, 2009 - "... After 4th July, we have noticed an increase in the number of emails in circulation, and this week will be even more active. We believe that, like other campaigns, this one will last at least 15 days. However, what many readers may be wondering is why Waledac was “asleep” so many months. The reality is that the Trojan wasn’t spreading at that point. However, the botnet that was built with Waledac, remained as active as ever; working mainly to achieve their most important goal: to send spam. At ESET Latinamerica’s Laboratory, we made some tests to enable us to share information with users that shows the importance of staying uninfected: if my computer is infected with Waledac, how much spam does it send? We infected a computer in the laboratory with one of the Waledac trojans...
    After that, we used a tool to monitor network traffic to see how many emails were sent by the botnet, since the system became infected . We made an initial measurement in 4 stages over a period of one hour (at different times of day), and the results were as follows:
    • Stage 1: between 18:00 and 19:00 hs. 6968 emails were sent
    • Stage 2: between 20:30 and 21:30 hs. 7148 emails were sent
    • Stage 3: between 10:00 and 11:00 hs. 5610 emails were sent
    • Stage 4: Between 13:00 and 14:00 hs. 6568 emails were sent
    Taking the average of emails sent per hour (6548 emails), it is estimated that an infected computer can send about 150,000 emails a day. To be even clearer, that represents nearly two emails per second... If we consider that the network is estimated to consist of at least 20,000 infected computers, it can be seen that the botnet has a theoretical spam-sending capacity of 3 billion emails daily... many users will now understand why their computers work so slowly when their systems are infected..."

    Last edited by AplusWebMaster; 2009-07-09 at 04:41.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #37
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Malware authors exploiting Conficker

    FYI...

    - http://www.techworld.com/security/ne...?newsID=119223
    15 July 2009 - "Creators of Waledac malware have used the Conficker botnet as a tool to spread malware of their own, marking the first time Conficker was made available for hire, according to Cisco. Writing in its mid-yearly security report*, Cisco said that this was symptomatic of a wider trend of malware purveyors using established business practices to expand their illegal enterprises. Cisco likened the arrangement between Waledac and Conficker to a partner ecosystem, a term Cisco uses to describe its collaboration with other vendors. Waledac used the Conficker distribution channel to send spam and to expand its own botnet... Web sites that are infected to download malware to unsuspecting visitors will increase, the report predicted. These sites represent nearly 90 percent of all web-based threats, the report says. Creation of botnets would be a particular goal of this type of malware..."
    * http://www.cisco.com/en/US/prod/vpnd...ty_report.html

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  8. #38
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Botnet money...

    FYI...

    Botnet money...
    - http://www.viruslist.com/en/analysis?pubid=204792068
    July 22, 2009 - "In the past ten years, botnets have evolved from small networks of a dozen PCs controlled from a single C&C (command and control center) into sophisticated distributed systems comprising millions of computers with decentralized control. Why are these enormous zombie networks created? The answer can be given in a single word: money. A botnet, or zombie network, is a network of computers infected with a malicious program that allows cybercriminals to control the infected machines remotely without the users’ knowledge. Zombie networks have become a source of income for entire groups of cybercriminals. The invariably low cost of maintaining a botnet and the ever diminishing degree of knowledge required to manage one are conducive to growth in popularity and, consequently, the number of botnets... Botnet owners or developers who have been prosecuted can be counted on the fingers of two hands. Which is not the case with botnets that are live on the Internet: the number of these has exceeded 3600... Without help from users, combating botnets cannot be effective. It is home computers that make up the lion’s share of the enormous army of bots. Neglecting to stick to simple security rules, such as using antivirus software, using strong account passwords and disabling the AutoPlay feature for removable media, can result in your computer becoming another botnet member, providing cybercriminals with your data and resources..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  9. #39
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Twitter-based botnet command channel

    FYI...

    Twitter-based botnet command channel
    UPDATED TO ADD STATS AND JAIKU PROFILE AND A TUMBLR PROFILE
    - http://asert.arbornetworks.com/2009/...mmand-channel/
    August 13, 2009 - "While digging around I found a botnet that uses Twitter as its command and control structure. Basically what it does is use the status messages to send out new links to contact, then these contain new commands or executables to download and run. It’s an infostealer operation. The account in question is under analysis by Twitter’s security team. I spotted it because a bot uses the RSS feed to get the status updates. As for the original bot in question that fetches the updates, here’s the VirusTotal analysis*, where you can see it’s detected by 19/41 (46.34%) AV tools under evaluation. We can look at the status messages and discover more nefarious activity; the bot’s hiding new malcode which is poorly detected this way. The original link from the malcode came from a ShadowServer nightly link report, which they make available to folks. Many thanks to them...
    UPDATE 14 Aug 2009 - Via bit.ly, some statistics that suggest the malcode has infected a couple hundred PCs, mostly in Brazil..."

    (More detail at the URL above.)

    * http://www.virustotal.com/analisis/6...139-1249801350
    File 40d09b7d94da70ede50866c55f48613c-2358.txt received on 2009.08.09 07:02:30 (UTC)
    Result: 19/41 (46.34%)

    * http://www.virustotal.com/analisis/1...11e-1250187288
    File gbpm.exe received on 2009.08.13 18:14:48 (UTC)
    Result: 9/41 (21.95%)

    - http://www.symantec.com/connect/blog...tering-botnets
    August 14, 2009

    Infostealer.Bancos heatmap
    - http://www.symantec.com/connect/imag...4211/_original

    - http://www.symantec.com/connect/blog...g-and-prophecy
    August 16, 2009 - "... A new variant of this threat has emerged that uses not only Twitter but also another social networking and micro-blogging site Jaiku.com. Symantec detects this Trojan as Downloader.Sninfs.B*. Like the previous variant, Downloader.Sninfs.B also attempts to get URLs from obfuscated Twitter status messages. However, if that attempt fails, the Trojan will use the RSS feed from an account registered on Jaiku .com to obtain the location of remote files..."
    * http://www.symantec.com/business/sec...537-99&tabid=2
    Discovered: August 16, 2009 = "... may be saved as the following files:
    %Temp%\[SET OF RANDOM NUMBERS]\gbpm.exe
    %Temp%\[SET OF RANDOM NUMBERS]\gbpm.dll
    %Temp%\[SET OF RANDOM NUMBERS]\update.exe (copy of gbpm.exe) ..."

    Last edited by AplusWebMaster; 2009-08-17 at 12:50.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  10. #40
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Angry Ilomo botnet - All your info are belong to us

    FYI...

    Ilomo botnet - All your info are belong to us
    - http://blog.trendmicro.com/all-your-...-belong-to-us/
    August 24, 2009 - "... Ilomo has (been) active for several years now, and like Pushdo has done so without attracting too much unwanted attention from the security industry. Like Pushdo, the Ilomo threat is quite modular in nature which makes it difficult to see the actions of the overall threat. Added to this is the fact that it uses a commercial virtual machine obfuscator, significantly adding to the effort involved in reverse engineering the malware binaries. Ilomo has two key components to its business plan. The first is good old fashioned information stealing. Ilomo injects its code into the browser and monitors the internet connection waiting for the user to connect to one of over 4000 banking, financial or webmail sites. Not content with simply stealing the user’s credentials, Ilomo can also “piggyback” on the user’s session – transferring funds from an infected user’s account and making a mockery of the bank’s secure login system. Ilomo will also harvest all other login credentials from the machine – ftp, web servers, local administrators etc. These are then used to spread itself across the network and to take control of web servers online, which it will use to host new versions of the malware... Ilomo ‘s second source of revenue is selling “anonymity as a service”. Every infected Ilomo machine acts as a proxy so that criminals can route their illegal activities through different networks and countries. In addition to hiding the criminals identity this proxy network is very useful for defeating another defense built into many banking sites – namely that they can only be accessed from certain countries. If a criminal needs to access a Brazilian bank, they simply use an infected Ilomo machine in Brazil to route the connection..."

    (Screenshot available at the URL above.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •