Page 1 of 6 12345 ... LastLast
Results 1 to 10 of 52

Thread: Pandemic of the botnets 2010

  1. #1
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Angry Pandemic of the botnets 2010

    FYI...

    Conficker worm - Akamai report
    - http://www.computerworld.com/s/artic...y_Akamai_says?
    January 15, 2010 - "Variants of the Conficker worm were still active and spreading* during the third quarter, accounting for much of attack traffic on the Internet, according to Akamai Technologies... During the third quarter, 78 percent of Internet attacks observed by Akamai targeted port 445, up from 68 percent during the previous quarter. Port 445, which is used by Microsoft Directory Services, is the same port that Conficker targets, aiming to exploit a buffer overflow vulnerability in Windows and infect the targeted computer. Most attacks originated from Russia and Brazil, which replaced China and the U.S., as the top two sources of attack traffic. Russia and Brazil accounted for 13 percent and 8.6 percent of attack traffic, respectively, Akamai said. The U.S., which came in at No. 3, accounted for 6.9 percent of attack traffic and No. 4 China accounted for 6.5 percent..."
    * http://www.confickerworkinggroup.org...Tracking#toc12

    Conficker Working Group
    - http://www.confickerworkinggroup.org/wiki/

    > http://www.team-cymru.org/Monitoring/Graphs/

    - http://blog.trendmicro.com/where-in-...wnadconficker/
    Jan 26, 2010

    Last edited by AplusWebMaster; 2010-01-26 at 19:06.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Pushdo DDoS'ing or Blending In?

    FYI...

    Pushdo DDoS'ing or Blending In?
    - http://www.shadowserver.org/wiki/pmw...endar/20100129
    29 January 2010 - "Is your site on the list we have posted here* or in the table at the bottom of this page? If so you might have noticed a massive uptick in SSL connections to your website over the past week or so. What do I mean by massive? I mean you are likely seeing an unexpected increase in traffic by several million hits spread out across several hundred thousand IP addresses... it seems the Pushdo** botnet recently made changes to its code to cause infected nodes to create junk SSL connections to approximately 315 different websites..."

    * http://www.shadowserver.org/wiki/upl...shdo_sites.txt

    ** http://www.secureworks.com/research/threats/pushdo/

    >>> (More detail at the Shadowserver URL above.)

    (Hundreds) under bizarre SSL assault
    - http://www.theregister.co.uk/2010/01...sl_web_attack/
    29 January 2010 20:55 GMT

    - http://isc.sans.org/diary.html?storyid=8125
    Last Updated: 2010-01-30 11:09:16 UTC

    - http://www.m86security.com/labs/i/Ma...race.1230~.asp
    January 26, 2010

    - http://www.darkreading.com/shared/pr...leID=222600679
    Feb. 1, 2010

    - http://isc.sans.org/diary.html?storyid=8131
    Last Updated: 2010-02-02 15:57:18 UTC

    Last edited by AplusWebMaster; 2010-02-03 at 00:32.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  3. #3
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Post Russian botnet tries to kill rival

    FYI...

    Russian botnet tries to kill rival
    - http://www.computerworld.com/s/artic...to_kill_rival?
    February 9, 2010 - "An upstart Trojan horse program has decided to take on its much-larger rival by stealing data and then removing the malicious program from infected computers. Security researchers say that the relatively unknown [Spy Eye toolkit] added this functionality just a few days ago in a bid to displace its larger rival, known as Zeus. The feature, called "Kill Zeus," apparently removes the Zeus software from the victim's PC, giving Spy Eye exclusive access to usernames and passwords. Zeus and Spy Eye are both Trojan-making toolkits, designed to give criminals an easy way to set up their own "botnet" networks of password-stealing programs. These programs emerged as a major problem in 2009, with the U.S. Federal Bureau of Investigation estimating last October that they have caused $100 million in losses. Trojans such as Zeus and Spy Eye steal online banking credentials..."

    - http://www.theregister.co.uk/2010/02..._bots_vs_zeus/
    9 February 2010

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  4. #4
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down E-mail malware prolific

    FYI...

    E-mail malware prolific
    - http://www.theregister.co.uk/2010/02...botnet_trends/
    17 February 2010 - "... the Lethic botnet*** has returned from the grave since it was decapitated by the combined efforts of security firms and ISPs in early January... Symantec warned** on Wednesday about a new targeted email attack designed to seed agents of the Cutwail botnet on corporate systems. Botnet clients offer a handy tool for information stealing and launching denial of service attacks, as well as distributing spam. A recent study by net security firm Damballa ranks the ten worst botnets by number of infections within enterprise networks. This survey* rates the infamous ZeuS spyware agent as the greatest menace to corporate security, with the Koobface worm, which spreads via messages on social networks, a close second."
    * http://blog.damballa.com/?p=569
    February 16, 2010

    ** http://www.symantec.com/connect/blog...edolab-malware
    February 17, 2010

    *** http://www.m86security.com/labs/i/Le...race.1241~.asp
    February 16, 2010

    - http://urgentcomm.com/networks_and_s...hreats-201002/
    Feb 1, 2010 - "... the black market for corporate information is now worth more than the international drug trade, and these thieves' practices have become a sophisticated operation that often involves hiring affiliates willing to install malicious software on thousands of devices for as much as $100 per device..."

    Last edited by AplusWebMaster; 2010-02-18 at 10:54.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #5
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down ZeuS infections rampant...

    FYI...

    ZeuS infects nearly 2,500 companies...
    - http://online.wsj.com/article/SB1000...834150536.html
    FEBRUARY 17, 2010 - "Hackers in Europe and China successfully broke into computers at nearly 2,500 companies and government agencies over the last 18 months in a coordinated global attack that exposed vast amounts of personal and corporate secrets to theft, according to a computer-security company that discovered the breach... Starting in late 2008, hackers operating a command center in Germany got into corporate networks by enticing employees to click on contaminated Web sites, email attachments or ads purporting to clean up viruses, NetWitness found. In more than 100 cases, the hackers gained access to corporate servers that store large quantities of business data, such as company files, databases and email. They also broke into computers at 10 U.S. government agencies... The computers were infected with spyware called ZeuS, which is available free on the Internet in its basic form... Evidence suggests an Eastern European criminal group is behind the operation, likely using some computers in China because it's easier to operate there without being caught...There are some electronic fingerprints suggesting the same group was behind a recent effort to dupe government officials and others into downloading spyware via emails purporting to be from the National Security Agency and the U.S. military..."

    - http://www.theregister.co.uk/2010/02...e_hack_attack/
    18th February 2010 - "... The infections by a variant of the Zeus botnet began in late 2008 and have turned more than 74,000 PCs into remote spying platforms that have siphoned highly proprietary information out of at least 10 federal agencies and thousands of companies... The researchers were also surprised to find the infected machines working hand-in-hand with malware that's generally considered to rival Zeus. More than half of the compromised PCs were also infected by Waledac..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #6
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs up Waledac decapitated...

    FYI...

    Waledac decapitated...
    - http://www.theregister.co.uk/2010/02...edac_takedown/
    25 February 2010 - "Microsoft has won a court-issued take-down order against scores of domains associated with controlling the spam-spewing Waledac botnet. The software giant's order allows the temporary cut-off of traffic to -277- Internet domains that form command and control nodes for the network of compromised machines. Infected (zombie) machines are programmed to regularly poll these control points for instructions and spam templates. The .com domains, registered in China, will be sin-binned by VeriSign, at least temporarily decapitating the network..."

    Waledac Tracker Summary Data
    - http://www.sudosecure.net/waledac/index.php

    - http://microsoftontheissues.com/cs/b...n-botnets.aspx
    24 February 2010

    - http://www.shadowserver.org/wiki/pmw...endar/20100324
    24 March 2010 - "... while Waledac was not the *worst* or "spammiest" botnet out there, this effort was not in vain. Success is not measured in the percentage of spam reduced over a weeks time. Success in this arena is in the advancement of the 'arsenal' and in breaking new ground in the analysis and disruption of 'notorious' botnets, no matter how they're defined "

    Last edited by AplusWebMaster; 2010-03-25 at 04:31.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #7
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs up Mariposa botnet takedown

    FYI...

    Mariposa botnet takedown
    - http://www.theregister.co.uk/2010/03...bust_analysis/
    3 March 2010 - "... Defence Intelligence teamed up with academics at Georgia Tech Information Security Center and security experts at PandaLabs and law enforcement to form the Mariposa Working Group in order to eradicate the botnet and bring the perpetrators to justice. The Mariposa Working Group infiltrated the command-and-control structure of Mariposa to monitor the communication channels that relayed information from compromised systems back to the hackers who run the botnet. Analysis of the command system laid the groundwork for the December 2009 shutdown of the botnet, as well as shedding light on how the malware operated and provided a snapshot of the current state of the underground economy. Mariposa (Spanish for butterfly) bonnet malware spread via P2P networks, infected USB drives, and via MSN links that directed surfers to infected websites. Once infected by the Mariposa bot client, exposed machines would have various strains of malware installed (advanced keyloggers, banking trojans like Zeus, remote access trojans, etc) by the hackers to obtain greater control of compromised systems. The botmasters made money by selling parts of the botnet to other cybercrooks, installing pay-per-install toolbars, selling stolen credentials for online services and laundering stolen bank login credentials and credit card details via an international network of money mules. Search engine manipulation and serving pop-up ads was also part of the illegal business model behind the bonnet... when the December shutdown operation happened, the gang’s leader, alias Netkairo, panicked in his efforts to regain control of the botnet. Netkairo made the fatal error of connecting directly from his home computer instead of using the VPN, leaving a trail of digital fingerprints that led to a series of arrests two months later. A blog post by Panda Software* explains what happened next..."
    * http://pandalabs.pandasecurity.com/mariposa-botnet/
    03/3/10 - "In May 2009, Defence Intelligence announced the discovery of a new botnet, dubbed “Mariposa”. This discovery was followed by months of investigation, aimed at bringing down the criminal network behind what was to become one of the largest botnets on record... Netkairo finally regained control of Mariposa and launched a denial of service attack against Defence Intelligence using all the bots in his control. This attack seriously impacted an ISP, leaving numerous clients without an Internet connection for several hours, including several Canadian universities and government institutions. Once again, the Mariposa Working Group managed to prevent the DDP Team from accessing Mariposa. We changed the DNS records, so the bots could not connect to the C&C servers and receive instructions, and at that moment we saw exactly how many bots were reporting. We were shocked to find that more than 12 million IP addresses were connecting and sending information to the C&C servers, making Mariposa one of the largest botnets in history. On February 3, 2010, the Spanish Civil Guard arrested Netkairo. After the arrest of this 31-year-old Spaniard, police seized computer material that led to the capture of another two Spanish members of the gang: J.P.R., 30, a.k.a. “jonyloleante”, and J.B.R., 25, a.k.a. “ostiator”. Both of them were arrested on February 24, 2010. Victims of Mariposa include home users, companies, government agencies and universities in more than 190 countries..."

    - http://blogs.technet.com/mmpc/archiv...sa-botnet.aspx
    March 04, 2010

    - http://blog.trendmicro.com/mariposa-...tors-captured/
    March 04, 2010

    Mariposa stats
    - http://pandalabs.pandasecurity.com/mariposa-stats/
    03/10/10

    Last edited by AplusWebMaster; 2010-03-16 at 19:23.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  8. #8
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Wiseguys botnet...

    FYI...

    Wiseguys botnet...
    - http://www.avertlabs.com/research/bl...sports-tickets
    March 5, 2010 - "... This week, a federal judge in Newark, New Jersey, revealed the latest use of a botnet-like network with a CAPTCHA breaker. In this case, the computers overseen by the defendants were used to buy seats for high-profile concerts and sports events from ticket sellers’ websites. The defendents later allegedly resold the tickets on Internet at much higher prices. According to the indictment*, the distributed software was developed by some programmer accomplices in Bulgaria... Unlike botnets we frequently encounter, this one was set up on dedicated computers designed solely for this purpose. The botnet purchased more than 1.5 million premium tickets to events from late 2002 to about January 2009, making a profit estimated at $28.9 million. The employees, contractors, and defendants behind this rip-off are known as the “Wiseguys,” based on the name of the Nevada corporation they created (Wiseguy Tickets, Inc.). The Wiseguys botnet was a nationwide network of computers used to purchase thousands of tickets within minutes. The botnet:
    • Monitored the online ticket vendors’ websites for the exact moment that tickets to popular events went on sale
    • Opened thousands of connections at the instant that tickets went on sale
    • Defeated the CAPTCHA challenge in a fraction of a second (a human needs five to ten seconds), thus speeding ahead of legitimate buyers
    • Supervised by Wiseguys employees, prepared lists of hundreds of the best tickets almost instantly
    • Filled in all the fields necessary to complete the purchases, including customer credit card information and false e-mail addresses..."
    * http://media.nj.com/ledgerupdates_im...0-%20Filed.pdf

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  9. #9
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Unhappy Zeus botnet C&C - partial takedown

    FYI...

    Zeus botnet C&C - partial takedown
    - http://www.theregister.co.uk/2010/03...zeus_takedown/
    10 March 2010 - "At least a quarter of the command and control servers linked to Zeus-related botnets have suddenly gone quiet, continuing a recent trend of takedowns hitting some of the world's most nefarious cyber operations. The massive drop is the result of actions taken by two Eastern European network providers. On Tuesday, they pulled the plug on their downstream customers, including an ISP known as Troyak, according to Mary Landesman, a senior researcher with ScanSafe, a web security firm recently acquired by Cisco Systems. That in turn severed the connections of servers used to control large numbers of computers infected by a do-it-yourself crime kit known as Zeus. Landesman said she was able to confirm figures provided by Zeus Tracker that found the number of active control servers related to Zeus had dropped from 249 to 181. The takedown came on Tuesday around 10:22 am GMT and was heralded by a sudden drop off in the number of malware attacks ScanSafe blocks from affected IP addresses. The takedown is the result of two network service providers, Ukraine-based Ihome and Russia-based Oversun Mercury, severing their ties with Troyak, said Landesman, who cited data returned by Robotex.com. The move meant that all the ISP's customers, law-abiding or otherwise, were immediately unable to connect to the outside world..."

    - http://www.krebsonsecurity.com/2010/...ocked-offline/
    March 10, 2010 - "... Update, 4:36 p.m. ET: Sadly, it appears that Troyak — the Internet provider that played host to all these ZeuS-infested networks that got knocked offline yesterday — has since found another upstream provider to once again connect it to the rest of the Internet..."

    - http://www.abuse.ch/?p=2417
    March 11, 2010 - "... now being routed by RTCOMM-AS (AS8342 RTComm.RU), located in Russia..."
    *** UPDATE 2010-03-11 21:30 (UTC) - "Bad news: Since Troyak started their peering with RTCOM-AS, the number of active ZeuS C&C servers has increased from 149 -up- to 191..."
    *** UPDATE 2010-03-12 11:10 (UTC) ***
    Another update: Troyak has changed their upstream provider again and is now being routed by NLINE-AS (AS25189 – JSC Nline)...
    - http://www.google.com/safebrowsing/d...?site=AS:25189

    AS:25189
    - http://stopbadware.org/reports/asn/25189
    AS:8342
    - http://stopbadware.org/reports/asn/8342

    - http://www.google.com/safebrowsing/d...c?site=AS:8342
    "... 1229 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... last time suspicious content was found was on 2010-03-12... 52 site(s) on this network... appeared to function as intermediaries for the infection of 199 other site(s)... 78 site(s)... that infected 1594 other site(s)..."

    - http://www.cio.com/article/572813/Af...yak_Resurfaces

    Last edited by AplusWebMaster; 2010-03-12 at 15:32.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  10. #10
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Pushdo cracks captchas at MS Hotmail/Live.com/MSN webmail

    FYI...

    Pushdo cracks captchas at MS Hotmail/Live.com/MSN webmail
    - http://blog.webroot.com/2010/03/22/p...udio-captchas/
    March 22, 2010 - "A new version of Trojan-Pushu is doing some interesting stuff to bypass captchas used by Microsoft’s Hotmail/Live.com/MSN webmail services in order to spam people with links to malicious Yahoo Groups pages. The three-year-old spy (known by a variety of other aliases, including Cutwail, Pushdo, Diehard, and Rabbit) has always been, primarily, a spam bot. In this case, however, the spy is not sending spam by connecting to open mail relays or more traditional means; It’s spamming through the Hotmail/Live.com Web mail interface... during the course of the spam sessions, the spy apparently pulls down “audio captchas” and successfully sends back the correct response, which permits it to continue spamming... The spam emails themselves are short, written by someone who doesn’t have a strong grasp of English grammar..."

    (Screenshots available at the URL above.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •