Thread: Pandemic of the botnets 2010

  1. #1
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Pandemic of the botnets 2010

    FYI...

    Conficker worm - Akamai report
    - http://www.computerworld.com/s/artic...y_Akamai_says?
    January 15, 2010 - "Variants of the Conficker worm were still active and spreading* during the third quarter, accounting for much of attack traffic on the Internet, according to Akamai Technologies... During the third quarter, 78 percent of Internet attacks observed by Akamai targeted port 445, up from 68 percent during the previous quarter. Port 445, which is used by Microsoft Directory Services, is the same port that Conficker targets, aiming to exploit a buffer overflow vulnerability in Windows and infect the targeted computer. Most attacks originated from Russia and Brazil, which replaced China and the U.S., as the top two sources of attack traffic. Russia and Brazil accounted for 13 percent and 8.6 percent of attack traffic, respectively, Akamai said. The U.S., which came in at No. 3, accounted for 6.9 percent of attack traffic and No. 4 China accounted for 6.5 percent..."
    * http://www.confickerworkinggroup.org...Tracking#toc12

    Conficker Working Group
    - http://www.confickerworkinggroup.org/wiki/

    > http://www.team-cymru.org/Monitoring/Graphs/

    - http://blog.trendmicro.com/where-in-...wnadconficker/
    Jan 26, 2010

    Last edited by AplusWebMaster; 2010-01-26 at 18:06.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2
    Adviser Team AplusWebMaster's Avatar

    Pushdo DDoS'ing or Blending In?

    FYI...

    Pushdo DDoS'ing or Blending In?
    - http://www.shadowserver.org/wiki/pmw...endar/20100129
    29 January 2010 - "Is your site on the list we have posted here* or in the table at the bottom of this page? If so you might have noticed a massive uptick in SSL connections to your website over the past week or so. What do I mean by massive? I mean you are likely seeing an unexpected increase in traffic by several million hits spread out across several hundred thousand IP addresses... it seems the Pushdo** botnet recently made changes to its code to cause infected nodes to create junk SSL connections to approximately 315 different websites..."

    * http://www.shadowserver.org/wiki/upl...shdo_sites.txt

    ** http://www.secureworks.com/research/threats/pushdo/

    >>> (More detail at the Shadowserver URL above.)

    (Hundreds) under bizarre SSL assault
    - http://www.theregister.co.uk/2010/01...sl_web_attack/
    29 January 2010 20:55 GMT

    - http://isc.sans.org/diary.html?storyid=8125
    Last Updated: 2010-01-30 11:09:16 UTC

    - http://www.m86security.com/labs/i/Ma...race.1230~.asp
    January 26, 2010

    - http://www.darkreading.com/shared/pr...leID=222600679
    Feb. 1, 2010

    - http://isc.sans.org/diary.html?storyid=8131
    Last Updated: 2010-02-02 15:57:18 UTC

    Last edited by AplusWebMaster; 2010-02-02 at 23:32.

  3. #3
    Adviser Team AplusWebMaster's Avatar

    Russian botnet tries to kill rival

    FYI...

    Russian botnet tries to kill rival
    - http://www.computerworld.com/s/artic...to_kill_rival?
    February 9, 2010 - "An upstart Trojan horse program has decided to take on its much-larger rival by stealing data and then removing the malicious program from infected computers. Security researchers say that the relatively unknown [Spy Eye toolkit] added this functionality just a few days ago in a bid to displace its larger rival, known as Zeus. The feature, called "Kill Zeus," apparently removes the Zeus software from the victim's PC, giving Spy Eye exclusive access to usernames and passwords. Zeus and Spy Eye are both Trojan-making toolkits, designed to give criminals an easy way to set up their own "botnet" networks of password-stealing programs. These programs emerged as a major problem in 2009, with the U.S. Federal Bureau of Investigation estimating last October that they have caused $100 million in losses. Trojans such as Zeus and Spy Eye steal online banking credentials..."

    - http://www.theregister.co.uk/2010/02..._bots_vs_zeus/
    9 February 2010

  4. #4
    Adviser Team AplusWebMaster's Avatar

    E-mail malware prolific

    FYI...

    E-mail malware prolific
    - http://www.theregister.co.uk/2010/02...botnet_trends/
    17 February 2010 - "... the Lethic botnet*** has returned from the grave since it was decapitated by the combined efforts of security firms and ISPs in early January... Symantec warned** on Wednesday about a new targeted email attack designed to seed agents of the Cutwail botnet on corporate systems. Botnet clients offer a handy tool for information stealing and launching denial of service attacks, as well as distributing spam. A recent study by net security firm Damballa ranks the ten worst botnets by number of infections within enterprise networks. This survey* rates the infamous ZeuS spyware agent as the greatest menace to corporate security, with the Koobface worm, which spreads via messages on social networks, a close second."
    * http://blog.damballa.com/?p=569
    February 16, 2010

    ** http://www.symantec.com/connect/blog...edolab-malware
    February 17, 2010

    *** http://www.m86security.com/labs/i/Le...race.1241~.asp
    February 16, 2010

    - http://urgentcomm.com/networks_and_s...hreats-201002/
    Feb 1, 2010 - "... the black market for corporate information is now worth more than the international drug trade, and these thieves' practices have become a sophisticated operation that often involves hiring affiliates willing to install malicious software on thousands of devices for as much as $100 per device..."

    Last edited by AplusWebMaster; 2010-02-18 at 09:54.

  5. #5
    Adviser Team AplusWebMaster's Avatar

    ZeuS infections rampant...

    FYI...

    ZeuS infects nearly 2,500 companies...
    - http://online.wsj.com/article/SB1000...834150536.html
    FEBRUARY 17, 2010 - "Hackers in Europe and China successfully broke into computers at nearly 2,500 companies and government agencies over the last 18 months in a coordinated global attack that exposed vast amounts of personal and corporate secrets to theft, according to a computer-security company that discovered the breach... Starting in late 2008, hackers operating a command center in Germany got into corporate networks by enticing employees to click on contaminated Web sites, email attachments or ads purporting to clean up viruses, NetWitness found. In more than 100 cases, the hackers gained access to corporate servers that store large quantities of business data, such as company files, databases and email. They also broke into computers at 10 U.S. government agencies... The computers were infected with spyware called ZeuS, which is available free on the Internet in its basic form... Evidence suggests an Eastern European criminal group is behind the operation, likely using some computers in China because it's easier to operate there without being caught...There are some electronic fingerprints suggesting the same group was behind a recent effort to dupe government officials and others into downloading spyware via emails purporting to be from the National Security Agency and the U.S. military..."

    - http://www.theregister.co.uk/2010/02...e_hack_attack/
    18th February 2010 - "... The infections by a variant of the Zeus botnet began in late 2008 and have turned more than 74,000 PCs into remote spying platforms that have siphoned highly proprietary information out of at least 10 federal agencies and thousands of companies... The researchers were also surprised to find the infected machines working hand-in-hand with malware that's generally considered to rival Zeus. More than half of the compromised PCs were also infected by Waledac..."

  6. #6
    Adviser Team AplusWebMaster's Avatar

    Waledac decapitated...

    FYI...

    Waledac decapitated...
    - http://www.theregister.co.uk/2010/02...edac_takedown/
    25 February 2010 - "Microsoft has won a court-issued take-down order against scores of domains associated with controlling the spam-spewing Waledac botnet. The software giant's order allows the temporary cut-off of traffic to -277- Internet domains that form command and control nodes for the network of compromised machines. Infected (zombie) machines are programmed to regularly poll these control points for instructions and spam templates. The .com domains, registered in China, will be sin-binned by VeriSign, at least temporarily decapitating the network..."

    Waledac Tracker Summary Data
    - http://www.sudosecure.net/waledac/index.php

    - http://microsoftontheissues.com/cs/b...n-botnets.aspx
    24 February 2010

    - http://www.shadowserver.org/wiki/pmw...endar/20100324
    24 March 2010 - "... while Waledac was not the *worst* or "spammiest" botnet out there, this effort was not in vain. Success is not measured in the percentage of spam reduced over a weeks time. Success in this arena is in the advancement of the 'arsenal' and in breaking new ground in the analysis and disruption of 'notorious' botnets, no matter how they're defined "

    Last edited by AplusWebMaster; 2010-03-25 at 03:31.
