
Thread: Pandemic of the botnets 2010

  1. #11
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    TT-Bot + ZeuS + BlackEnergy botnets...

    FYI...

    TT-Bot DDoS Bot Analysis
    - http://asert.arbornetworks.com/2010/...-bot-analysis/
    April 1, 2010 - "We recently spotted this family in our malware zoo, another HTTP DDoS bot. This one’s identifying mark is the string “User-Agent: TT-Bot 1.0.0” in the client requests. We do not know if this is a kit; this one appears to be in limited use. We have not explored the server-side of it... Static analysis suggests that the code is written in MS VB 6... At this time this botnet is still live and issuing commands. We do not know how big this botnet is."

    ZeuS banking trojan botnet
    - http://www.secureworks.com/research/threats/zeus/
    March 11, 2010 - "... ZeuS is a well-known banking Trojan horse program, also known as crimeware. This trojan steals data from infected computers via web browsers and protected storage. Once infected, the computer sends the stolen data to a bot command and control (C&C) server, where the data is stored... ZeuS has evolved over time and includes a full arsenal of information stealing capabilities... observed other ZeuS databases for sale on various underground black markets. Their size is typically over 10GB, which is a botnet of approximately 23,000 infected computers (bots)... "

    BlackEnergy botnet
    - http://www.forbes.com/2010/03/03/cyb...nks_print.html
    03.03.10 - "... Secureworks issued a report describing a new cybercriminal group that aims a one-two punch at banks. First it collects banking customers' passwords using a variation of the so-called BlackEnergy software, which has infected thousands of computers worldwide to create a "botnet" of hijacked machines. The machines use the collected passwords to move funds into the hackers' accounts, and then typically delete files from the user's computer to cover their tracks. But what follows that fraud is an unlikely step: a cyberattack known as a "distributed denial-of-service," using a flood of data requests from the infected computers to take down the company's online banking service. "The same botnet that's being used to steal money from banks is launching these denial-of-service attacks on them," says Secureworks* researcher Joe Stewart..."
    * http://www.secureworks.com/research/.../blackenergy2/
    March 3, 2010 - "BlackEnergy, a popular DDoS Trojan, gained notoriety in 2008 when it was reported to have been used in the cyber attacks launched against the country of Georgia in the Russia/Georgia conflict. BlackEnergy was authored by a Russian hacker. A comprehensive analysis* of the version of BlackEnergy circulating at the time was done in 2007 by Arbor Networks... There is no distinct antivirus trojan family name that corresponds to the BE2 dropper or rootkit driver. Antivirus engines that detect it either label it with a generic name, or as another trojan - most often it is mis-identified as "Rustock.E", another rootkit trojan from a different malware family. The BlackEnergy rootkit does share some techniques in common with the Rustock rootkit..."
    * http://atlas-public.ec2.arbor.net/do...t+Analysis.pdf
    "... HTTP-based botnet used primarily for DDoS attacks..."

    - http://blogs.forbes.com/firewall/201...t-malware-now/
    March 30, 2010

    Last edited by AplusWebMaster; 2010-04-02 at 04:20.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
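    The Arbor note above says the only identifying mark of TT-Bot is its User-Agent string. As an added illustration (not code from the thread or from Arbor), here is a small defender-side script that scans web server access log lines in Apache "combined" format, counts requests whose User-Agent carries that marker, and flags source addresses whose per-second request rate looks like an HTTP flood. The log lines, the 192.0.2.x / 198.51.100.x addresses and the flood threshold are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Marker quoted in the Arbor write-up; in an access log only the
# header value appears, not the "User-Agent:" prefix.
TTBOT_UA = "TT-Bot 1.0.0"

# Apache/nginx "combined" format: client, ident, user, [timestamp],
# "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; return None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyze(lines, flood_threshold=3):
    """Return (bot_hits, flooders).

    bot_hits: Counter of requests per client IP whose UA contains TTBOT_UA.
    flooders: set of client IPs that sent >= flood_threshold requests in
              any single second (the log has one-second resolution).
    """
    bot_hits = Counter()
    per_second = defaultdict(Counter)  # ip -> {timestamp: count}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash
        if TTBOT_UA in rec["ua"]:
            bot_hits[rec["ip"]] += 1
        per_second[rec["ip"]][rec["ts"]] += 1
    flooders = {ip for ip, secs in per_second.items()
                if max(secs.values()) >= flood_threshold}
    return bot_hits, flooders


# Constructed sample log: three same-second hits from one bot, one hit
# from a second bot, one ordinary browser request, and one junk line.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Apr/2010:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "TT-Bot 1.0.0"
192.0.2.10 - - [01/Apr/2010:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "TT-Bot 1.0.0"
192.0.2.10 - - [01/Apr/2010:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "TT-Bot 1.0.0"
192.0.2.11 - - [01/Apr/2010:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "TT-Bot 1.0.0"
198.51.100.7 - - [01/Apr/2010:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"
not a log line
""".splitlines()

if __name__ == "__main__":
    hits, floods = analyze(SAMPLE_LOG)
    print("TT-Bot hits per IP:", dict(hits))
    print("Flooding IPs:", sorted(floods))
```

    The rate check is independent of the UA match on purpose: a bot family that changes its User-Agent string still shows up in the per-second counts.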

  2. #12

    Koobface spreads on Facebook and Twitter

    FYI...

    Koobface spreads on Facebook and Twitter
    - http://www.theregister.co.uk/2010/04...face_takedown/
    23 April 2010 - "Security experts in Hong Kong last week succeeded in taking down a key component of the Koobface botnet, only to witness the system popping up in China. The Koobface FTP grabber component uploaded stolen FTP user names and passwords to the remote server, which was under the control of cybercrooks... In response, the Koobface gang moved their server to a hosting firm in China. Last month the command and control servers associated with Koobface underwent a complete refresh... Koobface spreads via messages on social networking sites like Facebook and Twitter. Cybercrooks behind the sophisticated malware make their money by distributing scareware packages onto compromised machines, and by other cyberscams, including information harvesting. The worm gets less press than the malware associated with the Google China attacks or the high-profile Conficker worm, though experts consider it both more sophisticated and a bigger security threat..."
    * http://blog.trendmicro.com/koobface-...ting-to-china/


  3. #13

    New ZeuS variants

    FYI...

    New ZeuS variants
    - http://blog.trendmicro.com/at-a-glan...zeus-variants/
    Apr. 26, 2010 - "... Given the vast number of toolkit versions readily available in the underground, the features ZeuS possesses continue to thwart both antivirus and other security solutions as well as the efforts made by the security industry. This time, the malware upholds its notorious reputation with a new version related to previous detections TSPY_ZBOT.CRM and TSPY_ZBOT.CQJ. ZBOT variants steal account credentials when users visit various social networking, online shopping, and bank-related websites. They have rapidly become popular tools for cybercriminals to use, thanks to exceptional information-stealing routines and rootkit capabilities, which allow them to stay stealthy and to affect users’ systems without their knowledge. Current ZBOT variants use fixed file names (both for their executable and component files). The file names may vary from one ZBOT version but they are recognized by security analysts. This is not the case for the new ZBOT variants seen above. Instead of using prespecified names, both TSPY_ZBOT.CRM and TSPY_ZBOT.CQJ use random names for the files and directories they create. In addition, ZBOT now injects its code into the Explorer process, something that previous variants did not do. Both of these attempts by cybercriminals to lessen the profile of ZBOT are in response to the malware family’s notoriety, which means that ZBOT malware are now becoming somewhat easier to detect. The under-the-hood changes to the ZBOT variants are, if anything, more significant. These new ZBOT variants inject themselves into the following processes:
    * ctfmon.exe
    * explorer.exe
    * rdpclip.exe
    * taskeng.exe <<
    * taskhost.exe <<
    * wscntfy.exe
    From this list, we can see that the new ZBOT version now “features” support for both Windows Vista and Windows 7. Taskeng.exe and Taskhost.exe are processes both found in Windows Vista and Windows 7 though neither were found in older versions such as Windows XP..."


  4. #14

    ZeuS/ZBOT tries out file infection

    FYI...

    ZeuS/ZBOT tries out file infection
    - http://blog.trendmicro.com/zeuszbot-...ile-infection/
    Apr. 27, 2010 - "ZeuS/ZBOT is best known for its information-stealing routines via the use of configuration files downloaded from their home sites... Cybercriminals have thus tried utilizing drive-by downloads, spammed messages, worm propagation, and many more ways. This time, they are trying out file infection. The malware detected by Trend Micro as PE_ZBOT.A injects code into target files and modifies its entry point to redirect to its code. This allows the malware to run its code whenever the infected file is executed. It then attempts to connect to the remote sites from which it downloads and executes malicious files that allow it to steal information from an affected system. The downloaded files are detected as TROJ_KRAP.SMDA and TSPY_ZBOT.SMAP. Once it completes its routine, it returns control of the affected system to its host file. This only shows that cybercriminals are continuously finding new ways to make sure they do not go out of business. The best way to protect one’s system is to be aware of the many techniques cybercriminals use and to keep security solutions and other pertinent applications patched and up-to-date."


  5. #15

    Storm botnet 2.0...

    FYI...

    Storm botnet 2.0...
    - http://www.theregister.co.uk/2010/04...otnet_returns/
    27 April 2010 - "After blowing itself out 18 months ago, the notorious Storm botnet is back, researchers from CA said Tuesday. Storm - once responsible for churning out 20 percent of the world's spam - started to peter out in September 2007, when Microsoft targeted it through the Malicious Software Removal Tool. Some 274,372 demonized PCs were exorcised during the first month alone... CA has identified three variants of Storm that at time of writing were detected by 26, 25 and 24 of the top 41 anti-virus products. CA's writeup is here*."
    - http://www.virustotal.com/analisis/9...20a-1272369992
    File asam.exe received on 2010.04.27 12:06:32 (UTC)
    Result: 26/40 (65.00%)
    - http://www.virustotal.com/analisis/9...a44-1271938070
    File asam.exe.000 received on 2010.04.22 12:07:50 (UTC)
    Result: 25/40 (62.50%)
    - http://www.virustotal.com/analisis/0...37d-1272328532
    File asam.exe received on 2010.04.27 00:35:32 (UTC)
    Result: 24/40 (60.00%)

    * http://community.ca.com/blogs/securi...torm-worm.aspx
    April 26 2010 - "... beware of these kind of spam emails... spam-generating campaign distributes the following:
    * Bogus Online Pharmacy Spam Emails
    * Impotency related Spam Emails
    * Adult Dating Spam Emails
    * Celebrity Scandals Spam Emails
    ..."

    - http://krebsonsecurity.com/2010/04/i...es-a-comeback/
    April 28, 2010

    - http://sunbeltblog.blogspot.com/2010...ba-a-a-ck.html
    April 28, 2010 - "... the new botware uses the same configuration file (C:\WINDOWS\herjek.config) as Storm... new version, however uses an HTTP-based command-and-control channel instead of peer-to-peer..."

    Last edited by AplusWebMaster; 2010-04-29 at 02:06.

  6. #16

    Botnets battle for digital real estate

    FYI...

    Botnets battle for digital real estate
    - http://www.fortinet.com/press_releases/100503.html
    May 3, 2010 - "... April 2010 Threatscape report* showed high activity from multiple botnets, namely Gumblar and Sasfis. While Gumblar remained in the No. 1 position in Fortinet's Top 10 Network Attacks list, the Sasfis botnet ranking was bolstered by two of its executables prevalent in Fortinet's Antivirus Top 10 listing. Like Bredolab, Sasfis is a botnet loader that reports statistics and retrieves/executes files upon check-in. However, Sasfis differs since it is newer and does not employ encryption (all communications are sent through HTTP unencrypted). Nonetheless, Sasfis continues to spread aggressively and typically loads banking trojans among other malicious files... Additional key threat activities for the month of April include:
    • Microsoft vulnerabilities...
    • Adobe Acrobat vulnerabilities...
    • Ransomware and Scareware still top virus detection...
    • Cutwail spambot leveraged for money mule recruitment..."

    * http://www.fortiguard.com/report/rou...pril_2010.html


  7. #17

    ISS - aftermath of doc.pdf, statistics, payload, and spam

    FYI...

    ISS - aftermath of doc.pdf, statistics, payload, and spam
    - http://blogs.iss.net/archive/aftermathofdocpdf.html
    May 03, 2010 - "It looks like the onslaught of spam email containing doc.pdf is mostly behind us... At the peak of the attacks, we received 85,000+ alerts in a single day; even if the attacker was successful at a 10% rate of infection, that’s easily 8500 infections. This is not even considering the amount of these attacks worldwide, which would be assumed in the millions... The SPAM email was sent from various SMTP servers globally, which appears to be originating from a botnet looking to expand its troops... yet another potentially huge Zeus/Zbot botnet was created or expanded all through spam email. Zeus is a force to be reckoned with, its expanding and updated code base now into version 2.0. Zeus version 2.0 has new infection measures, new encryption, Windows 7 support and a long list of new features. The evolving threat is not going away anytime soon, so we must all remain vigilant in protecting our networks."


  8. #18

    SPAM botnet activity - last week

    FYI...

    SPAM botnet activity - last week
    - http://www.m86security.com/labs/i/Ca...race.1316~.asp
    May 5, 2010 - "... Other than Mega-D and Maazben which exclusively spam out links to Canadian Pharmacy and Casino websites respectively, the top spam botnets promote a range of brands. This could either be because the botnet controllers belong to multiple affiliate programs or because they rent out spamming capacity to different people who are affiliates trying to promote their chosen brand... top six affiliate brands, promoted in 90 percent of spam in the last week, was sent by the top spam botnets. Some of the botnets involved in sending this stuff have a huge amount of spamming capacity, like Rustock which is currently sending around 40 percent of the spam we see. As such, botnet operators have the ability to greatly influence the market shares of affiliate programs simply by changing their spam templates..."

    (Charted/available at the URL above.)


  9. #19

    Zbot/ZeuS - cybercriminals on the offensive

    FYI...

    Zbot/ZeuS - cybercriminals on the offensive
    - http://www.securelist.com/en/analysi...ation_begins#2
    29 Apr 2010 Kaspersky Lab - "... More and more frequently these days, we hear about successful attacks perpetrated by the cybercriminals against the clients of financial organizations... One recent classic example comes from the Zbot-toolkit family, which is also known as ZeuS... widespread geographic diversity ensures the longevity of the botnet. As recent practice has shown, the botnet cannot be destroyed by merely closing down a few of the hosting sites. On 9 March... ZeuS Tracker noticed an abrupt decrease in the number of control centers and saw that it correlated with the disconnection of an Internet Service Provider by the name of Troyak... Troyak found a new teleservices provider and by 13 March the number of control centers had increased to more than 700 again... These botnets act as greenhouses for the propagation of financial malware. It is with this kind of malware that the cybercriminals steal users’ money most readily, and they are constantly finding new victims. The numbers clearly show an increase in the quantity of malicious programs targeting the clients of banks and other financial organizations over the past few years... Without state support very little will ever be accomplished in the fight against cybercrime. The problem will remain unresolved until such times that effective and efficient mechanisms exist for the necessary communication and interaction to take place between the relevant authorities."

    (More detail and graphs available at the URL above.)


  10. #20

    Avalanche botnet - TROYAK-AS connection

    FYI...

    Avalanche botnet - TROYAK-AS connection...
    - http://ddanchev.blogspot.com/2010/05...troyak-as.html
    May 13, 2010 - "According to the latest APWG Global Phishing Survey*:
    '... by mid-2009, phishing was dominated by one player as never before: the Avalanche phishing operation. This criminal entity is one of the most sophisticated and damaging on the Internet, and perfected a mass-production system for deploying phishing sites and "crimeware" - malware designed specifically to automate identity theft and facilitate unauthorized transactions from consumer bank accounts. Avalanche was responsible for two-thirds (66%) of all phishing attacks launched in the second half of 2009...'
    The Avalanche botnet's ecosystem is described by PhishLabs** as:
    'Cutwail aka PushDo is a spamming trojan being used to send out massive amounts of spam with links (or lures) to phishing pages or pages that ask the users to download and run programs. Those programs invariably turn out to be instances of the Zeus/ZBot/WNSPOEM banking Trojan. There are also unrelated criminals that also use Zeus Trojans to steal online banking information that are not related to this set of scams. The Avalanche botnet is the middle-step between the spamming botnet and Trojans that steal banking information...'
    One of the most notable facts about the botnet is their persistent interaction with the TROYAK-AS cybercrime-friendly ISP, where they used to host a huge percentage of their ZeuS C&Cs, next to the actual client-side exploit serving iFrame domains/IPs, found on each and every one of their phishing pages..."
    * http://www.antiphishing.org/reports/...vey_2H2009.pdf
    ** http://www.phishlabs.com/blog/ - http://www.phishlabs.com/blog/archives/176

    (More detail and info available at the //ddanchev URL above.)

    - http://www.theregister.co.uk/2010/05...shing_attacks/
    13 May 2010

    - http://sunbeltblog.blogspot.com/2010...thirds-of.html
    May 14, 2010

    Last edited by AplusWebMaster; 2010-05-14 at 19:44.
