
Thread: Pandemic of the botnets 2010

#21 - AplusWebMaster (Adviser Team)

Asprox Spambot resurrects

    FYI...

    Asprox Spambot resurrects
    - http://www.m86security.com/labs/i/Th...race.1345~.asp
    June 5, 2010 - "... on the first day of June, the spamming resumed - this time focused on pharmaceutical campaigns. With the help of Pushdo and Bredolab downloader, it seems Asprox has risen from the dead to build another spamming bot network... analysis also highlights the intricate relationships between individual malware components, and hint at a common gang behind it all."

    (Screenshots and more detail available at the URL above.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

#22 - AplusWebMaster (Adviser Team)

SSH brute force attempts on the rise again

    FYI...

    SSH brute force attempts on the rise again...
    - http://isc.sans.edu/diary.html?storyid=9031
Last Updated: 2010-06-18 12:32:51 UTC - "SSH brute force attempts seem to be on the rise again; at the SANS Internet Storm Center we have received a number of reports that a number of networks are seeing them. The source IP addresses vary with each new attempted username in the wordlist, which would indicate that the attempts are distributed through botnet(s). It only takes a single user with a weak password for a breach to occur; with that foothold, escalation and further attacks are likely next...
    Reader xemaps wrote in with this log snippet:
    "Whole day my server has been targeted by a botnet, attacker also changed ip each new dictionary user."
    Jun 17 23:02:03 pro sshd[17444]: Invalid user mailer from 217.37.x.x
    Jun 17 23:03:24 pro sshd[17460]: Invalid user mailer from 87.66.x.x
    Jun 17 23:05:27 pro sshd[17617]: Invalid user mailman from 89.97.x.x
    Jun 17 23:09:30 pro sshd[17639]: Invalid user mailtest from 62.2.x.x
    Jun 17 23:15:44 pro sshd[17894]: Invalid user maker from 83.236.x.x
    Jun 17 23:16:47 pro sshd[17925]: Invalid user mama from 84.73.x.x
    Reader Ingvar wrote in with a similar pattern:
"On my home system I have seen these login attempts that start with user "aaa" and go on alphabetically from over 1000 different hosts around the world (judging from the DenyHosts reports). Normally I only see single-digit attempts per day."
    Jun 17 02:14:56 MyHost sshd[808]: error: PAM: authentication error for illegal user aaa from 151.100.x.x
    Jun 17 02:23:11 MyHost sshd[870]: error: PAM: authentication error for illegal user aabakken from 150.254.x.x
    Jun 17 02:24:57 MyHost sshd[875]: error: PAM: authentication error for illegal user aapo from 173.33.x.x
    Jun 17 02:35:23 MyHost sshd[885]: error: PAM: authentication error for illegal user abakus from 121.160.x.x
    Jun 17 02:37:32 MyHost sshd[895]: error: PAM: authentication error for illegal user abas from 190.200.x.x
    Jun 17 02:38:18 MyHost sshd[900]: error: PAM: authentication error for illegal user abc from 193.251.x.x

    Last year ISC Handler Rick wrote up a diary* for Cyber Security Awareness Month - Day 17 - Port 22/SSH about SSH brute force attempts and some safeguards that can be implemented. Here is a brief summary:
    • Deploy the SSH server on a port other than 22/TCP
    • Deploy one of the SSH brute force prevention tools
    • Disallow remote root logins
    • Set PasswordAuthentication to "no" and use keys
    • If you must use passwords, ensure that they are all complex
    • Use AllowGroups to limit access to a specific group of users
• Use a chroot jail for SSH if possible
    • Limit the IP ranges that can connect to SSH ..."

    * http://isc.sans.edu/diary.html?storyid=7369

    - http://isc.sans.edu/port.html?port=22

    MORE INFO...
    - http://isc.sans.edu/diary.html?storyid=9034
    Last Updated: 2010-06-18 17:05:49 UTC

    Last edited by AplusWebMaster; 2010-06-18 at 21:56.
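A small detector for the pattern the diary describes, added here as an example (it is not code from the ISC diary or from the post): it parses both sshd line shapes quoted above and flags a run as distributed when no single source dominates the failures. The log lines are constructed, modelled on the quoted snippets, with the sources masked as in the post.

```python
import re
from collections import Counter
# Constructed samples modelled on the two log shapes quoted in the ISC diary
# (one per reporting host, sources masked as in the post); not from any live system.
LOG_PRO = """\
Jun 17 23:02:03 pro sshd[17444]: Invalid user mailer from 217.37.x.x
Jun 17 23:03:24 pro sshd[17460]: Invalid user mailer from 87.66.x.x
Jun 17 23:05:27 pro sshd[17617]: Invalid user mailman from 89.97.x.x
Jun 17 23:09:30 pro sshd[17639]: Invalid user mailtest from 62.2.x.x
Jun 17 23:15:44 pro sshd[17894]: Invalid user maker from 83.236.x.x
Jun 17 23:16:47 pro sshd[17925]: Invalid user mama from 84.73.x.x
Jun 17 23:20:00 pro sshd[18001]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
"""
LOG_MYHOST = """\
Jun 17 02:14:56 MyHost sshd[808]: error: PAM: authentication error for illegal user aaa from 151.100.x.x
Jun 17 02:23:11 MyHost sshd[870]: error: PAM: authentication error for illegal user aabakken from 150.254.x.x
Jun 17 02:24:57 MyHost sshd[875]: error: PAM: authentication error for illegal user aapo from 173.33.x.x
Jun 17 02:35:23 MyHost sshd[885]: error: PAM: authentication error for illegal user abakus from 121.160.x.x
Jun 17 02:37:32 MyHost sshd[895]: error: PAM: authentication error for illegal user abas from 190.200.x.x
"""
# A single-origin dictionary run (constructed, documentation address) for contrast.
LOG_SINGLE = "\n".join(
    f"Jun 18 01:0{i}:00 pro sshd[2{i}]: Invalid user {u} from 198.51.100.7"
    for i, u in enumerate(["admin", "oracle", "postgres", "test", "guest"])
)

# Matches both "Invalid user NAME from IP" and the PAM form "... illegal user NAME from IP".
FAILED_USER_RE = re.compile(r"sshd\[\d+\]: .*?(?:Invalid|illegal) user (\S+) from (\S+)")

def parse_failed_logins(text):
    """(username, source) for every unknown-user failure; other lines are ignored."""
    return [m.groups() for line in text.splitlines() if (m := FAILED_USER_RE.search(line))]

def summarize(text):
    pairs = parse_failed_logins(text)
    users = [u for u, _ in pairs]
    sources = Counter(s for _, s in pairs)
    steps = list(zip(users, users[1:]))
    return {
        "attempts": len(pairs),
        "distinct_users": len(set(users)),
        "distinct_sources": len(sources),
        # share of attempts from the busiest origin: ~1.0 for one attacker,
        # ~1/attempts when the source rotates for every username tried
        "busiest_share": max(sources.values()) / len(pairs) if pairs else 0.0,
        # fraction of consecutive usernames in sorted order: a wordlist walked a-z
        "ordered_share": sum(a <= b for a, b in steps) / len(steps) if steps else 0.0,
    }

def looks_distributed(text, min_attempts=5, max_busiest_share=0.5):
    """True when failures come from many origins with none dominant (the diary's pattern)."""
    s = summarize(text)
    return s["attempts"] >= min_attempts and s["busiest_share"] <= max_busiest_share
```

A per-IP lockout tool on its own will not stop a run where `busiest_share` is near `1/attempts`, which is why the diary's other safeguards (keys instead of passwords, AllowGroups, source restrictions) matter more than blocking individual addresses.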

#23 - AplusWebMaster (Adviser Team)

(More) Asprox SQL injection attacks

    FYI...

    (More) Asprox SQL injection attacks
    - http://www.m86security.com/labs/i/An...race.1366~.asp
    June 23, 2010 - "... we noticed reports of mass infections of IIS/ASP websites. The nature of these attacks reminded us of SQL injection attacks back in 2008 where Asprox was clearly involved. We suspected that the re-emergence of Asprox and these new mass website infections were not merely a coincidence. Well, this week our suspicions were confirmed when we came across another version of Asprox which started to launch both spam and SQL injection attacks. As of this writing, there are three fast-flux domains that the bot attempts to contact.
    CL63AMGSTART .RU
    HYPERVMSYS .RU
    ML63AMGSTART .RU

    These domains resolve to Asprox's control servers, which respond with spam templates, target email addresses, Asprox malware updates, as well as SQL injection attack information and lists of target ASP websites. When analyzing the new Asprox binary that we pulled from the command and control server, we noticed some interesting clues that show that Asprox is behind the latest SQL injection attacks... The Asprox bot downloads an encrypted XML file that contains a list of target ASP websites and some other information such as a Google search term to search more potential targets... So Asprox is back with a vengeance, and doing its typically Asprox-like things, namely spamming and SQL injection..."


#24 - AplusWebMaster (Adviser Team)

Botnet has offspring...

    FYI...

    Botnet has offspring...
    - http://www.theregister.co.uk/2010/06...et_resurgence/
    29 June 2010 - "The Kraken botnet, believed by many to be the single biggest zombie network until it was dismantled last year, is staging a comeback that has claimed almost 320,000 PCs, a security researcher said. Since April, this son-of-Kraken botnet has infected an estimated 318,058 machines - about half as big as the original Kraken was at its height in the middle of 2008, according to Paul Royal, a research scientist at the Georgia Tech Information Security Center. Like its predecessor, the new botnet is a prodigious generator of spam, with a single machine with average bandwidth able to send more than 600,000 junk mails per hour... To evade detection, they use as many as 1,200 unique malware variants. One widely used strain was flagged by just 50 per cent of AV last week, according to this VirusTotal analysis*... The latest Kraken uses domain names offered by dynamic DNS services to corral its bots into command and control channels. Because the addresses are extensions of legitimate domain names, it prevents them from being shut down by registrars..."
    * http://www.virustotal.com/analisis/0...37c-1277172595
    File 07d2421a836b3e943d75917a69bd98ae received on 2010.06.22 02:09:55 (UTC)
    Result: 21/41 (51.22%)


#25 - AplusWebMaster (Adviser Team)

Zeus botnets in UK...

    FYI...

    Zeus trojan regionally-targeted...
    - http://www.theregister.co.uk/2010/07...trojan_threat/
1 July 2010 - "Cybercrooks have developed regionally-targeted banking Trojans that are more likely to slip under the radar of anti-virus defences. Detection rates for regional malware vary between zero and 20 per cent, according to a study by transaction security firm Trusteer. This company markets browser security add-ons to banks, which offer them to consumers as a way of reducing the risk of malware on PCs resulting in banking fraud. Trusteer cites two pieces of regional malware targeted at UK banking consumers. Silon.var2 crops up on one in every 500 computers in the UK compared to one in 20,000 in the US. Another strain of malware, dubbed Agent-DBJP, was found on one in 5,000 computers in the UK compared to one in 60,000 in the US. The Zeus Trojan is the most common agent of financial fraud worldwide. The cybercrime toolkit is highly customisable and widely available through underground carder and cybercrime forums. Trusteer has identified two UK-specific Zeus botnets, designed to infect only UK-based Windows and harvest login credentials of only British banks from these compromised systems..."

    More Zeus...
    - http://blog.trendmicro.com/zeuszbot-...russian-banks/
    July 5, 2010 - "... this specific sample targeted several banks around the globe, including Russian banks... This ZeuS/ZBOT sample also targeted banks found in Germany, the United States, the United Kingdom, Poland, the Netherlands, Italy, Spain, France, Belarus, Bulgaria, Australia, Ireland, the United Arab Emirates, Turkey, and New Zealand..."

    Last edited by AplusWebMaster; 2010-07-07 at 14:38.

#26 - AplusWebMaster (Adviser Team)

    FYI...

    Botnet size and Lies, Damn Lies...
    - http://www.shadowserver.org/wiki/pmw...endar/20100705
July 05, 2010 - "... If one looks at the targets of online crime, it's hard to draw trends but we can make a few educated guesses. In general, they're targets of opportunity. These days, large companies and financial institutions are actually a reasonably high bar for your average online criminal. Reading reports by Brian Krebs*, the majority of known and reported business victims of online theft are on the smaller side. There are two reasons for this:
    1) they tend not to view information security as a high priority, thus making them easier targets and
    2) there's more of them and they simply get caught up in widespread mass campaigns.
    Don't get caught up in "which is the biggest botnet". Worry about how the botnet is being used. Worry that it's being used to steal money from mom and pop companies who don't stand a chance."

    (Charts and more detail available at the Shadowserver URL above.)

    * http://krebsonsecurity.com/category/smallbizvictims/


#27 - AplusWebMaster (Adviser Team)

GootKit - site infections

    FYI...

    GootKit - site infections
    - http://www.m86security.com/labs/i/Go...race.1368~.asp
June 30, 2010 - "... attackers do not infect hundreds of web pages by hand, they use a script or a botnet to do the work for them. Some examples of this are Asprox and Gumblar, which are known for doing mass web site infections, Asprox via SQL injection and Gumblar by using stolen FTP credentials. One other such bot is known as GootKit. We came across this bot when it was installed on one of our test machines by a malicious downloader, along with a host of other malware. Most of Gootkit's functions are implemented in scripts that are downloaded as tasks from a control server... We are unsure exactly how the control server obtained all of the FTP credentials, but most often these are stolen via keyloggers and information stealing malware installed on a website administrator's PC. Gootkit is another example that highlights the highly automated systems that attackers are using to infect web pages en masse. These systems are underpinned and driven by botnets, which give the scalability and anonymity that the cybercriminals desire."


#28 - AplusWebMaster (Adviser Team)

Zeus v3 in the wild...

    FYI...

    Zeus v3 in the wild...
    - http://www.theregister.co.uk/2010/07...us_goes_local/
13 July 2010 - "Hackers have created a new version of the Zeus crimeware toolkit that's designed to swipe bank login details of Spanish, German, UK and US banks. The malware payload, described by CA as Zeus version 3, is far more selective in the banks it targets. Previous versions targeted financial institutions around the world while the latest variant comes in two flavours: one that only targets banks in Spain and Germany, and a second that only targets financial institutions in the UK and US. In addition the latest version of Zeus contains features that make it far harder for security researchers to figure out what the malware is doing. Zombie drones on the Zeus botnet operate on a need to know basis, CA explains*... Command and control systems associated with the bot are "mostly hosted in Russia", according to CA..."
    * http://community.ca.com/blogs/securi...usa-banks.aspx


#29 - AplusWebMaster (Adviser Team)

Mumba botnet campaign

    FYI...

    Mumba botnet campaign
    - http://www.theinquirer.net/inquirer/...s-mumba-botnet
    Aug 02 2010 - "... the Mumba botnet malware has infected 55,000 PCs around the world. Apparently the botnet has been responsible for stealing up to 60GB of personal data. The compromised data includes bank account details and credit card numbers. The US has suffered the lion's share of the hack with 33 per cent of infected systems, Germany comes in second with 17 per cent, Spain has 7 per cent and the UK 6 per cent while Mexico and Canada each have 5 per cent... the hackers specifically targeted the US in the malware attacks, possibly because it's a bigger target. The Mumba botnet was developed by the Avalanche Group to maximise the number of malware attacks and it uses the latest version of Zeus...."

    - http://www.theregister.co.uk/2010/08...t_infiltrated/
    2 August 2010

    Last edited by AplusWebMaster; 2010-08-03 at 12:18.

#30 - AplusWebMaster (Adviser Team)

Zeus2 botnet takedown in UK...

    FYI...

    Zeus2 botnet takedown in UK...
    - http://www.theregister.co.uk/2010/08...pwns_brit_pcs/
4 August 2010 - "Security researchers have uncovered the command and control network of a Zeus 2 botnet sub-system targeted at UK surfers that controlled an estimated 100,000 computers. Cybercrooks based in eastern Europe used a variant of the Zeus 2 cybercrime toolkit to harvest personal data - including bank log-ins, credit and debit card numbers, bank statements, browser cookies, client side certificates, and log-in information for email accounts and social networks - from compromised Windows systems. Trusteer researchers identified the botnet's drop servers and command and control centre before using reverse engineering to gain access to its back-end database and user interface. A log of IP addresses used to access the system, presumably by the cybercrooks that controlled it, was passed by Trusteer onto the Metropolitan Police... The original attack was probably seeded by a combination of infected email attachments and drive-by downloads, according to Amit Klein, Trusteer's chief technology officer. The Windows-based malware used to control zombie clients was a variant of the infamous Zeus cybercrime toolkit, a customisable Trojan keylogger and botnet-control client sold through underground forums that's become the sawn-off shotgun of the cybercrime economy over recent years..."
    - http://www.trusteer.com/company/trus...-the-news/2010

