Thread: Pandemic of the botnets 2010

  1. #41
    Adviser Team AplusWebMaster
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Botnet superhighway...

    FYI...

    Botnet superhighway...
    - http://blogs.technet.com/b/mmpc/arch...erhighway.aspx
    21 Oct 2010 - "... By Q2 of this year, one out of every three infected machines were part of a botnet. So, if you've been hit by any malware recently, there's a 33% chance that it was by a bot, or that a bot was installed on your machine in addition to that malware... Most bot families, including Win32/Alureon, Win32/Hamweq, and Win32/IRCbot, are capable of downloading and executing arbitrary files, which may be configured to be malware. Because the downloaded threat is distinct from the bot itself, removing the threat installed by the bot doesn't stop the damage, because the bot can simply install something new after the other threat was removed... In addition to installing other threats, botnets are known to spread malicious messages via, for example, email and Instant Messaging (IM), including spam and phishing. These messages may also contain a link to a website that hosts malware or that performs a drive-by download... because of their networked and often organized structure, they allow malicious and illegal activities to be performed at a scale that has not been seen before..."
    * http://www.microsoft.com/security/si...aspx#section_1

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #42
    Adviser Team AplusWebMaster

    Bredolab botnet takedown

    FYI...

    Bredolab botnet takedown...
    - http://www.theregister.co.uk/2010/10...tnet_takedown/
    26 October 2010 - "Dutch police and net security organisations have teamed up to dismantle many of the command and control servers associated with the Bredolab botnet. The Bredolab Trojan, which has spyware components that allow criminals to capture bank login details and other sensitive information from compromised machines, has infected an estimated 30 million computers worldwide since its emergence in July 2009. Infected machines remain pox-ridden but the command system associated with the cybercrime network has been decapitated, following an operation led by hi-tech police in The Netherlands. The Dutch Forensic Institute NFI, net security firm GOVCERT.NL and the Dutch computer emergency response team assisted in the operation which involved the takedown of 143 servers associated with the botnet..."


  3. #43
    Adviser Team AplusWebMaster

    Bredolab... undead

    FYI...

    Bredolab... undead
    - http://www.theregister.co.uk/2010/10..._death_throes/
    29 October 2010 - "... An operation led by the Dutch police led to the takedown of 143 command and control servers associated with the information-stealing botnet, estimated to have infected 30 million computers worldwide... Despite all this, at least two botnet command nodes remain active. The remaining infected nodes that dial into these nodes in Kazakhstan and Russia will be interacted to download a fake anti-virus package called Antivirusplus and distribute spam, respectively. Both domains remain active at the time of writing, although a third command and control node in Russia, which flickered alive earlier this week, appears to have gone inactive. A detailed blog post by net security firm FireEye* concludes that a portion of the Bredolab botnet remains active. It reckons a second group of bot herders are issuing new instructions through various domains to the remaining population of zombie drones in the Bredolab botnet. These cybercrooks are either using leaked copies of Bredolab code to build and maintain their own botnet or they are continuing to use portions of Bredolab that they had previously rented from the primary hacker..."
    * http://blog.fireeye.com/research/201...-not-dead.html


  4. #44
    Adviser Team AplusWebMaster

    Bot infection rates ...

    FYI...

    2Q-2010: Bot infection rates by country/region
    - http://www.microsoft.com/security/po...ot-heatmap.png
    29 Oct 2010
    - http://blogs.technet.com/b/mmpc/arch...ce-report.aspx

    Vecebot trojan analysis
    - http://www.secureworks.com/research/threats/vecebot/
    October 28, 2010 - "... Attack data from one of the victims shows the botnet created by Vecebot to be somewhere between 10,000 and 20,000 infected hosts. The distribution by country shows the significant portion of the botnet is comprised of computers within Vietnam* ... The current list of target URIs in the remote configuration file is:
    my.opera.com/Ao-Trang-Oi/blog/
    vanganhnews.multiply.com/journal/item/{RND 500 550}
    www.x-cafevn.org/verification/index_img.php
    vnctcmd.wordpress.com/
    www.boxitvn.net/bai/{RND 10000 11000}
    These sites are all blogs or forums that contain content critical of the Vietnamese Communist Party or recent developments concerning bauxite mining operations being carried out in the country by China... Whatever the circumstances surrounding the creation of Vecebot, it is clear that the purpose of the botnet is to silence critics of the Vietnamese political establishment where their voices might reach beyond the borders of Vietnam."
    * http://www.secureworks.com/research/...t/vecebot1.gif

    Last edited by AplusWebMaster; 2010-10-30 at 13:21.
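    As an added illustration (not part of the SecureWorks write-up or of this thread), the Python below shows how an operator of one of the listed sites could turn a templated target list like the one quoted above into request matchers and count, per client address, how many requests hit those patterns in an access log. The `{RND lo hi}` placeholder is matched as a digit run and then range-checked as an integer. The log format, the sample log lines and all function names are assumptions made for this example.

```python
import re
from collections import Counter

# Target URI list as quoted on this page from the SecureWorks Vecebot
# analysis; {RND lo hi} is the bot's placeholder for a random integer.
VECEBOT_TARGETS = [
    "my.opera.com/Ao-Trang-Oi/blog/",
    "vanganhnews.multiply.com/journal/item/{RND 500 550}",
    "www.x-cafevn.org/verification/index_img.php",
    "vnctcmd.wordpress.com/",
    "www.boxitvn.net/bai/{RND 10000 11000}",
]

RND = re.compile(r"\{RND (\d+) (\d+)\}")


def template_to_matcher(target):
    """Compile one target entry into (host, path_regex, numeric_ranges).

    Each {RND lo hi} becomes a (\\d+) capture group; the bounds are kept
    separately so a match can be range-checked as integers."""
    host, _, path = target.partition("/")
    path = "/" + path
    pattern, ranges, pos = "", [], 0
    for m in RND.finditer(path):
        pattern += re.escape(path[pos:m.start()]) + r"(\d+)"
        ranges.append((int(m.group(1)), int(m.group(2))))
        pos = m.end()
    pattern += re.escape(path[pos:])
    return host.lower(), re.compile(pattern), ranges


MATCHERS = [(t, *template_to_matcher(t)) for t in VECEBOT_TARGETS]


def request_matches_target(host, path):
    """Return the target template a (host, path) request matches, else None."""
    host = host.lower()
    path = path.split("?", 1)[0]          # ignore query strings
    for target, t_host, rx, ranges in MATCHERS:
        if host != t_host:
            continue
        m = rx.fullmatch(path)
        if m and all(lo <= int(g) <= hi for g, (lo, hi) in zip(m.groups(), ranges)):
            return target
    return None


# Assumed access-log format: client host "METHOD path HTTP/x" status
LOG_RE = re.compile(r'^(\S+) (\S+) "([A-Z]+) (\S+) [^"]*" (\d+)$')

# Constructed sample lines, not real traffic; addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
203.0.113.5 www.boxitvn.net "GET /bai/10471 HTTP/1.1" 200
203.0.113.5 www.boxitvn.net "GET /bai/10472?x=1 HTTP/1.1" 200
198.51.100.9 www.boxitvn.net "GET /bai/12000 HTTP/1.1" 404
198.51.100.9 www.boxitvn.net "GET /index.html HTTP/1.1" 200
203.0.113.77 vanganhnews.multiply.com "GET /journal/item/523 HTTP/1.1" 200
"""


def count_target_hits(log_text):
    """Count, per client address, requests that hit a templated target URI."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, host, _method, path, _status = m.groups()
        if request_matches_target(host, path):
            hits[client] += 1
    return dict(hits)


if __name__ == "__main__":
    for client, n in count_target_hits(SAMPLE_LOG).items():
        print(f"{client}: {n} request(s) matching a Vecebot target pattern")
```

    In the sample, the request for `/bai/12000` is not counted because 12000 lies outside the `{RND 10000 11000}` range; a plain regex for digits would have matched it. Feeding a real log through `count_target_hits` and thresholding the per-client counts is enough to separate flood sources from ordinary readers of the same pages.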

  5. #45
    Adviser Team AplusWebMaster

    Zeus 2.1 defeats MSRT...

    FYI..

    Zeus 2.1 defeats MSRT...
    - http://news.techworld.com/security/3...security-tool/
    5 November 10 - "... According to Trusteer, MSRT detected and removed Zeus version 2.0 about 46 percent of the time in its tests, but failed to spot updated versions which are now circulating... Depending on when the test was conducted, it is not surprising that the MSRT does not detect the latest Zeus variants. The software is updated only once per month, which limits its scope compared to rival tools... Trusteer also markets a rival anti-Zeus approach with its free Rapport plug-in*, which sets out to block it through the browser..."
    * http://www.trusteer.com/webform/download-rapport


  6. #46
    Adviser Team AplusWebMaster

    Koobface on Facebook - report

    FYI...

    Koobface on Facebook - report
    - http://krebsonsecurity.com/2010/11/p...and-partnerka/
    November 12, 2010 - "... detailed analysis (PDF)* of “Koobface,” a huge network of hacked computers that are compromised mostly by social engineering scams spread among users of Facebook.com (Koobface is an anagram of “Facebook”). As the report describes in great detail, the Koobface infrastructure is a crime machine fed by cyber criminal gangs tied to a variety of moneymaking schemes involving Web browser search hijacking and the installation of rogue anti-virus software. This report traces the trail of Koobface activity back through payments made to top criminal partners — known as Partnerka (PDF)** — a mix of private and semi-public affiliate groups that form to facilitate coordinated malware propagation... The report lists the nicknames of top Koobface affiliates, showing the earnings for each over the past year and the Web addresses of their associated affiliate programs***. This is the kind of intelligence that — if shared broadly — has the potential to massively disrupt large scale criminal operations, because cybercrime researchers can use it to make sense of seemingly disparate pieces of information about criminal actors and groups... efforts to disconnect the physical and network control infrastructure... against Koobface is in the works... Stay tuned."
    * http://www.infowar-monitor.net/reports/iwm-koobface.pdf

    ** http://www.sophos.com/security/techn...2009-paper.pdf

    *** http://krebsonsecurity.com/wp-conten...affiliates.jpg

    **** http://www.mcafee.com/us/local_conte..._the_enemy.pdf


  7. #47
    Adviser Team AplusWebMaster

    Koobface take down...

    FYI...

    Koobface take down...
    - http://www.pcworld.com/businesscente...e_servers.html
    Nov 13, 2010 - "Security researchers, working with law enforcement and Internet service providers, have disrupted the brains of the Koobface botnet. Late Friday afternoon, Pacific Time, the computer identified as the command-and-control server used to send instructions to infected Koobface machines was offline... Coreix took down the servers after researchers contacted U.K. law enforcement... The takedown will disrupt Koobface for a time, but for any real effect, much more will have to happen. Machines that are infected by Koobface connect to intermediary servers - typically Web servers that have had their FTP credentials compromised - that then -redirect- them to the now-downed command and control servers. Friday's takedown is part of a larger operation that first started two weeks ago. Villeneuve and his team have notified the ISPs about the compromised FTP accounts, and they've also tipped off Facebook and Google to hundreds of thousands of Koobface-operated accounts. The Facebook accounts are used to lure victims to Google Blogspot pages, which in turn -redirect- them to Web servers that contain the malicious Koobface code. Victims are usually promised some interesting video on a page designed to look like YouTube. But first they must download special video software. That software is actually Koobface. Koobface includes several components, including worm software that automatically tries to infect Facebook friends of the victims, and botnet code that gives the hackers remote control of the infected computer... The gang's creators would use their hacked computers to register more Gmail, Blogspot and Facebook accounts and steal FTP (File Transfer Protocol) passwords. They also messed up their victims' search results to trick them into clicking on online ads, generating referral money from advertising companies. More cash came from fake antivirus software that Koobface can sneak onto victims' PCs. Almost exactly half of Koobface's income - just over $1 million - came from the fake antivirus software. The other half came from online advertising fees... They have identified 20,000 -fake- Facebook accounts; 500,000 -fake- Gmail and Blogspot accounts, and thousands of compromised FTP accounts used by the gang..."

    - http://www.theregister.co.uk/2010/11...ace_take_down/
    15 November 2010


  8. #48
    Adviser Team AplusWebMaster

    SpyEye - 270K infections ...

    FYI...

    SpyEye - more than 270,000 infections
    - http://labs.m86security.com/2010/11/...g-battlefield/
    November 15, 2010 - "... A few months ago, the M86 Security Lab team discovered another SpyEye C&C server targeting one of the largest American banks. As part of the internal M86 disclosure policy, we contacted the bank to provide the detailed information we had discovered... In this particular case of malicious activity, the SpyEye Trojan’s “install base” included more than 270,000 infections. The bank eventually confirmed that more than 200 bank accounts had been compromised... Based on several recent cases, I can verify that the banks have begun to take this information much more seriously. First, they’ve educated themselves on banking Trojans - a refreshing change. Second, they are ready to co-operate and convey a willingness to further investigate the information provided. For example, the SpyEye case mentioned above was a process that took less than a month with the bank. At the conclusion of the case, we received complementary information that was confirmed by the bank. Without the pretense for accurate statistics, the behavioral changes of the banks are significant, and are a result of the losses the banks suffered, and continue to suffer, as a result of this new type of Banker Trojans activity. Success of Zeus and SpyEye have caused numerous copycats to appear, such as the new Bugat, Carberp, and latest Feodo Trojans. The war that the banks were engaged in at the birth of Cybercrime has become increasingly sophisticated. Given the new battle landscape, banks have begun to re-group their efforts in fighting back."

    - http://www.mcafee.com/us/local_conte..._report_en.pdf
    2010-Q3 report pg. 5 - "...we see on average about 6,000,000 new botnet infections per month..."

    Last edited by AplusWebMaster; 2010-11-16 at 19:31.

  9. #49
    Adviser Team AplusWebMaster

    Kroxxu botnet infects 100K domains ...

    FYI...

    Kroxxu botnet infects 100K domains...
    - http://www.avast.com/pr-avast-kroxxu...-a-money-trail
    November 18, 2010 - "... During the last twelve months, avast! Virus Lab researchers have covered the steady growth and structure of the Kroxxu bot network, an innovative self-generating network of password-stealing malware. This extensive botnet has around 100 thousand infected domains and has likely infected more than 1 million users around the world... Kroxxu is focused exclusively on stealing FTP passwords. Unlike its predecessor Gumblar and the traditional botnet, Kroxxu’s expansion is completely based on infected websites – not individual PCs. Stolen passwords enable Kroxxu’s owners to add a simple script tag to the original website content, making it possible to upload and modify files on infected servers and spread the net to other servers around the globe. If stacked up in a layered pyramid structure, avast! Virus Lab estimates that the Kroxxu zombie network includes over 10,000 redirectors, 2,500 PHP redirectors, and an additional 700 plus malware distribution sites located worldwide, randomly connected and controlled from places hidden behind collectors. Redirection is central to Kroxxu’s ability to hide itself. The longest active connection found so far used 15 redirectors, passing the unsuspecting visitor through seven countries in three continents to the infectious exploits... 985 PHP redirectors and 336 malware distributors placed in the infected sites had survived more than three months without any attention from the side of the site owners or administrators. It seems that most administrators are ignoring or – more likely – absolutely unaware of the infection. Only the administrator or the owner of the hacked website is able to legally get rid of the infection..."
    (More detail at the URL above.)

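    The avast! write-up above says the injected change is "a simple script tag" added to existing pages, and that most site owners never notice it. As an added example (not avast!'s code and not part of this thread), the Python below is the kind of check a site administrator can run over a document root: it parses each HTML file, collects every `<script src=...>`, and reports the ones that load script from a host outside the site's own allowlist, treating protocol-relative `//host/...` sources as remote. The sample page, the placeholder host names and the function names are constructed for this example.

```python
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Record the src of every <script src=...> and count inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")      # html.parser lower-cases tag and attribute names
        if src:
            self.external.append(src)
        else:
            self.inline += 1


def script_host(src):
    """Host a script src loads from; '' means a relative, same-origin reference.
    Protocol-relative '//host/x.js' is treated as remote."""
    if src.startswith("//"):
        src = "http:" + src
    return (urlsplit(src).hostname or "").lower()


def find_foreign_scripts(html, allowed_hosts):
    """Return src values that pull script from a host outside the allowlist."""
    collector = ScriptCollector()
    collector.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    return [src for src in collector.external
            if script_host(src) and script_host(src) not in allowed]


def scan_tree(root, allowed_hosts, suffixes=(".html", ".htm", ".php")):
    """Walk a document root and map each file to its foreign script sources."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            foreign = find_foreign_scripts(path.read_text(errors="replace"), allowed_hosts)
            if foreign:
                findings[str(path)] = foreign
    return findings


# Constructed sample page: two legitimate scripts, then two injected tags
# pointing at placeholder hosts (not real Kroxxu infrastructure).
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
</head><body>
<p>Welcome</p>
<script src="http://redirector.example/x.php"></script>
<SCRIPT SRC="//second-hop.example/r.js"></SCRIPT>
</body></html>"""

# Hosts this (hypothetical) site legitimately serves script from.
SITE_HOSTS = {"www.example.org", "cdn.example.org"}

if __name__ == "__main__":
    for src in find_foreign_scripts(SAMPLE_PAGE, SITE_HOSTS):
        print("unexpected external script:", src)
```

    Run `scan_tree("/var/www/html", SITE_HOSTS)` (path assumed) from a cron job and diff the result against the previous run; a new external host appearing across many files at once is exactly the footprint the report describes. The check is static and offline, so it does not follow the redirector chain and therefore does not contact the remote hosts it flags.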

  10. #50
    Adviser Team AplusWebMaster

    'Darkness' DDoS Bot ...

    FYI...

    'Darkness' DDoS Bot
    - http://www.shadowserver.org/wiki/pmw...endar/20101205
    December 05, 2010 - "... new DDoS bot that has been quite active over the past few weeks targeting a fairly large variety of websites... this is not the usual prolific BlackEnergy botnet, but a botnet called “Destination Darkness Outlaw System”(D.D.O.S), aka “Darkness”. As with BlackEnergy, “Darkness” is easy to purchase, easy to deploy, and is very effective and efficient in what it does. This particular version of “Darkness” is using the domains greatfull-toolss .ru and greatfull .ru for its command and control (C&C)... a third domain, hellcomeback .ru, was also utilized but is no longer available now. Since November 12 of this year, we have seen over 100 different hosts targeted by 'greatfull .ru'. Initially, the botnet's attacks seem localized and against various MU Online gaming sites, but eventually, it was seen targeting more high profile sites in the financial, insurance, cosmetics, clothing, accessories, and gifts industries.
    The C&C - greatfull .ru and greatfull-toolss .ru are currently being hosted on 91.212.124.35 which is: AS49089 - UA-DC / Nikultsev Aleksandr Nikolaevich. AS49089 is a small provider that only seems to be announcing the /24 netblock 91.212.124.0/24 ... It has a single upstream which is AS49211 - SAASUA-AS SAAS Technologies Ltd. The current AS path is seen as: AS4777 > AS2516* > AS174 > AS42590 > AS49211 > AS49089 ...
    Additional Observations - The hellcomeback .ru domain was registered on 10/10/2010. The greatfull .ru and greatfull-toolss .ru domains were registered on 11/3/2010. Having a three-headed C&C domain structure for this DDoS bot enables it to remain functional despite a takedown of any single domain or provider. It also allows for some additional correlation of the botnet operator to forum posts, ads, registrations, etc... Shadowserver continues to track 'greatfull .ru' and other 'Darkness' DDoS bots. We are also notifying the various global CERT teams, Law Enforcement, as well as the victims themselves..."
    (More detail and graphics available at the Shadowserver URL above.)

    * http://www.google.com/safebrowsing/d...c?site=AS:2516

    - http://www.google.com/safebrowsing/d...ic?site=AS:174

    - http://www.google.com/safebrowsing/d...?site=AS:49089

    - http://www.theregister.co.uk/2010/12...rkness_botnet/
    7 December 2010

    Last edited by AplusWebMaster; 2010-12-08 at 13:30.
