
Thread: Pandemic of the botnets 2010

#51 AplusWebMaster (Adviser Team, joined Oct 2005, USA, 6,881 posts)

    Bredolab botnet/trojan ...review

    FYI...

    Bredolab botnet/trojan ...review
    - http://labs.m86security.com/2010/12/...alware-review/
    December 23, 2010 - "Two months ago the authorities in the Netherlands announced a massive botnet takedown of Bredolab Trojan*. However, Bredolab Trojan is still spreading malware on users' machines... Once the malware is executed, it copies itself to a temp folder and injects code into the “svchost.exe” process. It then generates a key and sends basic information... The bot wraps up the data and sends it to the command and control server... Bredolab (unlike the Zeus Trojan) doesn’t have local configuration files pre-generated by the malware operator. The Trojan operates like a Trojan Dropper; it receives the malware, saves it on the hard disk or in memory according to the Trojan operator's choice, and then loads it... Once the malware is successfully installed on the victim’s machine, it becomes much more complicated for AV companies to detect any activity committed by Bredolab Trojan. Looking closely at the traffic sent from the server to the victim shows how the downloaded executable is encrypted in a unique way for -each- machine, rendering AV pattern detection useless... even though instances of Bredolab Trojan can still be found in the wild and used by cybercriminals, it is expected that it will gradually decrease over time*."
    * http://www.securelist.com/en/analysi...redolab_Botnet

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

#52 AplusWebMaster (Adviser Team, joined Oct 2005, USA, 6,881 posts)

    Botnet for the Holidays... Storm 3.0?

    FYI...

    Botnet for the Holidays... Storm 3.0?
    - http://www.shadowserver.org/wiki/pmw...endar/20101230
    30 December 2010 - "... we noticed a new spam campaign that recently started. At first it looked like your regular old holiday e-card scams that have been around for years. However, upon closer inspection it looks like we could be dealing with the next generation of Storm Worm or Waledac. If you consider Waledac to be Storm Worm 2.0, this looks like it could be version 3.0. There are no real version numbers of course, but we don't have anything else to call it yet. What's it involve you ask? Well here's the list of what we've seen so far:
    • Large scale Spam campaigns sending out e-mails with links
    • New malicious domains that are fast flux! (TTL of 0 and name servers that frequently update IPs)
    • Links are to several hacked websites hosting HTML pages that refresh to new malicious domains
    • Links are also directly to new malicious domains
    • Malicious domains hosting links to fake flash player and refreshes to exploit pages
    • Malware installs that begin beaconing to several hosts over HTTP (what we dubbed HTTP2p with Waledac)
    • Malware that's been updated to look a bit more legitimate than past variants
    • A very buggy network that is not often available (upstream devices not available)
    • Changing/Updated binaries ...

    Below you'll find a list of subjects we've seen and an example e-mail message. These are coming from all over the Internet with spoofed sender addresses.
    Greeting for you!
    Greeting you with heartiest New Year wishes
    Greetings to You
    Happy New Year greetings e-card is waiting for you
    Happy New Year greetings for you
    Happy New Year greetings from your friend
    Have a happy and colorful New Year!
    l want to share Greeting with you (Shadowserver note: the first letter is an L)
    New Year 2011 greetings for you
    You have a greeting card
    You have a New Year Greeting!
    You have received a greetings card
    You've got a Happy New Year Greeting Card!...

    We have not done any analysis to see if there are actually any pieces of the code that were directly taken or updated from the Storm Worm or Waledac code. However, whether or not the code is the same or not, this appears to be the next generation of Storm Worm and Waledac. We are just saying it could be Storm Worm 3.0, at least until someone gives it a better name."

    - http://www.shadowserver.org/wiki/upl...mail-honda.png

    - http://www.shadowserver.org/wiki/upl.../mail-flux.png

    - http://www.shadowserver.org/wiki/upl...ar/website.png
    ___

    > http://atlas.arbor.net/summary/fastflux

    Last edited by AplusWebMaster; 2010-12-31 at 04:34.
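The Shadowserver write-up quoted above calls out fast-flux domains (TTL of 0, name servers whose IPs change frequently) as one of the campaign's markers. The following is an added example, not code from Shadowserver or from this thread, showing the defender-side heuristic a passive-DNS pipeline would apply: a low TTL by itself is not a signal (CDNs use short TTLs too), so a name is flagged only when its A records also churn across many unrelated networks, and it is called "double flux" when the name's own name servers show the same churn. All domain names, addresses and timestamps are constructed placeholders; the /24 grouping stands in for the ASN lookup a real pipeline would use.

```python
"""Fast-flux heuristic over constructed passive-DNS observations (added example).

Fast-flux domains hide the real hosting behind a rotating set of compromised
hosts: answers carry a tiny TTL and the A records churn across many unrelated
networks.  "Double flux" rotates the name servers' own addresses as well.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsObservation:
    ts: int       # seconds since epoch (constructed, not real telemetry)
    qname: str    # name queried
    rtype: str    # "A" or "NS"
    rdata: str    # IPv4 address for A, name-server hostname for NS
    ttl: int      # TTL as seen in the answer


# Constructed sample: one fast-flux domain, one CDN-style name with a low TTL
# but a stable address set, one ordinary host.  Names and addresses are
# placeholders, not indicators from any real campaign.
FLUX = "newyear-ecard.example"
CDN = "static.cdn.example"
PLAIN = "www.corp.example"

SAMPLE = [
    DnsObservation(1000, FLUX, "NS", "ns1.flux-ns.example", 0),
    DnsObservation(1000, FLUX, "NS", "ns2.flux-ns.example", 0),
]
# six answers for the flux domain, each in a different network, TTL 0
for i, ip in enumerate(["10.1.1.5", "10.2.7.9", "10.3.0.77",
                        "10.4.200.1", "10.5.5.5", "10.6.60.6"]):
    SAMPLE.append(DnsObservation(1000 + 60 * i, FLUX, "A", ip, 0))
# the flux domain's name server rotates its own address too (double flux)
for i, ip in enumerate(["10.7.1.1", "10.8.1.1", "10.9.1.1", "10.10.1.1", "10.11.1.1"]):
    SAMPLE.append(DnsObservation(1000 + 60 * i, "ns1.flux-ns.example", "A", ip, 0))
# CDN edge case: low TTL, but only two addresses inside one /24
for i in range(6):
    SAMPLE.append(DnsObservation(1000 + 60 * i, CDN, "A", "10.50.3.%d" % (10 + i % 2), 60))
# ordinary host: long TTL, single address
SAMPLE.append(DnsObservation(1000, PLAIN, "A", "10.60.1.1", 3600))


def slash24(ip: str) -> str:
    """Coarse network key; a real pipeline would group by ASN instead."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def summarize(observations):
    """Collapse observations into per-name address, network, NS and min-TTL sets."""
    per = defaultdict(lambda: {"ips": set(), "nets": set(), "ns": set(), "min_ttl": None})
    for o in observations:
        s = per[o.qname]
        if o.rtype == "A":
            s["ips"].add(o.rdata)
            s["nets"].add(slash24(o.rdata))
            s["min_ttl"] = o.ttl if s["min_ttl"] is None else min(s["min_ttl"], o.ttl)
        elif o.rtype == "NS":
            s["ns"].add(o.rdata)
    return dict(per)


def looks_fluxy(s, max_ttl=300, min_ips=5, min_nets=3):
    """Low TTL alone is not enough (CDNs do that); require churn across networks."""
    return (s["min_ttl"] is not None and s["min_ttl"] <= max_ttl
            and len(s["ips"]) >= min_ips and len(s["nets"]) >= min_nets)


def classify(observations, **thresholds):
    """Return {name: 'double-flux' | 'single-flux' | 'none'} for every queried name."""
    summary = summarize(observations)
    verdicts = {}
    for name, s in summary.items():
        if not looks_fluxy(s, **thresholds):
            verdicts[name] = "none"
            continue
        ns_flux = any(ns in summary and looks_fluxy(summary[ns], **thresholds)
                      for ns in s["ns"])
        verdicts[name] = "double-flux" if ns_flux else "single-flux"
    return verdicts


if __name__ == "__main__":
    for name, verdict in sorted(classify(SAMPLE).items()):
        print(f"{name:28s} {verdict}")
```

The thresholds are deliberately exposed as parameters: what counts as "many" addresses depends on the observation window and on how much of the resolver traffic the sensor sees, and the CDN case in the sample is the reason the TTL test is combined with address and network churn rather than used on its own.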
