Page 1 of 4 1234 LastLast
Results 1 to 10 of 31

Thread: Pandemic of the botnets 2011

  1. #1
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Angry Pandemic of the botnets 2011

    FYI...

    Waledac wakes up...
    - http://community.websense.com/blogs/...-of-sleep.aspx
    13 Jan 2011 - "... On Tuesday morning a new variant* of Waledac was distributed to members of the botnet. Yesterday it started spamming again, but now it's back to sending pharmaceutical spam promoting "the magic blue pill" which we have seen previous versions of Waledac do in the past. As in previous spam campaigns, the spammers are using redirections via compromised legitimate sites... The new spam campaign doesn't redirect to malicious content, just to spam content but that could change at any point if the people behind Waledac decides to grow the botnet. We have seen hundreds of different subjects being used in this campaign, here are some examples:
    Wonderful revealing effect on your libido.
    I dream u to be vigorous, dive into u dream this too
    The most excellent way to satisfy her
    Your gf wants your organ to be the finest worker of the year!
    Want to act like a xxxstar? Bang a blu-colored pill!
    FDA-approved blue-blu-colored med to heal ED!
    She needs YOU to grow your PENI!
    Wish to surprise and gratify your lady tonight?
    ..."
    * http://www.virustotal.com/file-scan/...45e-1294875643
    File name: erobyxwugwaugj.exe
    Submission date: 2011-01-12 23:40:43 (UTC)
    Result: 13/42 (31.0%)
    There is a more up-to-date report (21/42) for this file.
    - http://www.virustotal.com/file-scan/...45e-1295079348
    File name: 0aae4f7c578bf77f36d12bd353dd3e71
    Submission date: 2011-01-15 08:15:48 (UTC)
    Result: 21/42 (50.0%)

    - http://www.symantec.com/connect/blog...tnet-back-rise
    12 Jan 2011

    Distribution of the malware
    > http://www.symantec.com/connect/site...mages/fig3.JPG
    ___

    Waledac... [has stolen] almost 500,000 email passwords ...
    - http://forums.spybot.info/showpost.p...0&postcount=82
    2 February 2011

    Last edited by AplusWebMaster; 2011-02-03 at 00:14.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down DDoS botnet update - greenter.ru & globdomain.ru

    FYI...

    DDoS botnet update - greenter.ru & globdomain.ru
    - http://www.shadowserver.org/wiki/pmw...endar/20110116
    16 January 2011 - "On September 13, 2010, I posted a blog about a very active BlackEnergy DDoS botnet that was attacking a wide variety of victims.
    http://www.shadowserver.org/wiki/pmw...endar/20100913
    Since that post, the Command and Control servers on the greenter.ru and globdomain.ru domains have directed DDoS attacks against approximately 170 different victims. Again, these attacks are across many different industries and target some rather high profile sites. As of 9/13/10, I've seen these controllers use the following hosting providers. The list indicates the date first seen on the provider, the IP address used, the AS number of the provider, and the country of the provider:
    greenter.ru hosts
    * 08/07/10 - 194.28.112.135 - AS48691 SPECIALIST-AS Specialist Ltd - - Moldova
    * 11/18/10 - 188.95.159.114 - AS51306 - Tavria Host Network - Ukraine
    * 11/30/10 - 193.186.9.60 - AS44209 - FINACTIVE - Ukraine
    * 1/7/10 - 46.252.129.155 - AS52055 - ReliktBVK - Latvia
    globdomain.ru hosts
    * 08/07/10 - 194.28.112.134 - AS48691 SPECIALIST-AS Specialist Ltd - Moldova
    * 11/23/10 - 188.95.159.115 - AS51306 - Tavria Host Network - UA
    * 11/30/10 - 193.186.9.61 - AS44209 - FINACTIVE - UA
    * 1/7/10 - 46.252.129.156 - AS52055 - ReliktBVK - LV
    As of this post, globdomain.ru is on 46.252.129.156 and greenter.ru is on 46.252.129.155. Shadowserver is in the process of notifying the various global CERT teams, Law Enforcement, as well as the victims themselves..."

    Darkness DDoS bot version identification guide
    - http://www.shadowserver.org/wiki/pmw...endar/20110127
    27 January 2011

    Last edited by AplusWebMaster; 2011-01-29 at 04:46.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  3. #3
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Lightbulb Conficker Group... roadmap for stopping worm

    FYI...

    Conficker Group... roadmap for stopping worm
    - http://www.informationweek.com/share...leID=229100192
    Jan. 25, 2011 - "... On Monday, the Rendon Group released a report*, funded by the Department of Homeland Security, rounding up the 15-person-strong working group's "lessons learned." The report highlighted the group's biggest achievement: "preventing the author of Conficker from gaining control of the botnet." Doing so, however, required coordinating with organizations in more than 100 countries to block the more than 50,000 domains per day generated by the Conficker C worm..."
    * http://www.confickerworkinggroup.org...endar/20110124
    Lessons Learned ...

    THANK YOU ...Conficker Group
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  4. #4
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down SpyEye/ZeuS merger - revisited ...

    FYI...

    SpyEye/ZeuS merger - revisited...
    - http://krebsonsecurity.com/2011/02/r...yezeus-merger/
    February 3, 2011 - "... Seculert*, a new threat alert service... includes some screen shots of the administrative panel of SpyZeuS that show the author trying to appeal to 'users' of both Trojans, by allowing 'customers' to control and update their botnets using either the traditional ZeuS or SpyEye Web interface... the author(s) has been adding new features to both the bot and the control panels nearly every day..."
    * http://blog.seculert.com/2011/01/fre...ydra-head.html

    - http://www.pcworld.com/article/21858...fter_zeus.html
    Feb 3, 2011
    ___

    - http://www.informationweek.com/share...leID=229201215
    Feb. 4, 2011
    - http://www.trusteer.com/blog/zeus-co...g-its-progress
    Feb. 3, 2011

    Last edited by AplusWebMaster; 2011-02-08 at 00:01.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #5
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Zbot detections - MSRT

    FYI...

    Zbot detections - MSRT
    - http://blogs.technet.com/b/mmpc/arch...with-msrt.aspx
    10 Feb 2011 - "... Zbot itself is continually evolving, having undergone many changes in the last year or so, ‘updates’ to the file-based obfuscation, anti-AV defensive techniques, information stealing capabilities, configuration file protection, API hooking, pseudo-random domain generation, process injection and file infection... we can show the telemetry we’ve gathered from the MSRT and Microsoft Security Essentials over the last four months documenting the percentage of Zbot detections exhibiting these new features... Of all the changes that Zbot has undergone however, the most significant from an MSRT perspective is the move towards file infection. Since its inception, Zbot has employed process injection targeting multiple processes on the system, the extent of which is governed by the privilege level of the user who unwittingly triggers the infection. (TIP: If you’re going to run an attachment you got from an email or a link, or via Facebook, don’t elevate it to admin via UAC.) In some newer variants of Zbot in the wild, for each infected process it will hook several Windows APIs, modify and infect binary files, and infect files shared in the network. One interesting behavior to note is that the infected process thread will continually monitor and infect other processes... In its original form, Zbot hooked around 15 APIs. But newer versions, dubbed Zbot 2.x, hook upwards of 30 APIs. The API that we are most interested in however is NtCreateFile(), which is invoked upon opening files... Zbot can infect both directly and upon opening files..."

    Zbot detections - charted
    - http://www.microsoft.com/security/po...zbotmsrt-1.png
    Zbot code injection and hooking process
    - http://www.microsoft.com/security/po...zbotmsrt-2.png

    - http://www.darkreading.com/taxonomy/...e/id/229216691
    Feb 10, 2011

    - http://www.microsoft.com/security/si...#section_4_5_1

    Last edited by AplusWebMaster; 2011-02-12 at 01:10.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #6
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Top 10 botnets - 2010 ...

    FYI...

    Top 10 botnets - 2010 ...
    - http://www.securityweek.com/top-10-b...eased-damballa
    Feb 15, 2011 - "Damballa... today released its “Top 10 Botnet Threat Report - 2010”... At its peak in 2010, the total number of unique botnet victims grew by 654 percent, with an average incremental growth of eight percent per week... Some highlights include:
    • Of the Top 10 largest botnets in 2010, six of these botnets did not exist in 2009, and only one (Monkif) was present in the 2009 Top 10 largest botnets.
    • The biggest botnet of 2010 (a botnet associated with the TDL Gang)... claiming nearly 15 percent of all unique infected victims in 2010.
    • The Top 10 largest botnets in 2010 accounted for approximately 47 percent of all botnet compromised victims...
    • ... more than 35 percent of unique IP addresses infected were simultaneously victims of two or more different botnet campaigns...
    • ... rapid evolution of many popular botnet do-it-yourself (DIY) construction kits and the increased availability of feature-rich browser exploit packs.
    • ... malware distribution services became more proficient at installing bot agents on behalf of their customers (i.e. botnet operators).
    • The last quarter of 2010 was heavily influenced by the rapid growth of botnets utilizing the TDL master-boot-record (MBR) rootkit technology...
    The full report is available here* (Direct PDF Download)"
    * http://www.damballa.com/downloads/r_...ets_Report.pdf
    ___

    - http://www.secureworks.com/research/...bot-evolution/
    15 February 2011

    Last edited by AplusWebMaster; 2011-02-17 at 22:09.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #7
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Cybercrime costs UK $43B a year

    FYI...

    Cybercrime costs UK $43B a year
    - http://www.reuters.com/article/2011/...71G35320110217
    Feb 17, 2011 - "Cyber crime costs the British economy some 27 billion pounds ($43.5 billion) a year and appears to be "endemic," according to the first official government estimate of the issue published on Thursday. The study by Britain's Office of Cyber Security and Information Assurance concluded digital crime is a growing, widespread problem, and attempts to address it have been hampered by a real lack of understanding and insight. Business is bearing the brunt of the costs at an estimated 21 billion pounds, with the pharmaceutical, biotech, IT, and chemical sectors the worst hit. However, government lost some 2.2 billion pounds and the cost to individual Britons amounted to 3.1 billion pounds, "The Cost of Cyber Crime" report* said. Last year, Britain's National Security Strategy placed cyber attacks as one of the top threats the country faces, along with terrorism, war and natural disasters... The report said 9.2 billion pounds was lost from intellectual property (IP) theft, 7.6 billion from industrial espionage and 2.2 billion from extortion, with large companies being targeted..."
    * http://www.cabinetoffice.gov.uk/reso...of-cyber-crime

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  8. #8
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down ZeuS attacks 2-factor ...

    FYI...

    ZeuS attacks 2-factor...
    - http://www.theregister.co.uk/2011/02...cation_attack/
    22 February 2011 - "A variant of the ZeuS banking trojan is targeting mobile phone users who rely on their handsets to get enhanced, two-factor authentication from ING Bank Slaski in Poland... The ZeuS man-in-the-mobile attacks appear to similar to those that hit Spain in September, researchers from antivirus provider F-Secure said*. Both attacks attempt to steal so-called mTANs, short for mobile transaction authentication numbers, which an increasing number of European banks are using to provide enhanced authentication to online customers. Financial institutions send the one-time passwords in text messages. The secondary passcodes are needed to login to online accounts. The ZeuS Mitmo injects a fraudulent field into webpages that prompts users for their cellphone number and the type of handset they use. The criminals behind the operation then send the user an SMS message containing a link to malware that's customized to their Symbian or Blackberry phone. The malware automatically sends all mTANs sent to the handset to the ZeuS operators..."
    * http://www.f-secure.com/weblog/archives/00002104.html

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  9. #9
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Botnets spew many trojans in February

    FYI...

    Botnets spew many trojans in February
    - http://www.eweek.com/c/a/Security/Bo...bruary-553094/
    2011-03-04 - "Trojan-based attacks continue to be the biggest malware threat in February, but PDF exploits aren’t far behind, according to several security reports. About 1 in 290 e-mails in February were malicious, making the month one of the most prolific periods for the threats, according to Symantec’s February 2011 MessageLabs Intelligence Report*. The global ratio of spam in e-mail traffic was 81.3 percent, an increase of 2.7 percent since January, the report found. The recent decline in spam appears to have reversed for the time being, according to the report. There was a lot of botnet activity in February, and the perpetrators appeared to be working together to some extent to distribute Trojans, according to Symantec. There were signs of integration across Zeus, Bredolab and SpyEye, as techniques associated with one malware family were being used by others, Symantec said in the report. The attacks were well-timed and used carefully targeted techniques, suggesting a “common origin” for these infected messages. One day, the messages would be propagating mainly Zeus variants, followed by a day dedicated to distributing SpyEye variants and later with Bredolab, in an alternating pattern, according to Paul Wood, MessageLabs Intelligence senior analyst. By the middle of the month, the variants propagated simultaneously with an advanced package that evaded traditional antivirus detection, he said. All the attacks used a .ZIP archive attachment containing malicious code. About 1.5 percent of blocked malware had malicious .ZIP attachments, and 79.2 percent of those files were connected to the Bredolab, Zeus and SpyEye attacks..."
    * http://www.messagelabs.com/globalthreats

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  10. #10
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down SpyEye/ZeuS target tracker sites ...

    FYI...

    SpyEye/ZeuS target tracker sites...
    - http://krebsonsecurity.com/2011/03/s...tracker-sites/
    March 9, 2011 - "Crooks who create botnets with the help of crimeware kits SpyEye and ZeuS are actively venting their frustration with two Web services that help ISPs and companies block infected machines from communicating with control networks run by these botmasters. The lengths to which established cyber criminals are willing to go to disable and discredit these anti-fraud services provide convincing proof that the services are working as designed, and that the bad guys are suffering financially as a result... A series of discussions on an uber-exclusive Russian language forum that caters to identity and credit card thieves reveal that botmasters are becoming impatient in their search for a solution... Their stated goal? To cause SpyEye Tracker and ZeuS Tracker to flag legitimate sites as hostile, and thereby to lose credibility with ISPs that rely on the trackers... it is clear from these and other threads on this forum that the botmasters will continue devising new methods of disabling the trackers..."
    (More detail and screenshots available at URL above.)

    Data showing recent traffic spikes from DDoS attacks
    - http://krebsonsecurity.com/wp-conten...pyzeusdns1.jpg

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •