
Thread: Pandemic of the botnets 2011

  1. #11
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    DDoS bot analysis...

    FYI...

    Skunkx DDoS Bot Analysis
    - http://asert.arbornetworks.com/2011/...-bot-analysis/
    March 14th, 2011 - "... appears to be from the US. We’re calling this bot “Skunkx”. We have not yet seen the bot’s attacks in the wild, however, and so we do not know its favored victim profiles. We also do not know how big this botnet is at this time. The bot’s capabilities include:
    * Perform DDoS attacks: UDP floods, SYN floods, HTTP floods, and Slowloris attacks
    * Detect some analyst tools (Commview, TCPView, and Wireshark) and platforms (QEMU, VMWare, VirtualPC)
    * Spread over USB, MSN, YahooMessenger
    * “Visit” sites, speedtest
    * Download and install, update, and remove arbitrary software
    * Detect and stop DDoSer, Blackshades, Metus and IRC bots on the box; it apparently can speak “DDoSer” too
    * Spread as a torrent file
    * Steal logins stored in the SQLite DB by Mozilla
    We have not seen source or the control panel of the bot. The author appears to like the “JoinVPS” service, however. His servers that he has used go back to “Net-0x2a: Zharkov Mukola Mukolayovuch” in the Ukraine, and also “PIRADIUS” in Malaysia. This is someone familiar with underground hosting, it seems... We have also been sinkholing this botnet. Inspection shows hundreds of bots checking in from around the world, with most in the US..."
    Map showing botted hosts:
    - http://farm6.static.flickr.com/5217/...6c467802_o.png

    JKDDOS: DDoS bot...
    - http://asert.arbornetworks.com/2011/...ning-industry/
    March 8th, 2011 - "... Looking back through our malware zoo, we observed our first JKDDOS sample as early as September 2009. Since then, we have analyzed almost 50 unique JKDDOS samples, the most recent of which we acquired in December 2010. Based on its recent history of attacks, the operators of this family appear to have an axe to grind against several relatively large international holding companies that have connections to the mining industry... The JKDDOS malware is distributed in the form of a relatively small executable that tends to vary widely in size across different samples; we have seen specimens as small as 17,408 bytes and as large as 240,997 bytes. The most common size for a JKDDOS sample is approximately 33.5 KB; recently, the JKDDOS samples we have analyzed have usually been packed whereas earlier samples were not... Once launched, a JKDDOS bot performs a fairly standard installation process. It copies itself into the C:\Windows\System32 directory. In an attempt to be stealthy, it will sometimes name the installed copy of itself so as to appear to be a legitimate system file..."

    (More detail at both URLs above.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #12
    AplusWebMaster (Adviser Team)

    Rustock botnet takedown...

    FYI...

    Rustock botnet takedown...
    - http://www.theregister.co.uk/2011/03...tnet_takedown/
    17th March 2011 - "Spam volumes shrank on Wednesday after the prolific Rustock botnet fell silent, reportedly as a result of a takedown action*. Rustock, which is made up of a network of compromised (malware-infected) Windows PCs, turns an illicit income for its unknown controllers by being the biggest single source of global spam... SecureWorks... last month... said the author(s) of Rustock have pioneered a variety of techniques to evade detection on infected machines and to stymie security researchers hoping to unlock the secrets of its day-to-day operations... it is possible that Rustock may be configured to use the news headlines or other topical information from these sites as the random seed for generating new command and control domains..."
    * http://krebsonsecurity.com/2011/03/r...olumes-plummet
    March 16th, 2011 7:05 pm

    - http://labs.m86security.com/2011/03/rustock-down/
    March 16th, 2011 - "... A brief look at our spam traps today confirmed that output from Rustock did indeed dry up today. The chart below shows an index of daily spam volume changes from Rustock over the last few weeks:
    - http://labs.m86security.com/wp-conte...ustockSpam.png
    ... let's hope this one sticks. Previous attempts at botnet shutdowns have tended to be short-lived as the botnet herders simply regroup and start again..."
    ___

    Operation b107 - Rustock Botnet Takedown
    - http://blogs.technet.com/b/mmpc/arch...-takedown.aspx
    17 Mar 2011 6:47 PM

    - http://online.wsj.com/article/SB1000...861008758.html
    MARCH 18, 2011 - "... U.S. marshals accompanied employees of Microsoft's digital crimes unit into Internet hosting facilities in Kansas City, Mo.; Scranton, Pa; Denver; Dallas; Chicago; Seattle and Columbus, Ohio. The Microsoft officials brought with them a federal court order granting them permission to seize computers within the facilities alleged to be "command-and-control" machines, through which the operators of the Rustock botnet broadcast instructions to their army of infected computers, estimated by Microsoft at more than one million machines world-wide..."


  3. #13
    AplusWebMaster (Adviser Team)

    Coreflood botnet takedown ...

    FYI...

    Coreflood botnet takedown ...
    - http://news.yahoo.com/s/afp/20110413...ernetcoreflood
    April 13, 2011 WASHINGTON (AFP) – "The US authorities have disabled a vast network of virus-infected computers used by cyber criminals to steal passwords and financial information, the Justice Department and FBI announced Wednesday. The "Coreflood" botnet is believed to have operated for nearly a decade and to have infected more than two million computers around the world, they said in a joint statement. The Justice Department and FBI said charges of wire fraud, bank fraud and illegal interception of electronic communications had been filed against 13 suspects identified in court papers only as John Doe 1, John Doe 2, etc. Five computer servers and 29 Internet domain names were seized as part of the operation, described as the "most complete and comprehensive enforcement action ever taken by US authorities to disable an international botnet"... Coreflood, which exploited a vulnerability in computers running Microsoft's Windows operating systems, was used to steal usernames, passwords and other private personal and financial information, US officials said..."
    - http://www.justice.gov/opa/pr/2011/A...1-crm-466.html
    April 13, 2011 - More Than 2 Million Computers Infected with Keylogging Software as Part of Massive Fraud Scheme...

    - http://krebsonsecurity.com/2011/04/u...eflood-botnet/
    April 14, 2011
    - http://www.fbi.gov/contact-us/field/...n-connecticut/
    April 13, 2011
    ___

    - http://www.secureworks.com/research/threats/coreflood/
    June 2008



  5. #15
    AplusWebMaster (Adviser Team)

    Zeus adds Investment Fraud...

    FYI...

    Zeus adds Investment Fraud...
    - http://www.trusteer.com/print/node/1533
    April 27, 2011 - "We recently discovered and investigated a very interesting new Zeus configuration sample that uses credible looking banner advertisements on major web sites to offer high rate of return investment opportunities. This attack is targeting some of the world’s leading and most trusted websites including: AOL, Amazon, Apple, CNN, Citibank, Forbes, ESPN, and many more. Adding investment fraud to its bag of tricks is a new twist for Zeus. These attacks have only one purpose – to lure users into investing their money through a very convincing and professional looking website, https ://ursinvestment .com, which is a fraud. We traced several examples of this configuration file to attacks on leading websites. In one case, the Zeus mechanism embeds banners on the targeted websites which -redirect- to https ://ursinvestment .com. We were surprised to see how well integrated the banner designs were with the attacked websites... The website is hosted on an IP address (178.18.243.227) that originates from Germany. Huan-jun-net, an unknown network, is responsible for hosting the website..."
    (Screenshots and more detail available at the Trusteer URL above.)

    - http://www.fbi.gov/news/testimony/cy...-and-terrorism
    April 12, 2011 - "... The Booming Business of Botnets: ... The botnets run by criminals could be used by cyber terrorists or nation states to steal sensitive data, raise funds, limit attribution of cyber attacks, or disrupt access to critical national infrastructure. Today’s botnets are often modular and can add or change functionality using internal update mechanisms... Some criminals rent or sell their botnets or operate them as a specialized portion of an ad hoc criminal organization. At least one botnet kit author implemented a copy protection scheme, similar to major commercial software releases, which attempts to limit unauthorized use of the botnet kit. Botnets that specialize in data exfiltration are able to capture the contents of encrypted webpages and modify them in real time. When properly configured, criminals can ask additional questions at login or modify the data displayed on the screen to conceal ongoing criminal activity. Criminals purchase the base kits for a few thousand dollars and can pay for additional features to better target specific webservices..."


  6. #16
    AplusWebMaster (Adviser Team)

    DDoS Bot - "Snap" ...

    FYI...

    DDoS Bot - "Snap"...
    - http://ddanchev.blogspot.com/2011/05...-bot-snap.html
    May 09, 2011 - "... a new DDoS bot on the block - "Snap". This modular bot differentiates itself by offering the ability to choose between different modules to be added to the final package, and by allowing it to perform two "proprietary" DDoS functions, namely the TurboSYN and TrafficDDoS. Next to its core DDoS functionality, the coder of the bot is differentiating by offering Form Grabbing; Reverse Socks; MailSpamming; IM-Spamming and Exploits launching functionality..."
    (More detail at the URL above.)
    ___

    - http://www.darkreading.com/taxonomy/...e/id/229403058
    May 09, 2011

    - https://www.verisign.co.uk/press/page_20100505.html
    May 5, 2010 - "... Best Practices... DDoS Defense..."


  7. #17
    AplusWebMaster (Adviser Team)

    RBN activity seen - ISC ...

    FYI...

    RBN activity seen - ISC ...
    - http://isc.sans.org/diary.html?storyid=10888
    Last Updated: 2011-05-17 14:05:17 UTC - "... latest log excursion started with two alerts from the ISC poll feature we have on the index page... other odd thing was that these two requests came in very close to each other but look very different. If you look at the two IP addresses (91.214.45.223 and 212.117.165.179), it turns out that both are part of AS 5577, a network registered in Luxembourg. Further, looking up these addresses in Threatstop's "checkip" feature [1] shows that these are suggested to be part of the Russian Business Network... Got quite a few hits like that from AS 5577 hosts*..."
    (More detail at the ISC URL above.)

    [1] http://threatstop.com/checkip

    * http://www.google.com/safebrowsing/d...c?site=AS:5577


  8. #18
    AplusWebMaster (Adviser Team)

    Mariposa botnet is alive ...

    FYI...

    Mariposa botnet is alive...
    - http://blog.trendmicro.com/mariposap...he-rise-again/
    May 25, 2011 - "... despite the Mariposa botnet takedown in early 2010, some of its command-and-control (C&C) servers are still very much alive. Our findings were further verified, as according to abuse.ch, there are currently 89 active Mariposa C&C servers. This number is also steadily growing, as we’ve found 116 active C&C servers as of this writing. The list even includes the infamous URL that was responsible for the botnet’s name — Mariposa. We checked out the variants that were causing the activity and found that although currently in-the-wild samples slightly differed from previous versions, their functions remained the same. WORM_PALEVO is a modularized bot mainly used to perform distributed denial-of-service (DDoS) attacks and to download other files. As a commercial bot, its modules can be separately bought should herders want to add features such as propagation, browser monitoring and hijacking, cookie stuffing, and flooding and download routines to their creations. The bots communicate with their C&C server using UDP, which firewall devices do not typically block..."
    > http://blog.trendmicro.com/wp-conten.../05/PALEVO.jpg


  9. #19
    AplusWebMaster (Adviser Team)

    FBI scrubbed 19,000 PCs snared by Coreflood botnet

    FYI...

    FBI scrubbed 19,000 PCs snared by Coreflood botnet
    - http://krebsonsecurity.com/2011/06/f...eflood-botnet/
    June 21, 2011 - "The FBI has scrubbed some 19,000 PCs that were infected with the Coreflood bot malware, the agency told a federal court last week. The effort is part of an ongoing and unprecedented legal campaign to destroy one of the longest-running and most menacing online crime machines ever built. In April, the Justice Department and the FBI were granted authority to seize control over Coreflood, a criminal botnet that enslaved millions of computers. On April 11, 2011, the U.S. Attorney’s Office for the District of Connecticut was granted authority to seize 29 domain names used to control the daily operations of the botnet, and to redirect traffic destined for the control servers to a substitute server that the FBI controlled. More significantly, the FBI was awarded a temporary restraining order allowing it to send individual PCs infected with Coreflood a command telling the machines to stop the bot software from running..."
    > http://krebsonsecurity.com/wp-conten...odjune2011.jpg

    - http://www.secureworks.com/research/...reflood-report
    August 6, 2008


  10. #20
    AplusWebMaster (Adviser Team)

    Butterfly botnet - steals financial information

    FYI...

    Butterfly botnet - steals financial information
    - http://www.darkreading.com/taxonomy/...e/id/231000729
    June 29, 2011 - "A financial-fraud botnet built with the same malware kit used in the now-defunct Mariposa botnet remains active after arrests this month of two Eastern European men who allegedly ran it. Researchers at Unveillance, Panda Labs, and Damballa have been studying the botnet, which has been dubbed "EvilFistSquad" by Damballa and "Metulji" by Unveillance and Panda, for some time now. Unveillance and Panda Labs today announced that the botnet has hit businesses and individuals across 172 or more countries, including the U.S., Russia, Brazil, China, Great Britain, India, and Iran. The botnet uses the Butterfly Bot Kit, a.k.a. Palevo, Pilleuz, and Rimecud, the malware that was used by the Mariposa botnet... researchers say the new Metulji/EvilFistSquad botnet uses Butterfly Bot malware to infect its victims, and then steals bank account credentials and other personal information. The worm spreads via removable drives, namely USB sticks. The researchers say that while some of the botnet's domains were taken down, several other domains are still up, running, and harvesting stolen information from victim machines..."

