
Thread: Pandemic of the botnets 2012 ...

  1. #31
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    ZeroAccess botnet ...

    FYI...

    ZeroAccess botnet ...
    - http://www.f-secure.com/weblog/archives/00002430.html
    Sep 20, 2012 - "... ZeroAccess is a very large botnet and there are millions of infections globally. Here's the USA:
    > http://www.f-secure.com/weblog/archi...USA756x464.png
    ... Here's Europe:
    > http://www.f-secure.com/weblog/archi...ope756x464.png ..."

    - http://nakedsecurity.sophos.com/2012...net-uncovered/
    Sep 19, 2012 - "... ZeroAccess* uses a peer-to-peer network to download plugin files which carry out various tasks designed to generate revenue for the botnet owners. Our researchers monitored this network for a period of two months to discover where in the world the peers were located and what kind of files the botnet was being instructed to download. We found the IP addresses of infected machines from a total of 198 countries... Our research has discovered that the ZeroAccess botnet is currently being used for two main purposes: Click fraud and Bitcoin mining..."
    * https://sophosnews.files.wordpress.c...e001.jpg?w=640

    - https://isc.sans.edu/diary.html?storyid=12079
    Last Updated: 2011-11-22 - "... The following tools were tested and worked quite fine against ZeroAccess. Kaspersky TDSSKiller has a good feature to offer a quarantine option if you want.
    Kaspersky: http://support.kaspersky.com/downloa...tdsskiller.zip
    WebRoot: http://anywhere.webrootcloudav.com/antizeroaccess.exe
    McAfee: http://vil.nai.com/images/562354_4.zip
    Ah yes, remember that it will be cleaning one trojan, and that you still have at least a ZeuS running on the system..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #32
    AplusWebMaster (Adviser Team)

    New DIY DDoS-bot spotted in-the-wild

    FYI...

    New Russian DIY DDoS-bot spotted in-the-wild
    - http://blog.webroot.com/2012/09/28/n...d-in-the-wild/
    Sep 28, 2012 - "... a recently released DIY DDoS bot, which according to its author is a modification of the Dirt Jumper DDoS bot*.
    More details:
    Sample screenshot of the command and control interface of the Russian DIY DDoS Bot:
    > https://webrootblog.files.wordpress....dos_bot_01.png
    ... The bot supports SYN flooding, HTTP flooding, POST flooding and the special Anti-DDoS protection type of flooding. It has also built-in anti-antivirus features allowing it to avoid detection by popular host-based firewalls, next to a feature allowing it to detect and remove competing malware bots from the system, preserving its current state for the users of the bot. Moreover, according to its author, it will not work under a virtual machine, preventing potential analysis of the malicious binaries conducted by a malware researcher. Another interesting feature is the randomization of the HTTP requests using multiple user-agents in an attempt to trick anti-DDoS protection on the affected hosts. Apparently, the coder behind this malware bot claims to have the source code of the Dirt Jumper DDoS kit, which we cannot verify for the time being given the fact that the source code for this bot isn’t currently circulating in the wild, and that there are zero advertisements within the cybercrime ecosystem offering to sell access to it..."
    * http://ddos.arbornetworks.com/2012/0...ingly-popular/

    Last edited by AplusWebMaster; 2012-09-28 at 19:57.

  3. #33
    AplusWebMaster (Adviser Team)

    Botmasters recruited for attack on Banks ...

    FYI...

    Botmasters recruited for attack on Banks ...
    - http://blogs.rsa.com/rsafarl/cyber-g...nst-u-s-banks/
    Oct 4, 2012 - "... a cyber gang has recently communicated its plans to launch a Trojan attack spree on 30 American banks as part of a large-scale orchestrated crimeware campaign. Planned for this fall, the blitzkrieg-like series of Trojan attacks is set to be carried out by approximately 100 botmasters. RSA believes this is the making of the most substantial organized banking-Trojan operation seen to date. By analyzing the details of the gang’s announcement, RSA has managed to link the cybergang’s weapon of choice to a little-known, proprietary Gozi-like Trojan, which RSA has dubbed “Gozi Prinimalka”... According to underground chatter, the gang plans to deploy the Trojan in an effort to complete fraudulent wire transfers via Man-In-The-Middle (MiTM) manual session-hijacking scenarios. Previous incidents involving this Trojan, handled by RSA and other information security vendors, appear to corroborate the gang’s claims that since 2008 their Trojan has been at the source of siphoning US$5 Million from American bank accounts. Gozi Prinimalka’s similarity to the Gozi Trojan, both in technical terms and its operational aspects, suggests that the HangUp Team — a group that was previously known to launch Gozi infection campaigns — or a group closely affiliated with it, may be the troupe behind this ambitious scheme. If successfully launched, the full force of this mega heist may only be felt by targeted banks in a month or two... This cyber intelligence notice is based upon ongoing research and analysis by the RSA FraudAction research team. As part of our ongoing cooperation with the security community, RSA has shared details of this information with U.S. law enforcement as well as with its RSA FraudAction Global Blocking Network partners and security teams from the partially known list of potential target U.S. banks. Still, it’s important to note that cyber criminals often make claims they do not necessarily act upon... Security teams should consider the potential urgency and applicability of this intelligence within their specific organization’s threat matrix and risk profile."
    ___

    Akamai attack monitor:
    - http://www.akamai.com/html/technology/dataviz1.html
    Oct 6, 2012 15:07 ET
    50.5% above normal...
    ___

    Automated Toolkits named in massive DDoS attacks against U.S. Banks
    - https://threatpost.com/en_us/blogs/a...s-banks-100212
    Oct 2, 2012

    - http://atlas.arbor.net/briefs/index#-1177347673
    Severity: High Severity
    Oct 01, 2012
    Heavy DDoS attacks on banks have taken place. Attribution is uncertain.
    Analysis: The attackers used a PHP-based botnet for most of the attacks. The attacks were typically sourced from compromised web applications running vulnerable PHP code. The attackers typically upload a "web shell" to such a vulnerable site and then are able to upload, download and perform other operations on the system. Since such server systems typically have more bandwidth than the usual malware target (a Windows system on a broadband line) the attackers are able to increase their attack volume a great deal more quickly than through the use of windows malware.
    Source: http://money.cnn.com/2012/09/27/tech...cks/index.html

    Last edited by AplusWebMaster; 2012-10-06 at 22:10.

  4. #34
    AplusWebMaster (Adviser Team)

    ZeroAccess P2P - not C&C ...

    FYI...

    ZeroAccess P2P - not C&C
    - http://blog.trendmicro.com/trendlabs...-bkdr_zaccess/
    Nov 6, 2012 - "... ZACCESS, which is also known as ZeroAccess or SIREFEF. It can push fake applications and other malware onto infected systems, while using its rootkit capabilities to hide from detection. The table below shows Japan places 2nd in terms of infection ranking, followed by US. In fact, Japan Regional TrendLabs received a lot of queries from our customers, which also triggered our in-depth analysis.
    > http://blog.trendmicro.com/trendlabs...cess-chart.png
    Backdoors typically establish each session by connecting from affected PCs to command-and-control (C&C) servers in order to receive commands from attackers. However, it’s not the case that a corresponding session is established from the C&C servers to affected PCs. Based on our analysis of BKDR_ZACCESS, it establishes bidirectional connections with other infected machines using its P2P functionality. This helps reduce the load on its C&C servers, as well as making the network more robust against a potential takedown of its C&C servers. This allows it to send and receive commands between affected PCs and not using any C&C servers.
    > http://blog.trendmicro.com/trendlabs...ZACCESSp2p.jpg
    Because of this, BKDR_ZACCESS can be both a “client” and a “server”. When a PC affected by BKDR_ZACCESS functions as a server, it sends commands or other malware as if it were a C&C server. On the other hand, when it functions as a client, it connects to the IP addresses of affected PCs in its configuration file and updates the file. It can then attempt to download and execute other malware. Thus, once infected by BKDR_ZACCESS, affected users can spread infections to other affected PCs. At the same time, they are affected by this malware as a victim... there were a total of almost 35 million active connections between the servers and affected PCs... Some variants of ZACCESS can send spam mails. It is possible that this number is in some underground markets related to cybercrime. In addition, the attackers can use this number to gauge which tactics are successful in infecting users..."


  5. #35
    AplusWebMaster (Adviser Team)

    Botnet hidden in Tor network

    FYI...

    Botnet hidden in the Tor network
    - http://h-online.com/-1765530
    10 Dec 2012 - "The Security Street blog* has found a botnet client, the operator of which is hiding behind the Tor network. This trick makes the work of security experts and criminal prosecutors much more difficult. The malicious botnet software, called "Skynet", is a trojan that Security Street found on Usenet. At 15MB, the malware is relatively large and, besides junk files intended to cover up the actual purpose of the download file, includes four different components: a conventional Zeus bot, the Tor client for Windows, the CGMiner bitcoin tool and a copy of OpenCL.dll, which CGMiner needs to crack CPU and GPU hashes..."
    (More detail at the h-online URL above.)

    * https://community.rapid7.com/communi...ht-from-reddit


  6. #36
    AplusWebMaster (Adviser Team)

    Spambot Kelihos update ...

    FYI...

    Spambot Kelihos update ...
    - https://www.abuse.ch/?p=4878
    Dec 10, 2012 - "... a Spambot that was shut down in September 2011 by Microsoft, but came back in January 2012. Various security researchers believe that Kelihos (also known as Hlux) is the replacement of the famous Storm Worm, which was active in 2007 and replaced by Waledac in 2009...
    Infecting removable drives: ... Kelihos now has the capability to spread via removable drives, like USB sticks. The Kelihos gang implemented this feature on 2012-10-10...
    Switching from .eu to .ru: Back in March 2012, Kelihos used a huge list of different domain names to spread itself and to provide fresh binaries (bot updates) to the botnet. In summer 2012 the Kelihos gang switched from TLD .eu to TLD .ru...
    The rise of Kelihos: If we take a look at the global spam statistics today, the Kelihos gang has managed to get one of the biggest spam botnets worldwide with 100k – 150k unique spamming IP addresses per day. In fact, Kelihos is as active as the famous Festi and Cutwail botnets, which have more or less the same number of spamming IP addresses per day. But what makes Kelihos so successful? First of all, Kelihos is not easy to shut down since it is using double FastFlux for their malware distribution domains and relies on P2P techniques for botnet communication. So there is no central botnet infrastructure. By adding the possibility to spread via removable drives, Kelihos also has a very effective way to spread itself across networks and computers even without the need of a central (distribution) infrastructure. Last but not least, the infection binaries associated with Kelihos I’ve seen so far have a very poor AV detection rate...
    So what can a network administrator do to mitigate this threat?
    • Since Kelihos is using port 80 (usually used by the HTTP protocol) to communicate with the P2P drones, you should restrict outbound connections to port 80 TCP and implement a web proxy with protocol inspection capabilities (so that non-HTTP and non-HTTPs traffic that tries to go through the proxy gets blocked, and alerted on)
    • Patch Windows (run Windows Update) to avoid exploitation through CVE-2010-2568
    • Use port security on your devices to limit the usage of removable drives and prevent Kelihos from spreading through USB sticks etc
    • Restrict outbound SMTP connections (port 25 TCP) to prevent Kelihos from sending out spam mails
    • Restrict access to domain names hosted on dynamic IP addresses and/or whose DNS servers are hosted on dynamic IP addresses by using DNS RPZ* ..."
    * http://www.isc.org/community/blog/20...ing-back-dns-0

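    Added example, not taken from the abuse.ch post or from this thread: a small Python egress-policy check that applies the network-side mitigations in the Kelihos list above (non-HTTP/non-TLS payloads on tcp/80 and tcp/443, outbound SMTP from hosts that are not mail relays, and destinations that an RPZ feed would block) to flow records. The relay list, the RPZ zone, the `Flow` record layout and all sample flows are constructed assumptions for the example; a real deployment would feed it records from a proxy or network sensor.

```python
"""Egress policy check modelled on the Kelihos mitigation list (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical policy inputs, constructed for this example.
MAIL_RELAYS = {"10.0.0.25"}                # the only hosts allowed to speak SMTP outbound
RPZ_BLOCKED_ZONES = {"dyn-example.test"}   # zones an RPZ feed would rewrite to NXDOMAIN

# A genuine HTTP client starts with a request line; anything else on tcp/80 is suspect.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) \S+ HTTP/1\.[01]\r\n"
)
# A TLS ClientHello begins with record type 22 (handshake) and major version 3.
TLS_HANDSHAKE_PREFIX = b"\x16\x03"


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes                  # first client->server bytes, as a proxy or sensor sees them
    dst_name: Optional[str] = None  # DNS name the client resolved for dst, if known


def looks_like_http(payload: bytes) -> bool:
    return HTTP_REQUEST_LINE.match(payload) is not None


def looks_like_tls(payload: bytes) -> bool:
    return payload.startswith(TLS_HANDSHAKE_PREFIX)


def in_rpz(name: str) -> bool:
    """True if the name or any parent zone is on the RPZ block list."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in RPZ_BLOCKED_ZONES for i in range(len(labels)))


def evaluate(flow: Flow) -> List[str]:
    """Return the policy findings for one flow; an empty list means the flow is allowed."""
    findings: List[str] = []
    if flow.dport == 80 and not looks_like_http(flow.payload):
        findings.append("non-HTTP payload on tcp/80")
    if flow.dport == 443 and not looks_like_tls(flow.payload):
        findings.append("non-TLS payload on tcp/443")
    if flow.dport == 25 and flow.src not in MAIL_RELAYS:
        findings.append("outbound SMTP from non-relay host")
    if flow.dst_name and in_rpz(flow.dst_name):
        findings.append(f"destination {flow.dst_name} is RPZ-blocked")
    return findings


def audit(flows: List[Flow]) -> Dict[Tuple[str, str, int], List[str]]:
    """Map each flow's (src, dst, dport) to its findings."""
    return {(f.src, f.dst, f.dport): evaluate(f) for f in flows}


# Constructed sample flows: one clean web request, one opaque binary stream on tcp/80,
# SMTP from a workstation and from the relay, and TLS to a name inside the RPZ zone.
SAMPLE_FLOWS = [
    Flow("10.0.1.5", "198.51.100.7", 80,
         b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n", "www.example.com"),
    Flow("10.0.1.6", "203.0.113.9", 80, b"\x01\x00\x00\x2a\x8b\x10" + bytes(26)),
    Flow("10.0.1.6", "203.0.113.10", 25, b"EHLO 10.0.1.6\r\n"),
    Flow("10.0.0.25", "203.0.113.11", 25, b"EHLO mail.example.com\r\n"),
    Flow("10.0.1.7", "203.0.113.12", 443,
         TLS_HANDSHAKE_PREFIX + b"\x01\x00\x00\x00", "update.dyn-example.test"),
]

if __name__ == "__main__":
    for key, findings in audit(SAMPLE_FLOWS).items():
        print(key, findings or "allowed")
```

    The check only looks at the first bytes of each connection, which is what a protocol-inspecting proxy does in practice; flows that fail the request-line or ClientHello test are the ones to alert on, and the RPZ test shows how a name-based block complements the port-based rules.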

  7. #37
    AplusWebMaster (Adviser Team)

    Butterfly botnet takedown

    FYI...

    Butterfly botnet takedown
    - https://www.fbi.gov/news/pressrel/pr...tterfly-botnet
    Dec 11, 2012 - "The Department of Justice and the FBI, along with international law enforcement partners, announced the arrests of 10 individuals from Bosnia and Herzegovina, Croatia, Macedonia, New Zealand, Peru, the United Kingdom, and the United States and the execution of numerous search warrants and interviews. The operation identified international cyber crime rings that are linked to multiple variants of the Yahos malicious software, or malware, which is linked to more than 11 million compromised computer systems and over $850 million in losses via the Butterfly Botnet, which steals computer users’ credit card, bank account, and other personal identifiable information... Facebook’s security team provided assistance to law enforcement throughout the investigation by helping to identify the root cause, the perpetrators, and those affected by the malware..."
    ___

    - http://h-online.com/-1768325
    13 Dec 2012

    Last edited by AplusWebMaster; 2012-12-13 at 20:25.

  8. #38
    AplusWebMaster (Adviser Team)

    Feds convict stock Scammers... overlook Spammers

    FYI...

    Feds convict Stock Scammers ...
    - https://krebsonsecurity.com/2012/12/...look-spammers/
    Dec 13, 2012 - "On Wednesday, the U.S. Justice Department announced that it had obtained convictions against a cybercrime gang that committed securities fraud through the use of botnets and spam. Oddly enough, none of the botmasters or spammers who assisted in the scheme were brought to justice or identified beyond their hacker handles... The defendants who pleaded or were found guilty in this case were convicted of orchestrating “pump-and-dump” stock scams. These are schemes in which fraudsters buy up low-priced stock, blast out millions of spam e-mails touting the stock as a hot buy and then dump their shares as soon as the share price ticks up from all of the spam respondents buying into the scam. A press release from the U.S. Attorney for the District of New Jersey* noted that the ringleader of the scam, 44-year-old Christopher Rad, of Cedar Park, Texas, communicated with the spammers via Skype, addressing them by their hacker aliases, such as 'breg', 'ega', 'billybob6001' and 'be3ez12'... It’s not clear yet what botnet or other method Rahul/be3ez12 used to blast out his spam during the time he allegedly aided in these stock scams..."
    * http://www.justice.gov/usao/nj/Press...dict%20PR.html
    "... conspiracy to commit securities fraud..."

  9. #39
    AplusWebMaster (Adviser Team)

    'Droid botnet discovered across all major networks

    FYI...

    Android botnet discovered across all major networks
    - http://bgr.com/2012/12/18/android-spam-botnet-257993/
    Dec 18, 2012 - "A new Android spam botnet has been discovered across all major networks that sends thousands of text messages -without- a user’s permission, TheNextWeb reported. The threat, which is known as SpamSoldier, was detected on December 3rd by Lookout Security* in cooperation with an unnamed carrier partner. The malware is said to spread through a collection of infected phones that send text messages, which usually advertise free versions of popular paid games like Grand Theft Auto and Angry Birds Space, to hundreds of users each day. Once a user clicks on the link to download the game, his or her phone instead downloads the malicious app. When the app is downloaded, SpamSoldier removes its icon from the app drawer, installs a free version of the game in question and immediately starts sending spam messages. The security firm notes that the threat isn’t widespread; however, it has been spotted on all major carriers in the U.S. and has potential to do serious damage..."
    * https://blog.lookout.com/blog/2012/1...t-spamsoldier/
    "... Consistent with CloudMark’s analysis**, we’ve seen a number of different spam campaigns active..."
    ** http://blog.cloudmark.com/2012/12/16...s-spam-botnet/
    "... The trojan apps were downloaded from sites on a server in Hong Kong offering free games. They claimed to be copies of popular games:
    > http://blog.cloudmark.com/wp-content...3.39.41-PM.png
    ... you have to jump through some hoops to install an Android app from a random web site rather than Google Play...
    > http://blog.cloudmark.com/wp-content...3.15.15-PM.png
    ...Don’t do this..."
    ___

    - http://h-online.com/-1772079
    19 Dec 2012

    Last edited by AplusWebMaster; 2012-12-19 at 17:44.
