Page 1 of 4 1234 LastLast
Results 1 to 10 of 39

Thread: Pandemic of the botnets 2012 ...

  1. #1
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Pandemic of the botnets 2012 ...

    FYI...

    Etrade DDoS attack ...
    - http://www.theregister.co.uk/2012/01...n_ddos_attack/
    January 5, 2012 - "... online broker ETrade, has been the target of a sustained malicious offshore generated cyber attack. The denial-of-service attack resulted in thousands of emails flooding the broking site, prompting a cessation of services from Christmas Eve to the New Year period. According to a Fairfax report*, offshore Etrade clients were the worst affected with some countries unable to access accounts for almost two weeks. An ETrade spokesperson confirmed that while overseas clients were more profoundly affected, Australian clients had intermittent access to their accounts... The Sydney Morning Herald reported** that St George customers were also affected by the attack as its online trading service is supplied by Etrade."
    * http://www.theage.com.au/business/cy...104-1pl3x.html
    January 5, 2012
    ** http://www.smh.com.au/business/st-ge...105-1pmrs.html
    January 6, 2012

    - http://www.theage.com.au/business/cy...104-1pl3x.html
    Jan 5, 2012 - "... While a denial-of-service attack prevents customers and the business from trading, it can also mask other illegal activities. Observers say businesses that have denial-of-service attacks not only lose the value of the business they would have conducted but also goodwill and reputation with the customer base..."

    Global Denial of Service
    - http://atlas.arbor.net/summary/dos
    Summary Report - (Past 24 hours)

    Last edited by AplusWebMaster; 2012-01-07 at 00:05.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Carberp on Facebook

    FYI...

    Carberp on Facebook
    - http://www.theregister.co.uk/2012/01...cash_facebook/
    January 18, 2012 - "... Carberp, like its predecessors ZeuS and SpyEye, infects machines by tricking punters into opening PDFs and Excel documents loaded with malicious code, or attacks computers in drive-by downloads. The hidden malware is designed to steal account information, and harvest credentials for email and social-networking sites. A new configuration of the Carberp Trojan targets Facebook users to ultimately steal e-cash vouchers. Previous malware attacks on Facebook have been designed purely to slurp login info, so this latest skirmish, spotted by transaction security firm Trusteer*, can be considered something of an escalation. The Carberp variant replaces any Facebook page the user navigates to with a -fake- page notifying the victim that their Facebook account is temporarily locked. Effectively holding Facebook users hostage, the page asks the mark for their first name, last name, email, date of birth, password and a Ukash 20 euro ($25) voucher number to verify their identity and unlock the account... Trusteer warns the cash voucher attack is in some ways worse than credit card fraud, because with e-cash it is the account-holder, -not- the financial institution, who assumes the liability for fraudulent transactions..."
    * http://www.trusteer.com/blog/carberp...facebook-users

    Bot blackmails Facebook users
    - http://h-online.com/-1417073
    19 January 2012 >> http://www.h-online.com/security/new...ew=zoom;zoom=1
    ___

    Some Botnet Stats
    - http://www.abuse.ch/?p=3294

    Lies, Damn Lies, and Botnet Size
    - http://www.shadowserver.org/wiki/pmw...endar/20100705

    Last edited by AplusWebMaster; 2012-01-20 at 15:51.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  3. #3
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Lightbulb Koobface goes silent...

    FYI...

    Koobface goes silent...
    - http://www.reuters.com/article/2012/...80I05720120119
    18 January 2012 - "... a pair of researchers on Tuesday published the names, aliases and photographs of a gang they accused of running a criminal enterprise known as Koobface that had primarily targeted Facebook after it cropped up in 2008. German security researchers Jan Droemer and Dirk Kollberg said that servers that ran the Koobface operation stopped responding on Tuesday morning after they released an in-depth report via Kollberg's employer, the UK anti-virus software maker Sophos*... the Koobface gang had continued to target other social networks as a long-running FBI probe failed to result in arrests in Russia... None of the five alleged members of the hacking group could immediately be traced to the reported office addresses or phone numbers in St Petersburg, Russia... The two German researchers said they suspected that the hackers had been working out of a third location in St. Petersburg..."
    * http://nakedsecurity.sophos.com/2012...gang-unmasked/
    January 17, 2012

    - https://www.nytimes.com/2012/01/17/t...ref=technology
    January 16, 2012 - "... These groups tend to operate in countries where they can work unmolested by the local authorities, and where cooperation with United States and European law enforcement agencies is poor... Russia, in particular, has a reputation as a hacker haven, although it has pursued several prominent cases against spammers recently..."
    ___

    Kelihos botnet -aka- Waledac
    - http://blogs.technet.com/b/microsoft...ihos-case.aspx
    23 Jan 2012 - "... Although the Kelihos botnet remains inactive since the successful takedown in September, thousands of computers are still infected with its malware. Please visit: http://www.support.microsoft.com/botnets for free information and tools to clean your computer from malicious software..."

    - https://krebsonsecurity.com/2012/01/...ntivirus-firm/
    January 24, 2012
    - http://www.gfi.com/blog/the-microsof...ngo-continues/
    January 24, 2012

    Last edited by AplusWebMaster; 2012-01-24 at 11:21.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  4. #4
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Carberp targets French broadband users

    FYI...

    Carberp targets French broadband users...
    - https://www.trusteer.com/blog/intern...nd-subscribers
    January 25, 2012 - "... recently discovered a configuration of Carberp that targets Free, a French broadband Internet service provider (ISP). The attack is designed to steal debit card and bank information using a Man in the Browser (MitB) attack. Free offers an ADSL service, called Freebox, to its customers. When subscribers visit their online account page Carberp launches an HTML Injection attack after the user has logged-in. The victim is presented with a page that claims Free is having a problem processing their monthly subscription payments with the financial institution, and requests that the user update their payment account details... The malware then asks the user to submit their payment card number, expiration date, security code (CVV2), bank name, bank address, zip code and city. The victim is told that this information must be updated in order to make monthly payments and maintain their service... This latest Carberp attack is another example of fraudsters moving downstream from online banking applications to web sites that process debit and credit card payments. By launching MitB attacks that target customers of third party service providers, rather than the banks themselves, fraudsters can prey on the trust established between the victim and a non-financial entity like an ISP..."

    - http://www.infosecurity-magazine.com...e-on-the-rise/
    18 January 2012

    - http://www.microsoft.com/security/po...chdetails_link
    ___

    - http://blog.eset.com/2012/01/26/face...rberp-activity
    Jan 26, 2012 - "... According to our data Carberp’s main activity is confined to the region of Russia and the former Soviet republics, and this activity centered on fraud targeting the major Russian banks and stealing money from RBS (Remote Banking Service) systems... The Russian Federation is the country where the largest number of installations of Carberp has been seen*... Another interesting fact concerns a new DDoS plugin (Win32/Mishigy.AB) for Carberp. This DDoS plugin was developed in Delphi 7 and based on the network components from the Synapse TCP/IP library. Synapse components are very popular among cybercriminals for the creation of DDoS bots... Carberp is one of the biggest botnets in Russian Federation and total number of active bots is estimated to number millions of infected hosts..."
    * http://blog.eset.com/wp-content/medi...at_country.png

    Last edited by AplusWebMaster; 2012-01-26 at 21:13.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #5
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Drive-by downloads and Blackhole

    FYI...

    Drive-by downloads and Blackhole
    - http://www.sophos.com/en-us/security...t/html-09.aspx
    26 Jan 2012 - "... The most popular drive-by malware we’ve seen recently is called Blackhole. It’s marketed and sold to cybercriminals in a typical professional crimeware kit that provides web administration capabilities. But it offers sophisticated techniques to generate malicious code. And it’s very aggressive in its use of server-side polymorphism and heavily obfuscated scripts to evade antivirus detection. The end result is that Blackhole is particularly insidious... Blackhole mainly spreads malware through compromised websites that redirect to an exploit site, although we’ve also seen cybercriminals use -spam- to redirect users to these sites. This year we’ve seen numerous waves of attacks against thousands of legitimate sites. We’ve also noticed cybercriminals abusing a number of free hosting sites to set up new sites specifically to host Blackhole. Just like the Blackhole kit itself, the code injected into the legitimate sites is heavily obfuscated and polymorphic, making it harder to detect. The typical payloads we see from Blackhole exploit sites include:
    Bot-type malware such as Zbot (aka Zeus)
    Rootkit droppers (for example TDL and ZeroAccess)
    Fake antivirus
    Typically, the malware on these sites target Java, Flash and PDF vulnerabilities. At SophosLabs we saw a continual bombardment of new PDF, Flash, Java and JavaScript components each day for several months at the end of 2011. We’ve seen a huge rise in the volume of malicious Java files, virtually all of it from exploit sites such as Blackhole..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #6
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Spearphishing attacks - gov't related targets worldwide

    FYI...

    Spearphishing attacks - gov't related targets worldwide
    Malware backdoors government-targeted kit 'using Adobe 0-days'
    - http://www.theregister.co.uk/2012/02...phishing_rats/
    1 Feb 2012 - "... spearphishing attempts, which have been levied against several government-related organisations worldwide, try to use alleged unfixed security flaws in Adobe software to implant a Trojan on compromised machines - ultimately opening a backdoor for hackers to take over systems. Once loaded, the malware also cunningly attempts to escape detection by posing as a benign Windows Update utility..."

    > http://blog.seculert.com/2012/01/msu...ce-invite.html
    Jan 31, 2012 - "... Seculert and Zscaler identified similar command and control (C&C) beacon patterns... matching the domain registration info of some of the C&C observed (for example, siseau .com, vssigma .com, etc.), we linked the new "MSUpdater" Trojan to previous attacks, probably conducted by the same group... The targeted attacks... share a few similar technical parameters (thus, regarded as created by the same group of attackers) arrive in emails with a malicious PDF attachment..."

    > http://research.zscaler.com/2012/01/...-targeted.html
    Jan 31, 2012 - "... we analyzed the incidents that we observed and those published in the open-source to identify attack patterns and incidents from early 2009 to present... The threat arrives in phishing emails with a PDF attachment, possibly related to conferences for the particular targeted industry. The PDF exploits a vulnerability within Adobe (for example, a 0-day exploit was used against CVE-2010-2883) which then drops a series of files to begin communicating with the command and control (C&C)... The malware dropped and launched from the PDF exploit has been seen to be virtual machine (VM) aware in order to prevent analysis within a sandbox. The Trojan functionality is decrypted at run-time, and includes expected functionality, such as, downloading, uploading, and executing files driven by commands from the C&C. Communication with the C&C is over HTTP but is encoded to evade detection. The Trojan file name (e.g., "msupdate.exe") and the HTTP paths used in the C&C (e.g., "/microsoftupdate/getupdate/default.aspx") are used to stay under the radar by appearing to be related to Microsoft Windows Update - hence the name given to this Trojan. Correlating this information with open-source intelligence (OSINT), we were able to find other reports of this Trojan within past targeted incidents, as well as a link to other incidents and compromise indicators..."
    ___

    - http://www.h-online.com/security/new...ew=zoom;zoom=1
    3 February 2012

    Last edited by AplusWebMaster; 2012-02-03 at 22:57.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #7
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Kelihos botnet ...

    FYI...

    Kelihos botnet remains very much dead after all
    - http://arstechnica.com/business/news...-after-all.ars
    Feb 3, 2012
    ___

    Kelihos botnet resurrected...
    - http://arstechnica.com/business/news...-the-grave.ars
    Feb 1, 2012 - "A botnet capable of delivering almost four billion spam messages per day has been confirmed resurrected more than four months after Microsoft celebrated its untimely demise. Researchers with Kaspersky Lab* reported on Tuesday that Kelihos, a peer-to-peer botnet that also goes by the name Hlux, continues to spew spam in a variety of languages...
    Update: After this article was published, Microsoft sent the following statement:
    "... Microsoft is working with Kaspersky to investigate this question and will provide more information when it becomes available..."
    * http://www.securelist.com/en/blog/65...new_techniques
    Jan 31, 2012

    Last edited by AplusWebMaster; 2012-02-06 at 23:24.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  8. #8
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Cellphone bots ...

    FYI...

    Cellphone bots ...
    - http://www.symantec.com/connect/blog...-mobile-botnet
    Updated: 09 Feb 2012 - "... The -malware- was discovered on a third party marketplace (not the Android Market) and is bundled with a legitimate application for configuring phone settings. Trojanized applications are a well known infection vector for Android malware... the total number of infected devices connected to the botnet over its entire life span numbered in the hundreds of thousands... the botmaster has been operating at these rates since September 2011. The botnet targets mobile users in China... Revenue generation through premium SMS, telephony, and video services is also limited to the networks of China's two largest mobile carriers... Upon running the Trojanized application, -both- the original clean software and a malicious application (Android.Bmaster*) are installed. Once the malware is installed, an outbound connection from the infected phone to a remote server is generated... SMS numbers in China tend to cost around $0.15 to $0.30 per message, and while this may not seem particularly expensive, it quickly adds up when you factor in the number of the active, infected devices on the botnet and how most users likely would not notice the infection right away. Taking our two example dates as the lower and upper bounds of the number of active infected devices, we can see the botmaster is generating anywhere between $1,600 to $9,000 per day and $547,500 to $3,285,000 per year the botnet is running..."
    * http://www.symantec.com/security_res...020609-3003-99

    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2011-1823
    Last revised: 09/07/2011
    CVSS v2 Base Score: 7.2 (HIGH)
    Impact Type: Provides administrator access, Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service...

    Last edited by AplusWebMaster; 2012-02-11 at 19:51.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  9. #9
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Citadel botnets ...

    FYI...

    Citadel botnets... rapid growth
    - https://krebsonsecurity.com/2012/02/...itadel-trojan/
    Feb 9, 2012 - "... researchers there said that they’d observed at least five new versions of Citadel since first spotting the malware on Dec. 17, 2011. Seculert’s Aviv Raff said that means the miscreants behind Citadel are pushing out a new version of the Trojan about once a week..."
    - http://blog.seculert.com/2012/02/cit...e-project.html
    Feb 8, 2012 - "A few weeks ago, Brian Krebs reported* on Citadel, a new variant of the Zeus Trojan. Citadel creators decided to provide this new variant in a Software-as-a-Service (SaaS) model, which seems to be a rising trend in the cybercrime ecosystem... They created a social network that enables the customers of Citadel (other cybercriminals) to suggest new features and modules to the malware... Based on the fact that the Zeus source-code went public in 2011, the Citadel community indeed became active, and started contributing new modules and features. This recent development may be an indication of a trend in malware evolution - an open-source malware... Seculert's Research Lab discovered the first indication of a Citadel botnet on December 17th, 2011. The level of adoption and development of Citadel is rapidly growing, and since then Seculert has identified over 20 different Citadel botnets**..."
    ** http://3.bp.blogspot.com/-rL0YPxLvhH...tadelstats.png
    (Infection rate per country of several Citadel botnets, infecting over 100,000 machines)

    * https://krebsonsecurity.com/2012/01/...ticket-system/
    Jan 23rd, 2012 - "... Citadel may be the first notable progeny of ZeuS since the ZeuS source code was leaked online last year. The authors claim that it includes a number of bug fixes for the most recent ZeuS version, including full support for grabbing credentials from victims using Google Chrome. Also bundled with this update is a component that can record and transmit videos of the victim’s screen activity... The growth of a more real-time, user-driven and crowdsourced malicious software market would be a truly disturbing innovation..."

    Last edited by AplusWebMaster; 2012-02-20 at 19:21.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  10. #10
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Waledac malware returns... with password-stealing ...

    FYI...

    Waledac malware returns... with password-stealing ...
    - https://www.computerworld.com/s/arti...g_capabilities
    Feb 16, 2012 - "A new version of the Waledac malware has been spotted on the Internet, but unlike previous variants, which were mainly used for spamming purposes, this one steals various log-in credentials and BitCoins, a type of virtual currency... researchers from network security firm Palo Alto Networks announced in a blog post*... it also steals FTP, POP3 and SMTP user passwords, as well as .dat files for BitCoin wallets. This is the first time that Palo Alto Networks' firewall products have spotted Waledac-related activity since the original botnet was shut down two years ago... the new Waledac version is being distributed through Web sessions, probably with the help of exploits hosted on compromised websites..."
    * http://www.paloaltonetworks.com/rese...ore-than-spam/
    "... it is important to note that this is a -new- variant of the botnet, and not the original version..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •