
Thread: Pandemic of the botnets 2012 ...

  1. #11
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    DNS Changer working group ...

    FYI...

    DNS Changer working group ...
    - https://krebsonsecurity.com/2012/02/...hanger-trojan/
    "... Computers still infected with DNSChanger are up against a countdown clock. As part of the DNSChanger botnet takedown, the feds secured a court order to replace the Trojan’s DNS infrastructure with surrogate, legitimate DNS servers. But those servers are only allowed to operate until March 8, 2012. Unless the court extends that order, any computers still infected with DNSChanger may no longer be able to browse the Web... there are still -millions- of PCs infected with DNSChanger... Even if the DNS Changer working group manages to get the deadline extended, the cleanup process will likely take many years. At least, that’s been the experience of the Conficker Working Group, a similar industry consortium that was created to help contain and clean up infections from the infamous Conficker Worm. That working group was formed in 2009, yet according to the group’s latest statistics, nearly 3 million systems remain infected with Conficker. Given the Conficker Working Group’s experience, shutting down the surrogate DNS network on March 8 may actually be a faster — albeit more painful — way to clean up the problem... Home users can avail themselves of step-by-step instructions at this link* to learn of possible DNSChanger infections..."
    * DNS Changer Working Group (DCWG) - Checking for DNS Changer >> http://dcwg.org/checkup.html

    DNS Changer Eye Chart: http://dns-ok.us/

    Last edited by AplusWebMaster; 2012-02-20 at 16:23.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
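One way to automate the resolver check that the DCWG checkup page performs in the browser, as an added example that is not part of this post or of the DCWG's own tooling: it parses resolv.conf-style text and flags any configured nameserver that falls inside a known-rogue DNSChanger range. The rogue ranges below are labelled placeholders taken from RFC 5737 documentation space, because the real published ranges are not given on this page; the sample resolv.conf is constructed.

```python
import ipaddress

# PLACEHOLDER ranges (RFC 5737 documentation space). The authoritative list of
# DNSChanger rogue-resolver ranges published by the FBI/DCWG is not on this page;
# substitute it here before using the check for real.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def parse_resolvers(resolv_conf_text):
    """Return the nameserver addresses found in resolv.conf-style text.

    Comments and malformed entries are skipped rather than raising, so a
    partially damaged config still yields whatever can be checked.
    """
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # not an IP literal; ignore
    return servers


def check_resolvers(servers, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Map each resolver to the rogue range containing it, or None if clean.

    A hit means the host is still pointed at the (court-ordered surrogate)
    DNSChanger infrastructure and will lose name resolution when it is shut down.
    """
    findings = {}
    for ip in servers:
        hit = next((net for net in rogue_ranges if ip in net), None)
        findings[str(ip)] = str(hit) if hit is not None else None
    return findings


def is_suspect(resolv_conf_text):
    """Return (True/False, per-resolver findings) for a resolv.conf text."""
    findings = check_resolvers(parse_resolvers(resolv_conf_text))
    return any(v is not None for v in findings.values()), findings


# Constructed sample: one legitimate-looking resolver, one inside a placeholder range.
SAMPLE_RESOLV_CONF = """\
# generated by the ISP's DHCP client (constructed sample)
nameserver 192.0.2.53
nameserver 203.0.113.77
search example.net
"""

if __name__ == "__main__":
    suspect, findings = is_suspect(SAMPLE_RESOLV_CONF)
    for ip, hit in findings.items():
        print(f"{ip}: {'in rogue range ' + hit if hit else 'ok'}")
    print("SUSPECT: rogue resolver configured" if suspect else "clean")
```

On a real host, feed the function the contents of /etc/resolv.conf (or the DNS server list from your platform's network settings) and replace the placeholder ranges with the published list.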

  2. #12
    AplusWebMaster (Adviser Team)

    Cutwail botnet is back ...

    FYI...

    Cutwail botnet is back ...
    - http://h-online.com/-1437644
    20 Feb 2012 - "According to M86 Security*, the infamous Cutwail botnet (aka Pandex, Mutant and Pushdo) appears to have been reactivated... in the past few weeks they have registered several waves of HTML emails that were infected with malicious JavaScript and probably originated from Cutwail-infected PCs... the volume of infected emails was 50 times higher between 23 and 25 January, and three further waves from 6 February were found to be as much as 200 times higher. Infected emails had subject lines such as "FDIC Suspended Bank Account", "End of August Statement" and "Scan from Xerox WorkCentre". The embedded JavaScript code tries to inject malware into computers through various security holes in, for example, old versions of Acrobat Reader. In some cases, the "Cridex" data-stealing trojan has been installed. The botnet uses the "Phoenix Exploit Kit", which... achieves infection rates of more than fifteen per cent. In early January**, details of the operators of the Cutwail botnet became public."
    * http://labs.m86security.com/2012/02/...tachment-spam/

    ** http://h-online.com/-1403253


  3. #13
    AplusWebMaster (Adviser Team)

    DNS Changer - Surrogate servers Operation extension Request filed

    FYI...

    DNS Changer - Surrogate servers Operation extension Request filed
    - https://krebsonsecurity.com/2012/02/...ine-extension/
    Feb 22, 2012 - "... In a Feb. 17 filing with the U.S. District Court for the Southern District of New York, officials with the U.S. Justice Department, the U.S. Attorney for the Southern District of New York, and NASA asked the court to extend the March 8 deadline by more than four months to give ISPs, private companies and the government more time to clean up the mess. The government requested that the -surrogate- servers be allowed to stay in operation until July 9, 2012. The court has yet to rule on the request, a copy of which is available here (PDF)*... the six Estonian men arrested and accused of building and profiting from the DNSChanger botnet are expected to be extradited to face computer intrusion and conspiracy charges in the United States..."
    * http://krebsonsecurity.com/wp-conten...rextension.pdf
    ___

    DNS Changer Working Group (DCWG) - Check for DNS Changer >> http://dcwg.org/checkup.html

    DNS Changer Eye Chart:
    DNS configuration test pages (Eye-chart):
    http://dns-ok.de/
    http://dns-ok.fi
    http://dns.ax
    http://dns-ok.us ...
    ___

    - http://www.internetidentity.com/news...hanger-malware
    Feb 2, 2012 - "... IID found at least 250 of all Fortune 500 companies and 27 out of 55 major government entities had at least one computer or router that was infected with DNSChanger in early 2012..."

    - https://www.computerworld.com/s/arti...K_users_online
    Feb 22, 2012 - "... the substitute DNS servers were keeping an average of 430,000 unique IP addresses connected to the Web last month. Each IP address represented at least one computer, and in some cases, numerous machines..."

    Last edited by AplusWebMaster; 2012-03-06 at 03:00.

  4. #14
    AplusWebMaster (Adviser Team)

    DDoS attacks - H2 2011

    FYI...

    DDoS attacks - H2 2011
    - http://www.securelist.com/en/analysi..._in_H2_2011#p1
    02.22.2012 - "... launched from computers located in 201 countries around the world... DDoS attack sources have changed... new leaders: Russia (16%), Ukraine (12%), Thailand (7%) and Malaysia (6%)... zombie computers from 19 other countries ranges between 2% and 4%..."
    DDoS traffic sources by country – H2 2011: http://www.securelist.com/en/images/...m_pic04_en.png


  5. #15
    AplusWebMaster (Adviser Team)

    ZeuS-SpyEye P2P use – banking Trojans ...

    FYI...

    ZeuS-SpyEye P2P use – banking Trojans ...
    - http://www.theregister.co.uk/2012/02/27/p2p_zeus/
    27 Feb 2012 - "New variants of the Zeusbot/SpyEye cybercrime toolkit are moving away from reliance on command-and-control (C&C) servers towards a peer-to-peer architecture... Now cybercrooks have built functionality into Zeusbot/SpyEye that allows instructions to be distributed via P2P techniques as well, eliminating the need for C&C servers. Compromised systems are now capable of downloading commands, configuration files, and executables from other bots, a write-up by security researchers at Symantec explains*... tracking banking botnet activity and identifying the cybercrooks behind such networks is likely to become more difficult as a result of the architectural changes that have come with the latest version of ZeuS/SpyEye... Other changes to the malware creation toolkit include greater reliance on UDP communications – a stateless protocol that's harder to track and dump than TCP – as well as an extra encryption layer. Both ZeuS and SpyEye are best described as cybercrime toolkits that can be used for the creation of customised banking Trojans. The code base of the two former rivals was merged last year, leading to the creation of strains designed to target mobile banking customers..."
    * http://www.symantec.com/connect/blog...tifying-botnet


  6. #16
    AplusWebMaster (Adviser Team)

    DNS Changer gets extension for infected PCs fix...

    FYI...

    DNS Changer gets extension for infected PCs fix...
    - https://krebsonsecurity.com/2012/03/...-infected-pcs/
    Mar 6, 2012 - "Millions of PCs sickened by a global computer contagion known as DNSChanger were slated to have their life support yanked on March 8. But an order handed down Monday by a federal judge will delay that disconnection by 120 days to give companies, businesses and governments more time to respond to the epidemic. The reprieve came late Monday, when the judge overseeing the U.S. government’s landmark case against an international cyber fraud network agreed that extending the deadline was necessary “to continue to provide remediation details to industry channels approved by the FBI”..."
    ___

    DNS Changer Eye Chart:
    New: http://www.dcwg.org/detect/

    - https://www.us-cert.gov/current/#dnschanger_malware
    April 24, 2012
    ___

    Tool available for those affected by the DNS-Changer
    - https://www.avira.com/en/support-for...tail/kbid/1199
    Last updated: Feb 2, 2012 - "... a restart of Windows will be necessary after the execution of the tool and a successful repair."

    Download Avira DNS Repair-Tool
    - https://www.avira.com/files/support/...NSRepairEN.exe
    ___

    - https://www.us-cert.gov/current/arch..._click_malware
    updated March 7, 2012 - "... new deadline is July 9, 2012..."

    Last edited by AplusWebMaster; 2012-04-25 at 16:55.

  7. #17
    AplusWebMaster (Adviser Team)

    Zeus botnets disrupted ...

    FYI...

    Zeus botnets disrupted ...
    - https://blogs.technet.com/b/mmpc/arc...edirected=true
    25 Mar 2012 - "... This week, Microsoft has partnered with security experts and the financial services industry on a new action codenamed Operation b71* to disrupt some of the worst known botnets using variants of the notorious Zeus malware (which we detect as Win32/Zbot). Due to the complexities of these targets, unlike Microsoft’s prior botnet operations, the goal of this action was not the permanent shutdown of all impacted Zeus botnets. However, this action is expected to significantly impact the cybercriminals’ operations and infrastructure, advance global efforts to help victims regain control of their infected computers and also help further investigations against those responsible for the threat. The Zbot/Zeus threat has targeted the financial sector for quite some time... Millions of dollars of fraud are a result of this family of threat and it has taken cross-industry collaboration to take effective action against it. Microsoft has partnered with FS-ISAC, NACHA, Kyrus Tech, F-Secure and others to disrupt a large portion of the command and control infrastructure of various botnets using Zbot, Spyeye and Ice IX variants of the Zeus family of malware... MMPC is committed to partnering across the industry to help disrupt threats to the Internet and our customers. We will have more to share on Project MARS and related operations as we move forward."
    * https://blogs.technet.com/b/microsof...edirected=true

    - https://www.f-secure.com/weblog/archives/00002337.html
    March 26, 2012 - "... abuse.ch's ZeuS Tracker* is currently reporting 350 C&C servers online, so there's plenty more work to be done..."
    * https://zeustracker.abuse.ch/index.php
    ___

    - http://www.theinquirer.net/inquirer/...t-zeus-botnets
    Mar 26 2012 - "... Microsoft said it has detected more than 13 million suspected infections of this malware worldwide..."
    - http://www.theregister.co.uk/2012/03...tnet_takedown/
    March 26, 2012
    - https://www.nytimes.com/2012/03/26/t...ine-crime.html
    March 26, 2012

    Last edited by AplusWebMaster; 2012-03-27 at 12:04.

  8. #18
    AplusWebMaster (Adviser Team)

    Kelihos.B botnet sinkholed...

    FYI...

    Kelihos.B botnet sinkholed...
    - http://blog.crowdstrike.com/2012/03/...000-nodes.html
    March 28, 2012 - "... CrowdStrike has teamed up with security experts from Dell SecureWorks, the Honeynet Project and Kaspersky to take out a peer-to-peer botnet which we believe is the newest offspring of a family that has been around since 2007: Kelihos.B, a successor of Kelihos, Waledac and the Storm Worm. Traditionally, the botnets in this family are known for spamming, but the newest version is also capable of stealing bitcoin wallets from infected computers... Just like its brothers, Kelihos.B relies on a self-organizing, dynamic peer-to-peer topology to make its infrastructure more resilient against takedown attempts. It further uses a distributed layer of command-and-control servers with hosts registered in countries like Sweden, Russia, and Ukraine that are in turn controlled by the botmaster... We are working with our partners to inform ISPs about infections in their network and make sure that Kelihos.B remains safely sinkholed..."

    - https://krebsonsecurity.com/2012/03/...s-spam-botnet/
    March 28, 2012

    OS versions - botted w/Kelihos.B
    - https://www.securelist.com/en/images.../208193433.jpg
    Bot locations:
    - https://www.securelist.com/en/images.../208193434.jpg

    - http://www.darkreading.com/taxonomy/...e/id/232700418
    Mar 28, 2012

    - http://www.secureworks.com/research/...tnet_takeover/
    28 March 2012

    - https://www.virustotal.com/file/c696...3aae/analysis/
    File name: db95341667fb5e5553a1cb0113e21205
    Detection ratio: 13/42
    Analysis date: 2012-03-27 19:51:52 UTC
    - https://www.virustotal.com/file/9dae...da4c/analysis/
    File name: 84cbcfababd4eafd1a8a4872b9169362
    Detection ratio: 15/42
    Analysis date: 2012-03-27 20:06:04 UTC

    Last edited by AplusWebMaster; 2012-03-30 at 15:24.

  9. #19
    AplusWebMaster (Adviser Team)

    Kelihos.B - still live and social

    FYI...

    Kelihos.B - still live and social
    - http://blog.seculert.com/2012/03/kel...nd-social.html
    March 29, 2012 - "... Several weeks ago, Seculert discovered that Kelihos.B had found a new and "social way" to expand, using an already-known social worm malware*, but now it had started targeting Facebook users... Up to now Seculert has identified more than 70,000 Facebook users that are infected with the Facebook worm, and sending the malicious links to their Facebook friends...
    [Pie chart/infections by country]: http://3.bp.blogspot.com/-h4itoyKTpV...bwormstats.png
    ... at the time of this writing, Seculert can still see that Kelihos is being spread using the Facebook worm. Also, there is still communication activity of this malware with the Command-and-Control servers through other members of the botnet. This means that the Kelihos.B botnet is still up and running. It is continuously expanding with new infected machines, and actively sending spam. Some might call this "a new variant", or Kelihos.C. However, as the new infected machines are operated by the same group of criminals, which can also regain access to the sinkholed bots through the Facebook worm malware, we believe that it is better to still refer to this botnet as Kelihos.B."
    * http://blog.emsisoft.com/2011/04/19/...ot-u-surprise/


  10. #20
    AplusWebMaster (Adviser Team)

    Mac botnet 550,000 strong

    FYI...

    550,000 strong Mac botnet
    - http://news.drweb.com/?i=2341&c=5&lng=en&p=0
    April 4, 2012 - "... Attackers began to exploit CVE-2011-3544 and CVE-2008-5353 vulnerabilities to spread malware in February 2012, and after March 16 they switched to another exploit (CVE-2012-0507)... Over 550,000 infected machines running Mac OS X have been a part of the botnet on April 4. These only comprise a segment of the botnet set up by means of the particular BackDoor.Flashback* modification. Most infected computers reside in the United States (56.6%, or 303,449 infected hosts), Canada comes second (19.8%, or 106,379 infected computers), the third place is taken by the United Kingdom (12.8% or 68,577 cases of infection) and Australia with 6.1% (32,527 infected hosts) is the fourth..."
    * http://vms.drweb.com/search/?q=BackDoor.Flashback

    Charted: https://st.drweb.com/static/new-www/...ril/map2.1.png

    - https://www.securelist.com/en/blog/2...tnet_confirmed
    April 06, 2012 Kaspersky - "... we were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID, we were able to calculate the number of active bots. Our logs indicate that a total of 600 000+ unique bots connected to our server in less than 24 hours. They used a total of 620 000+ external IP addresses... More than 98% of incoming network packets were most likely sent from Mac OS X hosts. Although this technique is based on heuristics and can’t be completely trusted, it can be used for making order-of-magnitude estimates. So, it is very likely that most of the machines running the Flashfake bot are Macs..."
    ___

    - https://krebsonsecurity.com/2012/04/...mac-java-flaw/
    April 4th, 2012

    Trojan-Downloader:OSX/Flashback.I
    - https://www.f-secure.com/v-descs/tro...shback_i.shtml
    Detection Names: Exploit:Java/Flashback.I, Trojan-Downloader:OSX/Flashback.I, Trojan:OSX/Flashback.I, Backdoor: OSX/Flashback.I
    Category: Malware
    Type: Trojan-Downloader
    Platform: OSX
    "... Manual Removal... recommended only for advanced users..."

    Last edited by AplusWebMaster; 2012-04-08 at 05:48.
