
Thread: Pandemic of the Botnets 2013

  1. #1
    Adviser Team AplusWebMaster; Join Date: Oct 2005; Location: USA; Posts: 6,881

    Pandemic of the Botnets 2013

    FYI...

    Virut botnet takedown ...
    - https://krebsonsecurity.com/2013/01/...-virut-botnet/
    Jan 18, 2013 - "Security experts in Poland on Thursday quietly seized domains used to control the Virut botnet, a huge army of hacked PCs that is custom-built to be rented out to cybercriminals... Some of the domains identified in the takedown effort — including ircgalaxy .pl and zief .pl — have been used as controllers for nearly half a decade. During that time, Virut has emerged as one of the most common and pestilent threats... The action against Virut comes just days after Symantec warned that Virut had been used to redeploy Waledac, a spam botnet that was targeted in a high-profile botnet takedown by Microsoft in 2010... Virut is often transmitted via removable drives and file-sharing networks. But in recent years, it has become one of the most reliable engines behind massive malware deployment systems known as pay-per-install (PPI) networks... It’s not clear how the actions by NASK will impact the long-term operations of the Virut botnet. Many of Virut’s control servers are located outside the reach of NASK, at Russian top-level domain name registrars (.ru). Also, Virut has a failsafe mechanism built to defeat targeted attacks on its infrastructure..."

    Botnets Are Everywhere – See How They Spread ...
    - http://blog.trendmicro.com/trendlabs...al-botnet-map/
    Jan 14, 2013 - "Cybercriminals today create and use botnets to perpetrate their criminal activities. Whether it is to send out Blackhole Exploit Kit spam or to use as entry points into organizations, the one constant is that most bots (victim computers) communicate back and forth with command and control (C&C) servers... we’re publishing a new global map* showing active C&C servers, highlighted by red dots, and bots (victim computers), highlighted by blue dots, to show you where these botnets are located in the world..."
    * http://www.trendmicro.com/us/securit...map/index.html

    - http://www.symantec.com/connect/blog...r-interruption
    7 Jan 2013 - "... the Virut botnet is estimated at approximately 308,000 unique compromised computers that are active on a given day..."

    Last edited by AplusWebMaster; 2013-01-22 at 20:42.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2
    Adviser Team AplusWebMaster

    Gozi takedown - and its distributor

    FYI...

    Gozi takedown - and its distributor
    - http://arstechnica.com/security/2013...roof-web-host/
    Jan 24, 2013 - "... starting in 2010, the FBI launched an investigation. It didn't take long to find Gozi's creator, a 25-year-old Moscow resident named Nikita Kuzmin. By November 2010, Kuzmin had been arrested during a trip to the US; by May 2011 he pleaded guilty and agreed to forfeit his Gozi earnings, which might reach up to $50 million. Deniss Čalovskis, the 27-year-old Latvian man who allegedly coded the Web injects and customized them for various banks, was picked up by Latvian police in November 2012. But it was the bulletproof host behind Gozi who turned out to be the most interesting catch — and who took longest to reel in... FBI agents collected an incredible trove of data on the Gozi conspirators. According to court documents, this data cache included wiretaps, seized servers, an interview with a Gozi distributor, and even a host of chat logs lifted from a server used by the criminals behind Gozi. Despite all that, in the end what brought down the bulletproof host was as simple as a cell phone number. With the number in hand, the FBI worked with the Romanian Police Directorate for Combating Organized Crime (DCCO), since the number was based in Bucharest. The DCCO obtained court permission to tap the phone, then agents listened to calls, watched text messages, and intercepted Web addresses and passwords entered on the handset for three months in the spring of 2012... Last month, Romanian police arrested him, bringing the Gozi story to a close. The US government revealed the three arrests today. They unsealed indictments against Kuzmin, Čalovskis, and Paunescu which make clear just how young all three men were when the alleged criminal behavior began. Kuzmin got started with Gozi back in 2005, when he was just 18. Čalovskis was allegedly involved since he was 20. Paunescu is only 28 now, and has allegedly been in the bulletproof hosting business for years. Kuzmin pleaded guilty and will be sentenced in the US, where he faces a maximum 95 years in prison. Extradition proceedings are underway for the other two, who could each face a max of 60 years in a US cell."
    > https://en.wikipedia.org/w/index.php...29#Description

    - https://krebsonsecurity.com/2013/01/...h-gozi-trojan/
    Jan 23, 2013 - "... Web injects for Gozi and for customers of the ZeuS Trojan..."

    - https://www.abuse.ch/?p=3294

    - http://preview.tinyurl.com/audxmfh
    Jan 23, 2013 - FBI.gov

    - http://www.justice.gov/usao/nys/pres...oziVirusPR.php
    Jan 23, 2013

    Last edited by AplusWebMaster; 2013-01-24 at 16:43.

  3. #3
    Adviser Team AplusWebMaster

    Bamital takedown ...

    FYI...

    Bamital takedown
    - http://www.symantec.com/connect/blog...tal-bites-dust
    Feb 6, 2013 - "Today we are pleased to announce the successful takedown of the Bamital botnet. Symantec has been tracking this botnet since late 2009 and recently partnered with Microsoft to identify and shut down all known components vital to the botnet's operation. Bamital is a malware family whose primary purpose is to hijack search engine results, redirecting clicks on these results to an attacker controlled command-and-control (C&C) server. The C&C server redirects these search results to websites of the attackers' choosing. Bamital also has the ability to click on advertisements without user interaction. This results in poor user experience when using search engines along with an increased risk of further malware infections. Bamital’s origin can be tracked back to late 2009 and has evolved through multiple variations over the past couple of years. Bamital has primarily propagated through drive-by-downloads and maliciously modified files in peer-to-peer (P2P) networks. From analysis of a single Bamital C&C server over a six-week period in 2011 we were able to identify over 1.8 million unique IP addresses communicating with the server, and an average of three million clicks being hijacked on a daily basis... Clickfraud, the name used for the type of fraud committed by Bamital, is the process of a human or automated script emulating online user behavior and clicking on online advertisements for monetary gain. Bamital redirected end users to ads and content which they did not intend to visit. It also generated non-human initiated traffic on ads and websites with the intention of getting paid by ad networks. Bamital was also responsible for redirecting users to websites peddling malware under the guise of legitimate software... Bamital is just one of many botnets that utilize clickfraud for monetary gain and to foster other cybercrime activities. Many of the attackers behind these schemes feel they are low risk as many users are unaware that their computers are being used for these activities. This takedown sends a message to those attackers that these clickfraud operations are being monitored and can be taken offline..."

    - http://blogs.technet.com/b/security/...edirected=true
    6 Feb 2013

    - http://h-online.com/-1799528
    7 Feb 2013

    Last edited by AplusWebMaster; 2013-02-07 at 16:46.

  4. #4
    Adviser Team AplusWebMaster

    Botnet - spreading Android trojans

    FYI...

    Botnet - spreading Android trojans
    - http://h-online.com/-1837356
    8 April 2013 - "The Cutwail botnet, which has already been spreading the banking trojan known as Zeus, is now also trying to pass around a new Android trojan called Stels. Stels infects Android devices by pretending to be an update for Adobe Flash Player***. In case potential victims aren't on an Android device, the developers of the malware have come up with a backup plan – if the dangerous -spam- links are opened in a browser, such as Internet Explorer, on a desktop or laptop computer, users are redirected to web pages where the Blackhole exploit kit lies in wait. A security team at Dell has published a more detailed analysis* of the attack scenario..."
    * http://www.secureworks.com/cyber-thr...ware-analysis/
    "The Stels malware is a multi-purpose Android Trojan horse that can harvest a victim's contact list, send and intercept SMS (text) messages, make phone calls (including calls to premium numbers), and install additional malware packages... Many of the campaigns have used the IRS as a lure** due to the March 15 corporate tax return deadline and the April 15 individual tax return filing deadline..."
    ** http://www.secureworks.com/assets/im...ts.stels.1.png

    *** http://www.secureworks.com/assets/im...ts.stels.2.png

    - http://www.f-secure.com/weblog/archives/00002539.html
    April 8, 2013

    Last edited by AplusWebMaster; 2013-04-10 at 12:56.

  5. #5
    Adviser Team AplusWebMaster

    WordPress Botnet from Brute Force Attacks...

    FYI...

    WordPress Botnet from Brute Force Attacks...
    - https://krebsonsecurity.com/2013/04/...dpress-botnet/
    12 April 2013 - "Security experts are warning that an escalating series of online attacks designed to break into poorly-secured WordPress blogs is fueling the growth of an unusually powerful botnet currently made up of more than 90,000 Web servers... Over the past week, analysts from a variety of security and networking firms have tracked an alarming uptick in so-called “brute force” password-guessing attacks against Web sites powered by WordPress, perhaps the most popular content management system in use today... According to Web site security firm Incapsula, those responsible for this crime campaign are scanning the Internet for WordPress installations, and then attempting to log in to the administrative console at these sites using a custom list of approximately 1,000 of the most commonly-used username and password combinations. Incapsula co-founder Marc Gaffan told KrebsOnSecurity that infected sites will be seeded with a backdoor that lets the attackers control the site remotely (the backdoors persist regardless of whether the legitimate site owner subsequently changes his password). The infected sites then are conscripted into the attacking server botnet, and forced to launch password-guessing attacks against other sites running WordPress. Gaffan said the traffic being generated by all this activity is wreaking havoc for some Web hosting firms... this was the message driven home Thursday in a blog post from Houston, Texas based HostGator*, one of the largest hosting providers in the United States. The company’s data suggests that the botnet of infected WordPress installations now includes more than 90,000 compromised sites..."

    * http://blog.hostgator.com/2013/04/11...e-force-flood/
    April 11, 2013

    - http://blog.cloudflare.com/patching-...e-wordpress-br
    April 11, 2013

    - https://www.us-cert.gov/ncas/current...-Botnet-Attack
    April 15, 2013

    - http://atlas.arbor.net/briefs/index#-1593163055
    Elevated Severity
    April 15, 2013
    Large-scale attacks on WordPress sites could indicate that a large botnet with high-bandwidth is being built.
    Analysis: The ongoing financial sector attacks launched as part of Operation Ababil illustrate the damage that can be caused by attackers obtaining access to thousands of web-hosting servers and using them in a coordinated DDoS attack. Compared to botnets composed largely of compromised broadband-connected machines, the additional bandwidth available to most hosting providers and IDCs is attractive to attackers. There is no direct evidence that suggests exactly how these WordPress sites are ultimately intended to be used; however, the methodology of attacking web platforms such as WordPress with weak passwords is very similar to the technique put into place by the actors behind Operation Ababil, who have leaned heavily upon Joomla installations to build their botnet. Strong credentials should be used proactively, and network monitoring for the Command & Control server should be put into place. Arbor customers may leverage the recent ATF policy Backdoor.WordPress.FilesMan to alert on flows involving this Command & Control server.
    Additional references: http://krebsonsecurity.com/2013/04/b...dpress-botnet/
    - http://nakedsecurity.sophos.com/2013...passwords-now/
    Source:
    - http://vr-zone.com/articles/internet...ers/19672.html

    Last edited by AplusWebMaster; 2013-04-18 at 06:16.

  6. #6
    Adviser Team AplusWebMaster

    WordPress Brute-Force attacks affect Thousands of Sites

    FYI...

    WordPress Brute-Force attacks affect Thousands of Sites
    - http://blog.trendmicro.com/trendlabs...ands-of-sites/
    April 22, 2013 - "... large-scale brute force attack. These attacks use brute-force techniques to log into WordPress dashboards and plant malicious code onto compromised blogs and websites. It’s important to note what these attacks aren’t. They are not compromising WordPress blogs using known vulnerabilities in unpatched versions; if anything this current attack is less sophisticated than that – it merely tries to log into the default admin account with various passwords. If it is successful in logging in, it adds code for Blackhole Exploit Kit redirection pages to the blog. We have been monitoring these attacks, and we can confirm that they are indeed taking place. Because they add distinctive URLs to the blogs they have compromised, we can identify the scale of this attack... Over a one-day period, we identified more than 1,800 distinct sites that had been compromised by this attack. This represents a significant increase over the typical number of compromised WordPress sites that we encounter over the same period, highlighting the increased activity related to this particular campaign. Both users and site administrators can help mitigate threats like these. This particular attack only targeted administrator accounts that had -not- changed their default login name (admin). It is advisable that users change this to another login name of their choice. These and other steps to mitigate against this attack are outlined in WordPress’s online manual*..."
    * http://codex.wordpress.org/Brute_Force_Attacks

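Posts #5 and #6 above describe the same campaign: repeated login attempts against wp-login.php using the default "admin" account and a short list of common passwords, with a backdoor planted once a guess succeeds. The Python script below is an added example, not code from the original posts or from any of the vendors quoted. It parses web-server access log lines in the Apache "combined" format, flags client IPs that generate many failed wp-login.php POSTs inside a short window, and records whether a successful login followed the burst. The log lines, IP addresses (documentation ranges) and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format (assumed; adjust the regex for other formats).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields the detector needs, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def find_wp_login_bruteforce(lines, window=timedelta(minutes=5), threshold=10):
    """Per client IP: peak number of failed wp-login.php POSTs inside any `window`,
    plus whether a successful login followed the failures.

    WordPress answers a failed login by re-rendering the form (HTTP 200) and a
    successful one with a redirect to the dashboard (HTTP 302), so the status
    code separates the two without application-level logs.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"].endswith("/wp-login.php"):
            events[ev["ip"]].append((ev["ts"], ev["status"]))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        failures = [ts for ts, status in evs if status == 200]
        # Sliding window over sorted failure timestamps: largest count within `window`.
        peak, start = 0, 0
        for end in range(len(failures)):
            while failures[end] - failures[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        success_after = any(status == 302 and ts > failures[0] for ts, status in evs)
        findings[ip] = {"failures_in_window": peak, "success_after_failures": success_after}
    return findings


def _line(ip, hhmmss, method, path, status):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [12/Apr/2013:{hhmmss} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed sample log: one guessing client (12 failures, then a success) and one
# legitimate login from another address. Not taken from any real server.
SAMPLE_LOG = (
    [_line("203.0.113.7", f"10:00:{s:02d}", "POST", "/wp-login.php", 200) for s in range(12)]
    + [_line("203.0.113.7", "10:00:13", "POST", "/wp-login.php", 302)]
    + [_line("198.51.100.4", "10:02:00", "GET", "/wp-login.php", 200),
       _line("198.51.100.4", "10:02:05", "POST", "/wp-login.php", 302)]
)

if __name__ == "__main__":
    for ip, info in find_wp_login_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A burst followed by a 302 is the case to act on: the posts note the backdoor survives a later password change, so the site needs a file-integrity review and not just new credentials. Because the attacking pool spans tens of thousands of compromised hosts, a per-IP threshold misses attempts spread thinly across sources; aggregating failures per target account (the "admin" name the campaign relied on) catches that, and renaming the default account plus strong passwords removes the foothold the campaign depends on.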

  7. #7
    Adviser Team AplusWebMaster

    Pushdo: Latest Variant ...

    FYI...

    Pushdo: Latest Variant ...
    - http://www.secureworks.com/assets/pd...other/mv20.pdf
    05/15/13 - "... The Pushdo botnet is a “downloader” (or loader) primarily used to download and install the Cutwail spam bot. Pushdo is also aware of the IP address and geographical location of its victims. This allows the botmasters to target specific countries/areas for infections. The malware is also known to keep track of anti-virus products and firewall processes running on the system, which can be reported back to the C&C... The author of Pushdo made the botnet more robust by adding a DGA component* as the backup C&C method. This DGA attempts to contact 1,380 domains per day. The adoption of a DGA-based backup mechanism allows the botmaster to be more resilient against takedown efforts. The backup mechanism trivially defeats detection methods based on sandboxing and signatures. Within the last two years Damballa Labs noted that Zeus, TDSS/TDL and now Pushdo are all employing DGAs in some aspects of their communications. Furthermore, the inclusion of RSA cryptography ensures that defenders will not be able to use the domains created by the DGA to take control of the botnet (e.g., by pushing a removal tool). Pushdo also utilizes a fake traffic generator to hide both its own C&C traffic and Cutwail’s C&C traffic. The actual malware payload from Pushdo’s C&C is encrypted and hidden within a fake JPEG image file embedded in HTML scraped from legitimate websites. The noisy traffic generator combined with the real C&C server using a fake image file for payloads show the Pushdo botnet controller’s commitment to make identification of the real C&C servers more difficult."
    * Domain name generation algorithm (DGA)

    - http://www.theregister.co.uk/2013/05...extra_stealth/
    17 May 2013 - "... Pushdo has been used to distribute other malware such as ZeuS and SpyEye, as well as conduct spam/phishing campaigns with its Cutwail module. Despite four takedowns in five years of Pushdo command-and-control servers, the botnet (believed to be run by a single Eastern European hacker group) endures. The malware is responsible for between 175,000 and 500,000 active bots on any given day. The botnet is typically used to deliver malicious emails with links to websites that foist banking Trojans upon unsuspecting victims. Sometimes, the messages are made to look like credit card statements or they contain an attachment disguised as an order confirmation..."

    - https://atlas.arbor.net/briefs/index#313945818
    Elevated Severity
    May 16, 2013
    PushDo, a long-lived malware family that is most known for distributing the Cutwail spambot, has evolved. Network defenders should be aware of the changes.
    Analysis: Some of the most serious uses of the Cutwail spambot involve the distribution of spam e-mail that helps spread the Zeus banking malware. Since Cutwail and PushDo are so closely related, anyone detecting either should look deeper in order to gain the full incident response picture. Various types of obfuscation and encryption are nothing new for malware - even older malware using such tactics still flies beneath the radar of most - and we see a good example of such tactics in the PushDo evolution...

    - https://www.trustwave.com/support/la...statistics.asp
    Statistics for Week ending May 12, 2013

    Last edited by AplusWebMaster; 2013-05-20 at 13:54.
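The DGA backup channel described in the Pushdo write-up above (1,380 candidate domains a day, almost none of which the botmaster actually registers) defeats signature-based detection, but it leaves a network-level trace: a burst of NXDOMAIN answers for random-looking names coming from a single host. The Python below is an added example, not Damballa's or Arbor's code, and it does not reproduce Pushdo's actual algorithm. It scores constructed resolver log lines per client by NXDOMAIN count and by the Shannon entropy of the second-level label. The log format, client addresses, query names and thresholds are all assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (not a real capture): "<timestamp> <client> <qname> <rcode>".
# Client 10.0.0.9 mimics a DGA-driven host probing unregistered names; 10.0.0.5 is a
# normal user whose only NXDOMAIN is a typo.
SAMPLE_DNS_LOG = """\
2013-05-16T10:00:01 10.0.0.5 www.example.com NOERROR
2013-05-16T10:00:02 10.0.0.5 wwww.example.com NXDOMAIN
2013-05-16T10:00:03 10.0.0.5 mail.example.org NOERROR
2013-05-16T10:00:04 10.0.0.9 xkqzvbwtyrpl.com NXDOMAIN
2013-05-16T10:00:05 10.0.0.9 mqhdzjvpwrtk.net NXDOMAIN
2013-05-16T10:00:06 10.0.0.9 bvfxngqlwpsh.com NXDOMAIN
2013-05-16T10:00:07 10.0.0.9 zjtqmwkyhcvd.org NXDOMAIN
2013-05-16T10:00:08 10.0.0.9 plrwxbfzmqgk.com NXDOMAIN
2013-05-16T10:00:09 10.0.0.9 ktzhvjnwcxqb.net NXDOMAIN
2013-05-16T10:00:10 10.0.0.9 wrmdpqzvxlyk.com NXDOMAIN
2013-05-16T10:00:11 10.0.0.9 hqvzbxlwmjnt.com NXDOMAIN
2013-05-16T10:00:12 10.0.0.9 cxzmqwvkpdrf.org NXDOMAIN
2013-05-16T10:00:13 10.0.0.9 njvqkzwbhxpt.com NXDOMAIN
2013-05-16T10:00:14 10.0.0.9 gvwqmzkxlprh.net NXDOMAIN
2013-05-16T10:00:15 10.0.0.9 fqzxhwvbnkjp.com NXDOMAIN
2013-05-16T10:00:16 10.0.0.9 www.example.com NOERROR
"""


def shannon_entropy(s):
    """Bits per character of the string; higher means closer to uniformly random."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(name):
    """Label directly under the TLD, the part a DGA generates (naive split; no PSL)."""
    parts = name.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_dns_log(text):
    """Parse the assumed four-column log into (timestamp, client, qname, rcode) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        events.append((ts, client, qname.lower(), rcode))
    return events


def find_dga_suspects(events, min_nxdomain=10, min_entropy=3.0):
    """Clients with many NXDOMAIN answers whose failed names look random on average."""
    per_client = defaultdict(list)
    for _ts, client, qname, rcode in events:
        if rcode == "NXDOMAIN":
            per_client[client].append(second_level_label(qname))

    suspects = {}
    for client, labels in per_client.items():
        if len(labels) < min_nxdomain:
            continue  # a few typos are normal; a DGA fails dozens of times a day
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        if mean_entropy >= min_entropy:
            suspects[client] = {"nxdomain": len(labels), "mean_entropy": round(mean_entropy, 2)}
    return suspects


if __name__ == "__main__":
    for client, info in find_dga_suspects(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(client, info)
```

The two signals are deliberately combined: entropy alone false-positives on CDN and tracking hostnames, and NXDOMAIN volume alone catches misconfigured hosts, but a host that fails many lookups for high-entropy names is worth pulling into the incident-response view the Arbor brief asks for. The write-up also explains why sinkholing the generated domains yields visibility rather than control: the bot checks an RSA signature on what it downloads, so a defender-registered domain can count victims but cannot push a removal tool.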

  8. #8
    Adviser Team AplusWebMaster

    Andromeda botnet ...

    FYI...

    The Andromeda spam botnet
    - http://blog.trendmicro.com/trendlabs...romeda-botnet/
    May 22, 2013 - "... The Andromeda botnet is a spam botnet that delivers GAMARUE variants, which are known backdoors and have a noteworthy way of propagating via removable drives. We’ve been keeping track of the GAMARUE infection for the past weeks and observed some noteworthy activities. For the past 30 days, we noticed a sudden spike of its variants on May 17. In particular, there was an 82% increase from May 16 – May 17 and another 32% on May 18. A significant bulk of these malware, specifically 63%, is WORM_GAMARUE variants.
    > http://blog.trendmicro.com/trendlabs...0days-copy.jpg
    ... the bulk of infection came from Australia. Last year, Germany was also one of the most GAMARUE-affected countries. However, just months after my first post, we are seeing a trend in which a majority of WORM_GAMARUE variants are affecting India, Turkey, and Mexico.
    > http://blog.trendmicro.com/trendlabs...ribution-1.jpg
    ... the botnet is still active and poses risks to users... we concluded that during this quarter, cybercrime was characterized by old threats made new. The Andromeda spam botnet is a good example of this trend, this time with the aid of the Blackhole Exploit kits (BHEK) and some new tricks. This threat arrives as a spammed message containing a malicious attachment (GAMARUE variants) or links leading to certain sites, which now include those compromised by the notorious Blackhole Exploit kit. GAMARUE variants are known to propagate via removable drives. They also drop component files instead of copies of themselves to make detection difficult. Taking a cue from threats like DUQU and KULUOZ, GAMARUE variants also use certain APIs to inject themselves into normal processes to evade detection... Because some Andromeda-related spam messages eerily look like legitimate email notifications from vendors, the usual criteria for determining spam are not sufficient..."


  9. #9
    Adviser Team AplusWebMaster

    ZeuS/ZBOT - Q1-2013 ...

    FYI...

    ZeuS/ZBOT - Q1-2013
    - http://blog.trendmicro.com/trendlabs...es-up-in-2013/
    May 23, 2013 - "... info-stealing ZeuS/ZBOT variants are reemerging with a vengeance, with increased activity and a different version of the malware seen this year... The 1Q of the year proved this thesis, as seen in threats like CARBERP and Andromeda botnet. We can now include the data-stealing malware ZeuS/ZBOT to this roster of old-but-new threats, which we’ve noted to have increased these past months...
    > http://blog.trendmicro.com/trendlabs.../ZBOT-2013.jpg
    As seen in this chart, ZBOT variants surged in the beginning of February and continued to be active up to this month. It even peaked during the middle of May 2013. These malware are designed to steal online credentials from users, which can be banking credentials/information or other personally identifiable information (PII). Early generations of ZBOT variants create a folder in the %System% folder where they save the stolen data and configuration file. Users can also find a copy of the malware in the said folder. These ZBOT versions modify the Windows hosts file to prevent users from accessing security-related websites. The strings appended to the hosts file can be seen in the downloaded configuration file. Examples of earlier ZBOT versions include TSPY_ZBOT.SMD and TSPY_ZBOT.XMAS. Current ZBOT variants were observed to create two random-named folders in the %Applications Data% folder. One folder contains the copy of the ZBOT folder while the other folder contains encrypted data. An example of this is TSPY_ZBOT.BBH, which was found to be globally on top based on Smart Protection Network data. ZBOT malware of this generation are found to be mostly either Citadel or GameOver variants. Unlike earlier versions, the mutex name is randomly generated. Both variants send DNS queries to randomized domain names. The difference in the GameOver variant is that it opens a random UDP port and sends encrypted packets before sending DNS queries to randomized domain names... old threats like ZBOT can always make a comeback because cybercriminals profit from these. Peddling stolen banking and other personal information from users is a lucrative business in the underground market. Plus, these crooks can use your login credentials to initiate transactions in your account without your consent. Thus, it is important to be careful in opening email messages or clicking links. Bookmark trusted sites and avoid visiting unknown ones..."

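The post above notes that earlier ZBOT generations append entries to the Windows hosts file so that security-related sites stop resolving, and that the exact strings come from the downloaded configuration rather than being fixed in the binary. That makes a hosts-file audit a cheap host-based check. The Python below is an added example, not Trend Micro's code; it classifies every non-baseline hosts entry, treating a small watchlist of vendor domains (an assumption, built from vendors named in this thread) and any public-looking name pointed at a loopback or unspecified address as findings. The sample hosts content is constructed.

```python
import ipaddress
import sys

# Names that legitimately live in a hosts file (assumed baseline; extend as needed).
EXPECTED_LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet",
    "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters",
}

# Watchlist of vendor domains whose blocking matches the behaviour described in the post.
# Constructed for this example from vendors mentioned in the thread.
SECURITY_DOMAINS = {"symantec.com", "microsoft.com", "trendmicro.com", "f-secure.com"}


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield addr, name.lower().rstrip(".")


def on_watchlist(name, watchlist):
    """Exact or subdomain match; 'evilmicrosoft.com' must not match 'microsoft.com'."""
    return any(name == d or name.endswith("." + d) for d in watchlist)


def audit_hosts(text, watchlist=SECURITY_DOMAINS):
    """Classify every non-baseline hosts entry.

    watchlist_hits:     vendor/update sites overridden to any address (the ZBOT pattern)
    loopback_overrides: other names sent to a loopback/unspecified address (blocked)
    other_entries:      everything else; on an end-user machine these deserve a look too
    """
    report = {"watchlist_hits": [], "loopback_overrides": [], "other_entries": []}
    for addr, name in parse_hosts(text):
        if name in EXPECTED_LOCAL_NAMES:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line; the resolver ignores it too
        if on_watchlist(name, watchlist):
            report["watchlist_hits"].append((name, addr))
        elif ip.is_loopback or ip.is_unspecified:
            report["loopback_overrides"].append((name, addr))
        else:
            report["other_entries"].append((name, addr))
    return report


# Constructed sample modelled on the behaviour the post describes; not a real file.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com
127.0.0.1       update.microsoft.com
0.0.0.0         www.trendmicro.com
127.0.0.1       intranet.corp.example   # not on the watchlist, but not a baseline name either
192.0.2.10      banking.example.com     # a redirect rather than a block
"""

if __name__ == "__main__":
    # Windows keeps the file at %SystemRoot%\\System32\\drivers\\etc\\hosts; pass a path
    # to audit a real file, otherwise the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for category, entries in audit_hosts(text).items():
        print(category, entries)
```

A hit in the first two buckets on a machine whose owner never edits the hosts file is a strong indicator, and it is reachable without any malware signature: the check keys on the effect the post describes (security sites no longer resolving) rather than on a particular ZBOT build. The third bucket is informational; a deliberate redirect of a banking hostname to an arbitrary address, as in the last sample line, is at least as serious as a block and should be reviewed rather than ignored.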

  10. #10
    Adviser Team AplusWebMaster

    Citadel botnets shutdown

    FYI...

    Citadel botnets shutdown
    - http://www.reuters.com/article/2013/...9541KO20130606
    Jun 5, 2013 - "Microsoft Corp and the FBI, aided by authorities in more than 80 countries, have launched a major assault on one of the world's biggest cyber crime rings, believed to have stolen more than $500 million from bank accounts over the past 18 months. Microsoft said its Digital Crimes Unit on Wednesday successfully took down at least 1,000 of an estimated 1,400 malicious computer networks known as the Citadel Botnets. Citadel infected as many as 5 million PCs around the world and, according to Microsoft, was used to steal from dozens of financial institutions, including: American Express, Bank of America, Citigroup, Credit Suisse, eBay's PayPal, HSBC, JPMorgan Chase, Royal Bank of Canada and Wells Fargo. While the criminals remain at large and the authorities do not know the identities of any ringleaders, the internationally coordinated take-down dealt a significant blow to their cyber capabilities...
    > http://pdf.reuters.com/pdfnews/pdfne...29_PRIMARY.jpg
    ... According to Microsoft, Citadel was used to steal more than $500 million from banks in the United States and abroad, but the company did not specify losses at individual accounts or firms. The American Bankers Association, one of three financial industry groups that worked with Microsoft, said any success in reducing the number of active Citadel Botnets will reduce future losses incurred by banks and their customers... Of the more than 1,000 botnets that were shut down on Wednesday, Microsoft said 455 were hosted in 40 data centers in the United States. The rest were located in dozens of countries overseas. Technicians from Microsoft, accompanied by U.S. Marshals, visited two U.S. data centers in Scranton, Pennsylvania and Absecon, New Jersey to collect forensic evidence..."

    - https://www.microsoft.com/en-us/news...6-05DCUPR.aspx
    June 5, 2013

    - https://net-security.org/malware_news.php?id=2511
    6.06.2013

    - http://www.symantec.com/connect/blog...enses-breached
    6 Jun 2013
    - https://www.symantec.com/connect/sit...tion_522px.png
    Charted: Citadel infections from January to June 2013

    - http://h-online.com/-1884174
    6 June 2013
    ___

    Microsoft: 88 Percent of Citadel Botnets Down
    - https://blogs.technet.com/b/microsof...edirected=true
    25 Jul 2013 - "... we have been able to significantly diminish Citadel’s operation, rescue victims from the threat... According to our data, as of July 23, our coordinated action against the threat has disrupted roughly 88 percent of the Citadel botnets operating worldwide..."

    Last edited by AplusWebMaster; 2013-07-26 at 16:00.
