
Thread: Pandemic of the Botnets 2013

  1. #11
    AplusWebMaster (Adviser Team; joined Oct 2005; Location: USA; Posts: 6,881)

    Kelihos botnet: What victims can expect

    FYI...

    Kelihos botnet: What victims can expect
    - http://research.zscaler.com/2013/08/...an-expect.html
    August 27, 2013 - "There has been a recent surge in security blogs* warning users** to be extra cautious of a new spin on an old threat. Kelihos is a botnet which utilizes P2P communication to maintain its CnC Network. With all of the attention around Kelihos, it should be no surprise that 30/45 AV vendors*** are detecting the latest installer... a now infamous iteration of this botnet installer in action. In particular, I found a file called "rasta01.exe"... the use of P2P style communication via SMTP raised an eyebrow. This particular instance called out to 159 distinct IP addresses...

    Secondly, we observed the overt way the botnet installs several packet capturing utilities and services. This is done so that the infection can monitor ports 21, 25, and 110 for username and password information...

    Next, I noticed that the botnet attempts to categorize its new victim by using legitimate services to gather intelligence. In this instance, the malicious file actually queried the victim IP address on Barracuda Networks, SpamHaus, Mail-Abuse, and Sophos. These services primarily exist to notify users of abuse seen on the site or IP address. Kelihos is using it to determine if the new victim is already seen as malicious or not. If the victim isn't seen in the CBLs (Composite Block Lists) yet, then it may be used as either a Proxy C&C or Spam-bot...

    A final point to make about this threat is that it makes no attempt to hide exactly how loud it is regarding network activity. We noted a spike in TCP traffic across a distinct 563 IP addresses in the span of two minutes. Network administrators should take extra care in monitoring users with anomalous levels of traffic. A single node giving off so much traffic to different services in such a small window could be used to identify potential victims."
    * http://www.lavasoft.com/mylavasoft/m...et-august-2013

    ** http://malwaremustdie.blogspot.com/2...in-battle.html

    *** https://www.virustotal.com/en/file/7...e3b1/analysis/

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
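One way to operationalise the closing point of the quoted write-up (a single node contacting hundreds of distinct destinations inside two minutes), written here as an added example and not taken from the Zscaler post or this thread: a sliding-window fan-out detector over flow records. The flow records, host addresses and the threshold of 50 distinct destinations per 120 seconds are constructed assumptions.

```python
from collections import Counter, defaultdict, deque

def build_sample_flows():
    """Constructed flow records (epoch_seconds, src_ip, dst_ip), not real data.
    10.0.0.23 mimics the burst described in the post: 563 distinct peers in two
    minutes. 10.0.0.7 is a normal workstation; 10.0.0.9 is a busy mail relay."""
    base = 1377597600  # arbitrary constructed start time (2013-08-27 10:00 UTC)
    flows = []
    for i in range(563):
        flows.append((base + (i * 120) // 563, "10.0.0.23", f"10.200.{i // 256}.{i % 256}"))
    for i in range(30):
        flows.append((base + i * 60, "10.0.0.7", f"10.100.0.{i % 6}"))
    for i in range(40):
        flows.append((base + i * 3, "10.0.0.9", f"10.150.0.{i}"))
    return flows

def flag_fanout(flows, window_s=120, threshold=50):
    """Sliding-window fan-out detector.
    Returns {src: (peak_distinct_dsts, window_start)} for every source that
    contacted at least `threshold` distinct destinations within any span of
    `window_s` seconds. Only distinct destinations count, so repeated polling
    of a few servers does not trigger it."""
    by_src = defaultdict(list)
    for ts, src, dst in flows:
        by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        active = deque()   # (ts, dst) events still inside the window
        live = Counter()   # dst -> number of active events to that dst
        peak_count, peak_start = 0, None
        for ts, dst in events:
            active.append((ts, dst))
            live[dst] += 1
            # Expire events older than window_s relative to the newest event.
            while ts - active[0][0] > window_s:
                _old_ts, old_dst = active.popleft()
                live[old_dst] -= 1
                if live[old_dst] == 0:
                    del live[old_dst]
            if len(live) > peak_count:
                peak_count, peak_start = len(live), active[0][0]
        if peak_count >= threshold:
            alerts[src] = (peak_count, peak_start)
    return alerts

if __name__ == "__main__":
    for src, (n, start) in flag_fanout(build_sample_flows()).items():
        print(f"ALERT {src}: {n} distinct destinations within 120s from {start}")
```

Tune `threshold` against a baseline of your own mail relays and scanners; the relay in the sample (40 destinations) shows how a low threshold turns legitimate fan-out into noise.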

  2. #12
    AplusWebMaster (Adviser Team)

    Symantec sinkholes ZeroAccess Botnet...

    FYI...

    Symantec sinkholes half-million in ZeroAccess Botnet
    - http://www.darkreading.com/attacks-b...ndly=this-page
    Sep 30, 2013 - "... Symantec has intercepted and redirected more than a half-million machines infected by the pervasive click-fraud botnet ZeroAccess, one of the world's largest botnets. In a race to get one step ahead of the botnet operators, researchers at Symantec made the move to sinkhole ZeroAccess bots when they discovered the botnet's operators were about to push a new version of the malware that fixed weaknesses to allow the botnet to be intercepted and sinkholed...

    ZeroAccess, which typically boasts some 1.9 million bots and has been in operation since at least 2011, is second in size only to Conficker, which, although dormant, is still spreading around the globe. ZeroAccess is, however, the biggest peer-to-peer botnet, according to Symantec. P2P botnets are tougher to tame because infected machines communicate directly to one another for updates and instructions; there is no central command-and-control that can be taken down by researchers or law enforcement.

    Symantec began working on ways to sinkhole the botnet this spring and, on June 29, spotted a new version of ZeroAccess malware being spread through the P2P botnet. The new version included fixes for two key design flaws in the malware that, if exploited, would have made sinkholing a snap: specifically, a relatively small list of IPs a bot can communicate with, as well as internal code that left the door open for introducing a rogue IP address - such as a sinkhole - to the bot...

    The majority of the infected ZeroAccess bots are consumer machines, anywhere from 80 to 90 percent, and Symantec has been working with ISPs and CERTs around the world to share information about the botnet so the infected machines can be cleaned up. Symantec also shared information on ZeroAccess bots that it wasn't able to sinkhole but were communicating with ones it captured.

    ZeroAccess's main moneymaking method is click fraud. The ZeroAccess gang makes tens of millions of dollars a year on these scams, which basically infect unsuspecting users with the malware that generates phony clicks on false ads for payment. Symantec tested the activity of a click-fraud bot and found that each bot generates about 257 MB of traffic every hour, some 6.1 GB a day, as well as 42 false ad clicks an hour, or 1,008 per day. A click is worth about a penny, but with 1.9 million bots, it quickly becomes lucrative, according to Symantec.

    ZeroAccess is a Trojan that employs a rootkit to remain under the radar. It typically spreads via compromised websites in a drive-by download attack and uses the Blackhole Exploit Toolkit, as well as the Bleeding Life Toolkit... Symantec also notes similarities between ZeroAccess and TDL, a.k.a. TDSS and Tidserv... The attackers behind ZeroAccess are out of Eastern Europe, including Russia and the Ukraine, according to Symantec. Seventy to 80 percent of them are based in Eastern Europe, and Russia... ZeroAccess also had previously been used for Bitcoin-mining, but the gang earlier this year got out of that business and doubled down on its click-fraud activities."
    * http://www.symantec.com/connect/blog...oaccess-botnet


  3. #13
    AplusWebMaster (Adviser Team)

    Zeroaccess botnet blocked ...

    FYI...

    Zeroaccess botnet blocked ...
    - https://www.europol.europa.eu/conten...ters-disrupted
    5 Dec 2013 - "A rampant botnet has been successfully disrupted in a transatlantic operation involving Europol’s European Cybercrime Centre (EC3) and law enforcement cybercrime units from Germany, Latvia, Luxembourg, Switzerland and the Netherlands as well as Europol’s European Cybercrime Centre (EC3). Furthermore, the operation was supported by Microsoft Corporation’s Digital Crimes Unit and other technology industry partners. The targeted botnet, known as Zeroaccess, is responsible for infecting over 2 million computers worldwide, specifically targeting search results on Google, Bing and Yahoo search engines, and is estimated to cost online advertisers US$ 2.7 million each month. Today’s action is expected to have significantly disrupted the botnet’s operation, increasing the cost and risk for the cybercriminals to continue doing business and freeing victims’ computers from the malware. The botnet worked as a Trojan horse affecting Windows operating systems so that malware could be downloaded.

    Microsoft filed a civil suit against the cybercriminals operating the Zeroaccess botnet, and received authorisation to simultaneously -block- incoming and outgoing communications between computers located in the U.S. and the 18 identified Internet Protocol (IP) addresses being used to commit the fraudulent schemes. Due to Germany’s initiative, Europol’s European Cybercrime Centre (EC3) coordinated a multi-jurisdictional criminal action targeting 18 IP addresses located in Europe. Thanks to the efforts of EC3 and the involved agencies, search warrants and seizures on computer servers associated with the fraudulent IP addresses were executed in several of the involved countries..."

    - http://krebsonsecurity.com/2013/12/z...n-but-not-out/
    Dec 5, 2013 - "... The malware that powers the botnet, also known as “ZAccess” and “Sirefef,” is a complex threat that has evolved significantly since its inception in 2009. It began as a malware delivery platform that was used to spread other threats, such as fake antivirus software (a.k.a. “scareware”). In recent years, however, the miscreants behind ZeroAccess rearchitected the botnet so that infected systems were forced to perpetrate a moneymaking scheme known as “click fraud” — the practice of fraudulently generating clicks on ads without any intention of fruitfully interacting with the advertiser’s site..."

    - http://www.botnetlegalnotice.com/zeroaccess/


  4. #14
    AplusWebMaster (Adviser Team)

    Rovnix Botnet controller...

    FYI...

    Suspected Active Rovnix Botnet Controller
    - https://isc.sans.edu/diary.html?storyid=17180
    Last Updated: 2013-12-07 03:02:54 UTC - "We have received information about a suspected Rovnix botnet controller currently using at least 2 domains (mashevserv[.]com and ericpotic[.]com) pointing to the same IP address of 37.9.53.126 (AS 44050). This is the information that we currently have available that should help identify if any hosts in your network are currently contacting this botnet:
    • mashevserv[.]com/config.php?version=[value here]&user=[value here]&server=[value here]&id=[value here]&crc=[value here]&aid=[value here] is where the compromised clients send an HTTP GET request to when requesting a configuration file. If the correct values are inputted, the server will return an encrypted configuration file.
    • mashevserv[.]com/admin appears to be the admin console ...
    > https://isc.sans.edu/diaryimages/ima..._adm_panel.PNG
    • ericpotic[.]com/task.php has similar values appended to it, and when the GET request is done it appears to be some sort of check-in to tell the server it is alive.
    • Posts to ericpotic[.]com/data.php are used to exfiltrate data. All communications with C&C are unencrypted over TCP 80.
    It also appears this malware has very little detection. This is all we currently have...
    [1] https://www.robtex.com/dns/mashevserv.com.html#graph
    [2] https://www.robtex.com/dns/ericpotic.com.html#graph
    [3] https://www.robtex.com/ip/37.9.53.126.html#whois
    [4] http://www.xylibox.com/2013/10/rever...passwords.html ..."
    Keywords: Botnet Rovnix Malware Banking Trojan

    - https://www.virustotal.com/en/ip-add...6/information/

    - http://google.com/safebrowsing/diagnostic?site=AS:44050

    Last edited by AplusWebMaster; 2013-12-07 at 14:31.
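An added example, not from the ISC diary or this thread, of turning the indicators quoted above into a check over HTTP proxy logs: it refangs the [.] notation, matches the two domains and the IP, and labels config.php fetches, task.php check-ins and data.php POSTs separately so an analyst can see which stage of the C2 conversation a host reached. The log format and the sample lines are constructed; the expected config.php parameter names are the ones listed in the diary.

```python
from urllib.parse import parse_qs, urlsplit

# Indicators exactly as quoted from the ISC diary above; refang() undoes the [.] defanging.
DEFANGED_C2 = ["mashevserv[.]com", "ericpotic[.]com", "37.9.53.126"]
EXPECTED_CONFIG_PARAMS = {"version", "user", "server", "id", "crc", "aid"}

def refang(indicator):
    return indicator.replace("[.]", ".")

C2_HOSTS = {refang(i) for i in DEFANGED_C2}

# Constructed proxy log, one request per line: "<epoch> <client_ip> <method> <url> <status>".
SAMPLE_LOG = """\
1386385200 10.0.0.41 GET http://mashevserv.com/config.php?version=2&user=u1&server=s1&id=42&crc=beef&aid=7 200
1386385230 10.0.0.41 GET http://ericpotic.com/task.php?version=2&user=u1&server=s1&id=42 200
1386385260 10.0.0.41 POST http://ericpotic.com/data.php 200
1386385290 10.0.0.52 GET http://example.org/index.html 200
1386385320 10.0.0.63 GET http://37.9.53.126/admin 401
1386385350 10.0.0.52 GET http://mashevserv.com/config.php?version=2 200
"""

def classify(method, url):
    """Label a request that touches a C2 host; return None for everything else."""
    parts = urlsplit(url)
    if (parts.hostname or "") not in C2_HOSTS:
        return None
    params = set(parse_qs(parts.query, keep_blank_values=True))
    if parts.path == "/config.php" and method == "GET":
        missing = EXPECTED_CONFIG_PARAMS - params
        if missing:   # partial parameter set: still C2 contact, but flag the difference
            return "config-fetch (missing " + ",".join(sorted(missing)) + ")"
        return "config-fetch"
    if parts.path == "/task.php" and method == "GET":
        return "check-in"
    if parts.path == "/data.php" and method == "POST":
        return "exfiltration"
    return "contact-with-c2-host"   # e.g. the /admin console, or any other path

def scan_log(text):
    """Return [(client_ip, label, url)] for every log line matching an indicator."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, method, url, _status = line.split()
        label = classify(method, url)
        if label:
            hits.append((client, label, url))
    return hits

if __name__ == "__main__":
    for client, label, url in scan_log(SAMPLE_LOG):
        print(f"{client}\t{label}\t{url}")
```

Because the diary notes all C2 traffic is plaintext over TCP 80, the same matching works on proxy logs, web-filter logs or Bro/Zeek http records without any TLS inspection.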

  5. #15
    AplusWebMaster (Adviser Team)

    Fraud Bot Traffic surpasses Human Traffic ...

    FYI...

    Fraudulent Bot Traffic surpasses Human Traffic ...
    - http://www.darkreading.com/applicati...ndly=this-page
    Dec 23, 2013 - "There was more bot-driven, fraudulent activity on the Web in the U.S. last quarter than there was human traffic, according to a report posted last week. According to Solve Media's Q3 bot report, fraudulent activity accounted for 51% of U.S. Web traffic in the third quarter - the first time it has surpassed everyday traffic generated by humans. The problem is even bigger in other regions of the globe, according to Solve Media. Estonia (83%), Singapore (79%), and China (77%) had the highest levels of fraudulent Web activity overall, according to the study. Suspicious mobile activity in the United States also increased, up from 22% in Q2 to 27%. Solve Media, which monitors bot traffic as part of its security and digital advertising services, said the growth of fraudulent traffic may change the way online advertisers and commercial organizations approach the Web..."
    * http://news.solvemedia.com/post/7048...raffic-q4-2013

    > http://solvemedia.files.wordpress.co...ic_q3_2013.png

    - http://response.network-box.com/malware

    Last edited by AplusWebMaster; 2013-12-23 at 17:48.
