Thread: Pandemic of the botnets 2010

    AplusWebMaster (Adviser Team; joined Oct 2005; location: USA; posts: 6,881)

    TT-Bot + ZeuS + BlackEnergy botnets...

    FYI...

    TT-Bot DDoS Bot Analysis
    - http://asert.arbornetworks.com/2010/...-bot-analysis/
    April 1, 2010 - "We recently spotted this family in our malware zoo, another HTTP DDoS bot. This one's identifying mark is the string "User-Agent: TT-Bot 1.0.0" in the client requests. We do not know if this is a kit; this one appears to be in limited use. We have not explored the server-side of it... Static analysis suggests that the code is written in MS VB 6... At this time this botnet is still live and issuing commands. We do not know how big this botnet is."

    ZeuS banking trojan botnet
    - http://www.secureworks.com/research/threats/zeus/
    March 11, 2010 - "... ZeuS is a well-known banking Trojan horse program, also known as crimeware. This trojan steals data from infected computers via web browsers and protected storage. Once infected, the computer sends the stolen data to a bot command and control (C&C) server, where the data is stored... ZeuS has evolved over time and includes a full arsenal of information stealing capabilities... observed other ZeuS databases for sale on various underground black markets. Their size is typically over 10GB, which is a botnet of approximately 23,000 infected computers (bots)... "

    BlackEnergy botnet
    - http://www.forbes.com/2010/03/03/cyb...nks_print.html
    03.03.10 - "... Secureworks issued a report describing a new cybercriminal group that aims a one-two punch at banks. First it collects banking customers' passwords using a variation of the so-called BlackEnergy software, which has infected thousands of computers worldwide to create a "botnet" of hijacked machines. The machines use the collected passwords to move funds into the hackers' accounts, and then typically delete files from the user's computer to cover their tracks. But what follows that fraud is an unlikely step: a cyberattack known as a "distributed denial-of-service," using a flood of data requests from the infected computers to take down the company's online banking service. "The same botnet that's being used to steal money from banks is launching these denial-of-service attacks on them," says Secureworks* researcher Joe Stewart..."
    * http://www.secureworks.com/research/.../blackenergy2/
    March 3, 2010 - "BlackEnergy, a popular DDoS Trojan, gained notoriety in 2008 when it was reported to have been used in the cyber attacks launched against the country of Georgia in the Russia/Georgia conflict. BlackEnergy was authored by a Russian hacker. A comprehensive analysis* of the version of BlackEnergy circulating at the time was done in 2007 by Arbor Networks... There is no distinct antivirus trojan family name that corresponds to the BE2 dropper or rootkit driver. Antivirus engines that detect it either label it with a generic name, or as another trojan - most often it is mis-identified as "Rustock.E", another rootkit trojan from a different malware family. The BlackEnergy rootkit does share some techniques in common with the Rustock rootkit..."
    * http://atlas-public.ec2.arbor.net/do...t+Analysis.pdf
    "... HTTP-based botnet used primarily for DDoS attacks..."

    - http://blogs.forbes.com/firewall/201...t-malware-now/
    March 30, 2010

    Last edited by AplusWebMaster; 2010-04-02 at 03:20.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
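The Arbor note above says the only distinguishing mark of TT-Bot traffic is the "User-Agent: TT-Bot 1.0.0" header in its client requests. As an added example (not part of the post or of Arbor's analysis), here is a small detector that scans web-server access-log lines for that User-Agent value, counts hits per source address, and flags sources that exceed a request threshold. The log format (Apache/nginx "combined"), the sample log lines, the documentation-range IP addresses and the threshold are all constructed for illustration; the User-Agent string is the one quoted in the post.

```python
"""
Added example: flag TT-Bot DDoS traffic in an access log by its User-Agent.

Assumptions (not from the original post):
  - logs are in the Apache/nginx "combined" format parsed by LOG_RE
  - SAMPLE_LOG is constructed test data using documentation IP ranges
  - a source sending >= THRESHOLD bot requests is worth blocking
"""
import re
from collections import Counter, defaultdict

# The identifying string quoted in the Arbor write-up (header value only).
TT_BOT_UA = "TT-Bot 1.0.0"

# Assumed "combined" log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one source hammering "/" with the bot UA, one single
# bot hit, one legitimate browser request, and one unparseable line.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2010:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "TT-Bot 1.0.0"
203.0.113.7 - - [01/Apr/2010:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "TT-Bot 1.0.0"
203.0.113.7 - - [01/Apr/2010:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "TT-Bot 1.0.0"
198.51.100.4 - - [01/Apr/2010:10:00:02 +0000] "GET /login HTTP/1.1" 200 1034 "-" "TT-Bot 1.0.0"
192.0.2.10 - - [01/Apr/2010:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "http://example.net/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.6"
this line is not a valid log record
"""

THRESHOLD = 3  # assumed per-source request count that triggers a block


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_tt_bot(user_agent):
    """True when the User-Agent carries the TT-Bot marker from the Arbor analysis."""
    return TT_BOT_UA in user_agent


def scan(lines, threshold=THRESHOLD):
    """Count TT-Bot requests per source IP and flag sources at or above threshold."""
    hits_by_ip = Counter()
    paths_by_ip = defaultdict(set)
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # keep a count so a format change does not silently blind the detector
            continue
        if is_tt_bot(rec["ua"]):
            hits_by_ip[rec["ip"]] += 1
            parts = rec["req"].split(" ")
            if len(parts) >= 2:
                paths_by_ip[rec["ip"]].add(parts[1])
    flagged = sorted(ip for ip, n in hits_by_ip.items() if n >= threshold)
    return {
        "hits": dict(hits_by_ip),
        "paths": {ip: sorted(p) for ip, p in paths_by_ip.items()},
        "flagged": flagged,
        "unparsed": unparsed,
    }


def block_commands(flagged_ips):
    """Render iptables drop rules for flagged sources (assumed response; adapt to your firewall)."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in flagged_ips]


if __name__ == "__main__":
    result = scan(SAMPLE_LOG.splitlines())
    for ip, n in sorted(result["hits"].items()):
        print("%-15s %3d TT-Bot requests  paths=%s" % (ip, n, result["paths"][ip]))
    print("flagged:", result["flagged"], "unparsed lines:", result["unparsed"])
    for cmd in block_commands(result["flagged"]):
        print(cmd)
```

A substring match on the User-Agent is only as good as the bot's author is lazy; the note says TT-Bot is in limited use and its server side has not been analysed, so treat this as a quick triage filter, and pair it with the per-source rate check rather than relying on the header string alone.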
