Pandemic of the botnets 2008

Fast Flux malware...

FYI...

Classmates dot com Fast Flux Malware
- http://asert.arbornetworks.com/2008/12/classmates-dot-com-fast-flux-malware/
December 5, 2008 - "The Gozi infostealer is running around, this time using new domains and a new lure: a “video invitation from your classmates”. This has been going on all week, too. In an email purporting to be from Classmates .com, you’re told to go look at a web page and join up. To view the video you need to .. you guessed it, download a new Flash player. Don’t worry, they’ll help you out... christmasclasses .com, is fast fluxing. If you can, block the hosts via a DNS server or some similar filter... The malcode you download, “AdobePlayer10.exe”, is a Gozi downloader... AV detection is fair (from VirusTotal*). Same basic thing as the Obama malcode from last month:
* downloads addons2.exe from a fast flux host using the domain name albertonixl .com.
* sends the Gozi data to a host in AS44997, BTG transit route block.
Our friends at Secure Works have an excellent writeup on Gozi**. This threat is -not- dead."

* http://www.virustotal.com/analisis/74e55e837c13187d4c4720f388a70aba

** http://www.secureworks.com/research/threats/gozi/

:fear::fear:
 
Mega-D botnet is back...

FYI...

Mega-D botnet is back...
- http://www.theregister.co.uk/2008/12/08/mega_d_returns/
8 December 2008 - "One of the three botnets cut off by the shutdown of rogue ISP McColo is back in business. The Mega-D botnet is back on its feet and throwing off huge volumes of spam... There's generally agreement among other security firms that junk mail levels are increasing to pre-McColo shutdown levels but some confusion about which botnets has woken up to pump out the gunk. IBM's ISS security tools division also notes* increased spam levels. It reckons junk mail volumes are half what they were immediately prior to the McColo takedown, or the same level as at the start of 2008... MessageLabs ventured the opinion*** that of the three botnets hosted by McColo only Srizbi remains homeless. "With the exception of Srizbi, the affected botnets have since found alternative hosting, resulting in a return to spam levels close to those before the takedowns, with rival botnets such as Cutwail and Rustock taking-up the slack left by Srizbi's absence," it said."
* http://blogs.iss.net/archive/mccolo-2.html
December 05, 2008 - "...Over the past few days... spam volume has been picking up the pace. It has now reached 50% of the volume before the takedown... which is also equivalent to the volume we saw at the beginning of the year. The mix of spam we’re seeing is different, too. There has been a notable increase in small, HTML-based mail with minimal or no text and an embedded picture URL. This increase isn’t due to all spammers substantially changing the type of spam they send, it’s due to one botnet, Srizbi, that appears to be recovering faster than the others. The increase of this particular botnet has been noted by others... This spammer also appears to be more concerned about the size of their spam messages, because they’ve gone down from 3.5k to 2.5k on average, possibly due to a new constraint of limited bandwidth..."
** http://www.heise-online.co.uk/news/Botnet-rises-again--/112118

*** http://www.messagelabs.com/mlireport/MLIReport_Annual_2008_FINAL.pdf
(6.3MB PDF file)

:fear::sad::mad:
 
Last edited:
You must log in or register to reply here.
Back
Top