Pandemic of the botnets 2009

Status
Not open for further replies.
MS08-067 exploit updated...

FYI...

- http://preview.tinyurl.com/dl3pz9
04-08-2009 Symantec Security Response Blog - "We have come across a system infected with W32.Downadup.C that has provided some interesting information. We discovered some similarly named files, 484528750.exe and 484471375.exe, which had shown up in the \Windows\temp folder within one minute of each other. These files turned out to be W32.Waledac and a modified W32.Downadup variant, respectively..."

- http://www.viruslist.com/en/weblog?weblogid=208187654
April 09, 2009 Kaspersky blog - "The computers infected with Trojan-Downloader.Win32.Kido (aka Conficker.c) contacted each other over P2P, telling infected machines to download new malicious files... once again it’s a worm, and it’s only functional until 3rd May... One of the files is a rogue antivirus app... The first version of Kido, detected back in November 2008, also downloaded fake antivirus to the infected machine. And once again, six months later, we’ve got unknown cybercriminals using the same trick. The rogue software, SpywareProtect2009, can be found on spy-protect-2009 .com., spywrprotect-2009 .com, spywareprotector-2009 .com... Once it’s run, you see the app interface, which naturally asks if you want to remove the threats it’s “detected”. Of course, this service comes at a price - $49.95... At the moment, the rogue antivirus comes from sites located in Ukraine (131-3.elaninet .com.78.26.179.107) although Kido is downloading it from other sites. The latest version of Kido also downloads Email-Worm.Win32.Iksmas.atz to infected systems. This email worm is also known as Waledac, and is able to steal data and send spam... Both Kido and Iksmas are now present on infected machines and part of the gigantic botnet designed to conduct spam mailings..."
(Screenshots available at the viruslist/Kaspersky URL above.)

- http://www.f-secure.com/weblog/archives/00001652.html
April 9, 2009

- http://asert.arbornetworks.com/2009/04/conficker-did-not-melt-the-internet/
April 9, 2009

:fear::fear:
 
Last edited:
New Waledac variant in the wild

FYI...

New Waledac variant in the wild
- http://securitylabs.websense.com/content/Alerts/3343.aspx
04.16.2009 - " Websense... has detected a new Waledac variant in the wild being distributed via email since yesterday. The new campaign uses a theme whereby the user is enticed to download an application that will permit them to view other people's SMS messages online. The download file uses alternating filenames, including sms.exe, freetrial.exe, and smstrap.exe. ThreatSeeker has identified thousands of spam emails using this theme. Not all major antivirus vendors are currently detecting this threat..."

Waledac - New Campaign, New Domains, GeoCities, and SpywareProtect2009
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20090416
16 April 2009

- http://blog.trendmicro.com/new-waledac-campaign-sms-snooping-software/
Apr. 16, 2009

- http://www.f-secure.com/weblog/archives/00001658.html
April 16, 2009

(Screenshots available at all URLs above.)

Fake SMS Reader Spam in Russian Language: Malicious Web Site / Malicious Code
- http://securitylabs.websense.com/content/Alerts/3344.aspx
04.16.2009

- http://blog.trendmicro.com/online-casino-geocities-and-waledac/
Apr. 15, 2009 - "... Waledac updated its spam emails and is now spamming online casino advertisements..."
(Screenshots available at the TrendMicro URL above.)

:fear::fear:
 
Last edited:
WALEDAC’s latest Spamming fetish

FYI...

WALEDAC’s latest Spamming fetish
- http://blog.trendmicro.com/waledac’s-latest-spamming-fetish/
Apr. 21, 2009 - "WALEDAC has found a new fetish — spamming users with email messages on free foot fetish movies... clicking the link in the spammed email redirects users to websites featuring foot fetish videos. WALEDAC is notorious for employing various social engineering techniques that leads users to a series of malware infections. This being the third of the recent WALEDAC spam runs we’ve seen, its quite safe to assume we’ll be seeing more of this runs in the near future."
(Screenshots available at the URL above.)

- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20090421
21 April 2009

:fear::mad:
 
New botnet found - 1.9M bots...

FYI...

New botnet found - 1.9M bots
- http://www.finjan.com/MCRCblog.aspx?EntryId=2237
Apr 22, 2009 - "... recent discovery of a network of 1.9 million infected computers controlled by cybercriminals... We found that the botnet’s command and control server is hosted in Ukraine. As folders on this server were left open, we were able to get more information for our research. The server has a nice backend management application making it easy for the attackers to manage the infected machines. One of the management console features that we identified is a Command Editing panel through which instructions are sent to the infected machines (bots). We have seen commands asking the bots to download and execute additional malware, download settings files, apply update files etc... This command instructs the bot on the infected computers to download and execute a Trojan horse... only 4 out of 39 Anti-Virus products detected this Trojan... The description field of this command led us to a hacker’s forum in Russia with a post requesting to trade in infected computers... (Another) command instructs the infected machines to download and execute a Trojan horse that later installs a group of other malicious executables without the user’s consent... Overall, the cybergang can remotely execute anything it likes on the infected computers. The log file on the server disclosed the IP addresses of the infected computers and their names in the network..."

(Screenshots available at the URL above.)

:mad::fear::mad:
 
Gov systems found on 1.9m zombie botnet

FYI...

Gov systems found on 1.9m zombie botnet
- http://www.theregister.co.uk/2009/04/22/superbotnet_server/
22 April 2009 - "... cybercrooks collectively compromised computers in 77 government-owned domains (.gov) from the UK, US and various other countries. The malware that featured in the attack allowed hackers complete control of compromised PCs, nearly all of which were running Windows XP. A variety of malicious actions, from reading emails to copying files, keystroke logging, and spam distribution were all possible. Since discovering the botnet, Finjan has supplied information to the server to UK and US law enforcement agencies. The command server is now out of commission. Finjan has informed affected corporate and government agencies about infected computer names, in a move that will hopefully result in a clean-up operation..."

:fear::fear:
 
Tracking Spam Botnets...

FYI...

Tracking Spam Botnets...
- http://www.marshal8e6.com/trace/bot_statistics.asp
April 12, 2009 - "...spamming botnets are constantly in flux. Botnets morph, become obsolete, replaced, taken down, and upgraded. One thing is clear, a mere handful of botnets are responsible for the bulk of all spam sent. This page pulls together some of the results of our latest research, highlighting details about some of the most notorious spamming botnets..."
(Graphs and more detail available at the Marshal URL above.)

- http://www.theregister.co.uk/2009/04/23/botnet_speed_test/
23 April 2009 - "... Xarvester and Rustock threw off the most junk mail, 25K messages an hour or the equivalent of 600K spams a day. The data on spam rates was harvested from a wider research project into botnets run by Marshal8e6 over the last two years..."

:fear:
 
Botnet probe finds 70GB of data...

FYI...

Botnet probe turns up 70GB of personal, financial data
- http://preview.tinyurl.com/cmzd68
May 4, 2009 (Computerworld) - "...it steals personal and financial data. The botnet, known as Torpig or Sinowal, is one of the more sophisticated networks that uses hard-to-detect malicious software to infect computers and subsequently harvest data such as e-mail passwords and online banking credentials. The researchers were able to monitor more than 180,000 hacked computers by exploiting a weakness within the command-and-control network used by the hackers to control the computers. It only worked for 10 days, however, until the hackers updated the command-and-control instructions... Still, that was enough of a window to see the data-collecting power of Torpig/Sinowal. In that short time, about 70GB of data were collected from hacked computers. The researchers stored the data and are working with law enforcement agencies such as the U.S. Federal Bureau of Investigation, ISPs and even the U.S. Department of Defense to notify victims... Torpig/Sinowal can pilfer user names and passwords from e-mail clients such as Outlook, Thunderbird and Eudora while also collecting e-mail addresses in those programs for use by spammers. It can also collect passwords from Web browsers. Torpig/Sinowal can infect a PC if a computer visits a malicious Web site that is designed to test whether the computer has unpatched software, a technique known as a drive-by download attack... The researchers found out that Torpig/Sinowal ends up on a system after it is first infected by Mebroot, a rootkit that appeared around December 2007. Mebroot infects a computer's Master Boot Record (MBR), the first code a computer looks for when booting the operating system after the BIOS runs. Mebroot is powerful since any data that leaves the computer can be intercepted. Mebroot can also download other code to the computer. Torpig/Sinowal is customized to grab data when a person visits certain online banking and other Web sites. It is coded to respond to more than 300 Web sites, with the top targeted ones being PayPal, Poste Italiane, Capital One, E-Trade and Chase bank, the paper said*. If a person goes to a banking Web site, a falsified form is delivered that appears to be part of the legitimate site, but asks for a range of data a bank would not normally request, such as a PIN (personal identification number) or a credit card number.... Web sites using SSL (Secure Sockets Layer) encryption are -not- safe if used by a PC with Torpig/Sinowal, since the malicious software will grab information before it is encrypted..."
* http://www.cs.ucsb.edu/~seclab/projects/torpig/index.html

:fear::mad::fear:
 
McAfee: 12M added to botnets Q1-2009

FYI...

McAfee: 12M added to botnets Q1-2009
- http://newsroom.mcafee.com/article_display.cfm?article_id=3515
May 05, 2009 - "... cybercriminals have taken control of almost 12 million new IP addresses since January, a 50 percent increase since 2008... Cybercriminals are building an army of infected, “zombie” computers to recover from last November’s takedown of a central spam-hosting ISP...
Other Key Findings:
• The Koobface virus has made a resurgence, and more than 800 new variants of the virus were discovered in March alone
• Servers hosting legitimate content have increased in popularity with malware writers to distribute malicious and illegal content
• Cybercriminals are increasing their use of URL redirects and Web 2.0 sites to disguise their location
• Compared to the overall landscape, the Conficker worm represents a small subset of all threat reports. Autorun malware, a vector used by certain Conficker variants, represented only 10% of all detections reported during the first quarter.
To view the full report, please visit: http://www.mcafee.com/threatsreport ."

:buried:
 
Botnet self-destructs - "Zeus" command

FYI...

Botnet self-destructs - "Zeus" command
- http://voices.washingtonpost.com/securityfix/2009/05/zeustracker_and_the_nuclear_op.html
May 7, 2009 - "... Hüssy oversees Zeustracker*, a Web site listing Internet servers that uses Zeus**, a kit sold for about $700 on shadowy cyber criminal forums to harvest data from computers infected with a password stealing Trojan horse program. One of Zeus's distinguishing features is a tool that helps each installation on a victim PC look radically different from the next as a means to evade detection by anti-virus tools. According to Hüssy, among Zeus's many features is the "kos" option, which stands for "kill operating system"... In early April, Hüssy began tracking a Zeus control server used to receive data stolen from a botnet of more than 100,000 infected systems, mostly located in Poland and Spain. While investigating this newfound Zeus control server, he noticed something unusual: the "kill operating system" had just been issued to all 100,000 infected systems. Hüssy said he has no idea why the botnet was destroyed... Currently, about one-third of the sites listed at Zeustracker are hacked or free Web services..."
* https://zeustracker.abuse.ch/monitor.php?filter=online
** http://rsa.com/blog/blog_entry.aspx?id=1274

:fear::mad:
 
Pirated Windows 7 comes with trojan - botnet

FYI...

- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=217400548
May 12, 2009 - "A pirated version of the new Windows 7 operating system release candidate that has been circulating around the Internet is also building out a botnet. The rogue OS, which is rigged with a Trojan downloader*, at one point had around 27,000 bots in its control as of May 10, when researchers took over the command and control server that communicated with the bots and served them additonal malware. At the height of the botnet buildup, the botmaster was recruiting over 200 machines an hour... Damballa researchers on Sunday grabbed control of the C&C domain, but they say this is likely just one of many versions of rogue Windows 7 OS... Damballa's Cox says most traditional antivirus software is unable to detect the pirated Windows 7 Trojan because the OS itself is infected and most AV solutions don't yet support Windows 7..."
* http://blog.trendmicro.com/cybercriminals-launch-tainted-windows-7-rc/

:fear::mad:
 
Pushdo botnet - recent findings

FYI...

- http://blog.trendmicro.com/pushdocutwail-–-the-art-of-spamming/
May 12, 2009 - "... One of the biggest spamming botnets out there is Pushdo. This botnet has managed to stay under the radar since 2007 even though it has been reported to be responsible for a huge percentage of the spam worldwide. It has even managed to make it consistently to the Top 5 largest botnets without ever reaching number one. There are reports of 7.7 billion spammed emails per day coming from this botnet, which puts it in the Top 2 largest spamming botnets worldwide... One of the latest batches contains an executable which displayed popup ads to the user, most probably from an advertiser who paid good money for the mass-deployment of their software. The only component that is always present is the spamming engine, which some antivirus vendors have dubbed as Cutwail..."

- http://blog.trendmicro.com/pushdocutwail-–-from-russia-with-love-part-2-of-5/
May 13, 2009 - "... The famous Storm botnet from 2008 had strong links to the so-called Russian Business Network operating out of St.Petersburg, and from our research it appears that Pushdo is linked to the Moscow area. Like other spam botnets Pushdo’s spamming component, known as Cutwail, sends spam in waves, each advertising a particular service. Normally these consist of porn, pharmacy spam etc – but it was when we started to see ads for Salsa classes and Construction services that we became really interested... As part of our research we contacted the gang on one of the numbers they provided, posing as a potential customer of their spamming services. As customer service satisfaction goes these guys were very helpful, providing us with bank account details that we could pay them through, and even offering to pick up the money in person if we were based in Moscow. On top of that they would throw in a free website design to promote our business, and offered to craft their “advertising mail services” (that’s unsolicited spam to you and me) to best avoid anti-spam signatures..."

(Screenshots available at both URLs above.)

:fear:
 
The "Finjan botnet"...

FYI...

- http://www.secureworks.com/research/blog/index.php/2009/05/12/following-the-trojan-trail/
May 12, 2009 - "... The "Finjan botnet" appears to be large... credit to FireEye for trying to track down the Finjan Botnet that Finjan first reported on. Reading through the Finjan and FireEye write-ups, one is able to reconstruct the trail and also discover the path taken. We can see two major types of Trojans that play a part in this. We have the VBInject Trojan and the AutoIt Trojan... There are two servers on the same network to which -VBInject- phones home: x.x.62.2 and x.x.21.186. The server at x.x.21.186 is no longer responsive and appears down at this time. The server at x.x.62.2 is still up and DNS still responds with that IP address for the domain name used in these attacks. If you actually try to browse to that domain though, you will not arrive at this server. As you can see from reading the FireEye article, the Trojan phones home to /ldr/loadlist.php. It downloads more malware from /ldr/dl/. One of the Trojans it downloads is -AutoIt-... This is the AutoIt Trojan phoning home and the response is to download around 15 pieces of malware...
As you can see by following the trail, gone are the days where you have just one Trojan infection. When you become infected today, it is best to just do a complete reformat of your machine instead of trying to recover it, because you really don’t know how many infections you have. I have read plenty of articles where someone cleans their machine and they think everything is fine only to find more malware days to weeks later.
There is not any perfect AV tool; there is no perfect solution for any one problem. Your best defense is to practice what is called defense in depth and to only go to known websites. Don’t open mail from people you don’t know and be careful opening attachments from people that you do know. Update your OS and software regularly, including AV. Just having AV does not mean that you are protected; you also have to keep it updated."
• FireEye Blog - http://blog.fireeye.com/research/2009/04/botnetweb-part-ii.html
• Finjan article - http://www.finjan.com/MCRCblog.aspx?EntryId=2237
• Prevx shows ZCHMIB.EXE - http://www.prevx.com/filenames/1521641268775071064-X1/ZCHMIB.EXE.html
• ThreatExpert shows TDSS/Seneka activity - http://www.threatexpert.com/report.aspx?md5=5a1a6f4e83900e86c3e7dc62554318ac

(More detail and screenshots available at the Secureworks URL above.)

// http://forums.spybot.info/showpost.php?p=306776&postcount=25
 
Golden Cash botnet

FYI...

Golden Cash botnet
- http://www.finjan.com/MCRCblog.aspx?EntryId=2281
June 17, 2009 - "... A user visits a legitimate compromised website which contains malicious Iframe. This Iframe causes the victim’s browser to pull the exploit code from a server armed with the exploit toolkit. Upon successful exploitation, a special build of a Trojan, created for the attacker, is being pulled from Golden Cash server. Once installed, the Trojan reports back to the Golden Cash server and the attacker’s account at Golden Cash is credited with currency. The first instruction sent by Golden Cash to the victim’s machine, is to install an FTP-grabber (to steal FTP-credentials). Our research found about 100,000 stolen FTP-credentials on the Golden Cash server. The victim’s machine is now in a pool of infected machines controlled by Golden Cash and being auctioned to other criminals, using a different website for buyers. From time to time, the victim’s machine gets instructions to install malware on behalf of the criminal-customer. The Trojan on the victim machine reports back to Golden Cash on each successful installation of the customer’s malware and the criminal-customer account is charged with currency. The victim machine is back in the ‘available for more infections’ pool.... the botnet spreads using distributors. For each distributor, a special bot build is created. The special build assists the cybercriminal to track the installations of each distributor... Some of the stolen FTP-credentials were used to inject malicious Iframe to the webpages that were stored on the FTP server. The reason for this was to infect more machines and generate organic growth. The C&C server is hosted in Texas, US; the registrant country is China. The “proxy’ website that tunnels traffic to the C&C server is hosted in Krasnodar, Russia."

(Screenshots available at the URL above.)

:fear::mad::fear::secret:
 
SPAM - from Waledac...

FYI...

SPAM - from Waledac...
- http://www.eset.com/threat-center/blog/?p=1285
July 7, 2009 - "... After 4th July, we have noticed an increase in the number of emails in circulation, and this week will be even more active. We believe that, like other campaigns, this one will last at least 15 days. However, what many readers may be wondering is why Waledac was “asleep” so many months. The reality is that the Trojan wasn’t spreading at that point. However, the botnet that was built with Waledac, remained as active as ever; working mainly to achieve their most important goal: to send spam. At ESET Latinamerica’s Laboratory, we made some tests to enable us to share information with users that shows the importance of staying uninfected: if my computer is infected with Waledac, how much spam does it send? We infected a computer in the laboratory with one of the Waledac trojans...
After that, we used a tool to monitor network traffic to see how many emails were sent by the botnet, since the system became infected . We made an initial measurement in 4 stages over a period of one hour (at different times of day), and the results were as follows:
• Stage 1: between 18:00 and 19:00 hs. 6968 emails were sent
• Stage 2: between 20:30 and 21:30 hs. 7148 emails were sent
• Stage 3: between 10:00 and 11:00 hs. 5610 emails were sent
• Stage 4: Between 13:00 and 14:00 hs. 6568 emails were sent
Taking the average of emails sent per hour (6548 emails), it is estimated that an infected computer can send about 150,000 emails a day. To be even clearer, that represents nearly two emails per second... If we consider that the network is estimated to consist of at least 20,000 infected computers, it can be seen that the botnet has a theoretical spam-sending capacity of 3 billion emails daily... many users will now understand why their computers work so slowly when their systems are infected..."

:fear::spider::fear:
 
Last edited:
Malware authors exploiting Conficker

FYI...

- http://www.techworld.com/security/news/index.cfm?newsID=119223
15 July 2009 - "Creators of Waledac malware have used the Conficker botnet as a tool to spread malware of their own, marking the first time Conficker was made available for hire, according to Cisco. Writing in its mid-yearly security report*, Cisco said that this was symptomatic of a wider trend of malware purveyors using established business practices to expand their illegal enterprises. Cisco likened the arrangement between Waledac and Conficker to a partner ecosystem, a term Cisco uses to describe its collaboration with other vendors. Waledac used the Conficker distribution channel to send spam and to expand its own botnet... Web sites that are infected to download malware to unsuspecting visitors will increase, the report predicted. These sites represent nearly 90 percent of all web-based threats, the report says. Creation of botnets would be a particular goal of this type of malware..."
* http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html

:mad:
 
Botnet money...

FYI...

Botnet money...
- http://www.viruslist.com/en/analysis?pubid=204792068
July 22, 2009 - "In the past ten years, botnets have evolved from small networks of a dozen PCs controlled from a single C&C (command and control center) into sophisticated distributed systems comprising millions of computers with decentralized control. Why are these enormous zombie networks created? The answer can be given in a single word: money. A botnet, or zombie network, is a network of computers infected with a malicious program that allows cybercriminals to control the infected machines remotely without the users’ knowledge. Zombie networks have become a source of income for entire groups of cybercriminals. The invariably low cost of maintaining a botnet and the ever diminishing degree of knowledge required to manage one are conducive to growth in popularity and, consequently, the number of botnets... Botnet owners or developers who have been prosecuted can be counted on the fingers of two hands. Which is not the case with botnets that are live on the Internet: the number of these has exceeded 3600... Without help from users, combating botnets cannot be effective. It is home computers that make up the lion’s share of the enormous army of bots. Neglecting to stick to simple security rules, such as using antivirus software, using strong account passwords and disabling the AutoPlay feature for removable media, can result in your computer becoming another botnet member, providing cybercriminals with your data and resources..."

:fear:
 
Twitter-based botnet command channel

FYI...

Twitter-based botnet command channel
UPDATED TO ADD STATS AND JAIKU PROFILE AND A TUMBLR PROFILE
- http://asert.arbornetworks.com/2009/08/twitter-based-botnet-command-channel/
August 13, 2009 - "While digging around I found a botnet that uses Twitter as its command and control structure. Basically what it does is use the status messages to send out new links to contact, then these contain new commands or executables to download and run. It’s an infostealer operation. The account in question is under analysis by Twitter’s security team. I spotted it because a bot uses the RSS feed to get the status updates. As for the original bot in question that fetches the updates, here’s the VirusTotal analysis*, where you can see it’s detected by 19/41 (46.34%) AV tools under evaluation. We can look at the status messages and discover more nefarious activity; the bot’s hiding new malcode which is poorly detected this way. The original link from the malcode came from a ShadowServer nightly link report, which they make available to folks. Many thanks to them...
UPDATE 14 Aug 2009 - Via bit.ly, some statistics that suggest the malcode has infected a couple hundred PCs, mostly in Brazil..."

(More detail at the URL above.)

* http://www.virustotal.com/analisis/...42c68d2b02b0284000d24c93f899122139-1249801350
File 40d09b7d94da70ede50866c55f48613c-2358.txt received on 2009.08.09 07:02:30 (UTC)
Result: 19/41 (46.34%)

* http://www.virustotal.com/analisis/...7ec493395a0d0e0365da4bed60272f311e-1250187288
File gbpm.exe received on 2009.08.13 18:14:48 (UTC)
Result: 9/41 (21.95%)

- http://www.symantec.com/connect/blogs/twittering-botnets
August 14, 2009

Infostealer.Bancos heatmap
- http://www.symantec.com/connect/imagebrowser/view/image/974211/_original

- http://www.symantec.com/connect/blogs/downloader-micro-blogging-and-prophecy
August 16, 2009 - "... A new variant of this threat has emerged that uses not only Twitter but also another social networking and micro-blogging site Jaiku.com. Symantec detects this Trojan as Downloader.Sninfs.B*. Like the previous variant, Downloader.Sninfs.B also attempts to get URLs from obfuscated Twitter status messages. However, if that attempt fails, the Trojan will use the RSS feed from an account registered on Jaiku .com to obtain the location of remote files..."
* http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-081603-5537-99&tabid=2
Discovered: August 16, 2009 = "... may be saved as the following files:
%Temp%\[SET OF RANDOM NUMBERS]\gbpm.exe
%Temp%\[SET OF RANDOM NUMBERS]\gbpm.dll
%Temp%\[SET OF RANDOM NUMBERS]\update.exe (copy of gbpm.exe) ..."

:fear::mad::fear:
 
Last edited:
Ilomo botnet - All your info are belong to us

FYI...

Ilomo botnet - All your info are belong to us
- http://blog.trendmicro.com/all-your-info-are-belong-to-us/
August 24, 2009 - "... Ilomo has (been) active for several years now, and like Pushdo has done so without attracting too much unwanted attention from the security industry. Like Pushdo, the Ilomo threat is quite modular in nature which makes it difficult to see the actions of the overall threat. Added to this is the fact that it uses a commercial virtual machine obfuscator, significantly adding to the effort involved in reverse engineering the malware binaries. Ilomo has two key components to its business plan. The first is good old fashioned information stealing. Ilomo injects its code into the browser and monitors the internet connection waiting for the user to connect to one of over 4000 banking, financial or webmail sites. Not content with simply stealing the user’s credentials, Ilomo can also “piggyback” on the user’s session – transferring funds from an infected user’s account and making a mockery of the bank’s secure login system. Ilomo will also harvest all other login credentials from the machine – ftp, web servers, local administrators etc. These are then used to spread itself across the network and to take control of web servers online, which it will use to host new versions of the malware... Ilomo ‘s second source of revenue is selling “anonymity as a service”. Every infected Ilomo machine acts as a proxy so that criminals can route their illegal activities through different networks and countries. In addition to hiding the criminals identity this proxy network is very useful for defeating another defense built into many banking sites – namely that they can only be accessed from certain countries. If a criminal needs to access a Brazilian bank, they simply use an infected Ilomo machine in Brazil to route the connection..."

(Screenshot available at the URL above.)

:fear::mad:
 
Status
Not open for further replies.
Back
Top