Pandemic of the botnets 2010

Asprox Spambot resurrects

FYI...

- http://www.m86security.com/labs/i/The-Asprox-Spambot-Resurrects,trace.1345~.asp
June 5, 2010 - "... on the first day of June, the spamming resumed - this time focused on pharmaceutical campaigns. With the help of Pushdo and Bredolab downloader, it seems Asprox has risen from the dead to build another spamming bot network... analysis also highlights the intricate relationships between individual malware components, and hint at a common gang behind it all."

(Screenshots and more detail available at the URL above.)

SSH brute force attempts on the rise again

FYI...

SSH brute force attempts on the rise again...
- http://isc.sans.edu/diary.html?storyid=9031
Last Updated: 2010-06-18 12:32:51 UTC - "SSH brute force attempts seem to be on the rise again, at the SANS Internet Storm Center we have received a number of reports that a number of networks are seeing them. The source IP addresses vary with each new attempted username in the wordlist, which would indicate that the attempts are distributed through botnet(s). It only takes a single user with a weak password for a breach to occur, then with that foothold escalation and further attacks are likely next...
Reader xemaps wrote in with this log snippet:
"The whole day my server has been targeted by a botnet; the attacker also changed IP with each new dictionary user."
Jun 17 23:02:03 pro sshd[17444]: Invalid user mailer from 217.37.x.x
Jun 17 23:03:24 pro sshd[17460]: Invalid user mailer from 87.66.x.x
Jun 17 23:05:27 pro sshd[17617]: Invalid user mailman from 89.97.x.x
Jun 17 23:09:30 pro sshd[17639]: Invalid user mailtest from 62.2.x.x
Jun 17 23:15:44 pro sshd[17894]: Invalid user maker from 83.236.x.x
Jun 17 23:16:47 pro sshd[17925]: Invalid user mama from 84.73.x.x
Reader Ingvar wrote in with a similar pattern:
"On my home system I have seen these login attempts that start with user "aaa" and go on alphabetically from over 1000 different hosts around the world (judging from the DenyHosts reports). Normally I only see single-digit attempts per day."
Jun 17 02:14:56 MyHost sshd[808]: error: PAM: authentication error for illegal user aaa from 151.100.x.x
Jun 17 02:23:11 MyHost sshd[870]: error: PAM: authentication error for illegal user aabakken from 150.254.x.x
Jun 17 02:24:57 MyHost sshd[875]: error: PAM: authentication error for illegal user aapo from 173.33.x.x
Jun 17 02:35:23 MyHost sshd[885]: error: PAM: authentication error for illegal user abakus from 121.160.x.x
Jun 17 02:37:32 MyHost sshd[895]: error: PAM: authentication error for illegal user abas from 190.200.x.x
Jun 17 02:38:18 MyHost sshd[900]: error: PAM: authentication error for illegal user abc from 193.251.x.x

Last year ISC Handler Rick wrote up a diary* for Cyber Security Awareness Month - Day 17 - Port 22/SSH about SSH brute force attempts and some safeguards that can be implemented. Here is a brief summary:
• Deploy the SSH server on a port other than 22/TCP
• Deploy one of the SSH brute force prevention tools
• Disallow remote root logins
• Set PasswordAuthentication to "no" and use keys
• If you must use passwords, ensure that they are all complex
• Use AllowGroups to limit access to a specific group of users
• Use a chroot jail for SSH if possible
• Limit the IP ranges that can connect to SSH ..."

* http://isc.sans.edu/diary.html?storyid=7369

- http://isc.sans.edu/port.html?port=22

MORE INFO...
- http://isc.sans.edu/diary.html?storyid=9034
Last Updated: 2010-06-18 17:05:49 UTC

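
Added example (not code from the ISC diary or the forum post): it parses the two sshd log formats quoted above, applies the diary's observation that the source address changes with each new wordlist username as a detection heuristic, and audits an sshd_config against the safeguard list. The reader log lines are the ones quoted in the diary (IPs masked as in the original); the single-source control case and both config snippets are constructed for the example.

```python
import re
from collections import Counter

# Both sshd line formats quoted in the diary: the plain "Invalid user" form and
# the "error: PAM: authentication error for illegal user" form.
FAILED_USER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user|error: PAM: authentication error for illegal user) "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)

def parse_failed_logins(lines):
    """Return (timestamp, username, source) tuples for lines naming an unknown user."""
    events = []
    for line in lines:
        m = FAILED_USER_RE.match(line.strip())
        if m:
            events.append((m.group("ts"), m.group("user"), m.group("src")))
    return events

def looks_distributed(events, min_sources=4):
    """Diary heuristic: the source changes with nearly every attempt while the
    usernames walk a wordlist in alphabetical order."""
    if len(events) < min_sources:
        return False
    users = [u for _, u, _ in events]
    sources = {s for _, _, s in events}
    one_source_per_try = len(sources) >= 0.75 * len(events)
    alphabetical = all(a <= b for a, b in zip(users, users[1:]))
    return len(sources) >= min_sources and one_source_per_try and alphabetical

def summarize(lines):
    """Counts a handler wants before choosing per-IP blocking or policy changes."""
    events = parse_failed_logins(lines)
    per_source = Counter(s for _, _, s in events)
    return {
        "attempts": len(events),
        "distinct_sources": len(per_source),
        "distinct_users": len({u for _, u, _ in events}),
        "distributed_wordlist": looks_distributed(events),
    }

# Expected sshd_config settings taken from the diary's safeguard list.
HARDENING = {
    "permitrootlogin": ("no", "disallow remote root logins"),
    "passwordauthentication": ("no", "use keys instead of passwords"),
}

def audit_sshd_config(text):
    """List directives that are unset or weak; an empty list means all checks pass."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2:
            seen[parts[0].lower()] = parts[1].strip().lower()
    findings = [f"{k}={seen.get(k, 'unset')}: {why}"
                for k, (good, why) in HARDENING.items() if seen.get(k) != good]
    if "allowgroups" not in seen:
        findings.append("allowgroups unset: limit access to a specific group")
    if seen.get("port", "22") == "22":
        # Moving the port only cuts log noise from wordlist bots; it is not a control.
        findings.append("port=22: consider a non-default port to reduce noise")
    return findings

# Log lines quoted by the two readers in the diary (IPs masked as in the original).
XEMAPS_LOG = [
    "Jun 17 23:02:03 pro sshd[17444]: Invalid user mailer from 217.37.x.x",
    "Jun 17 23:05:27 pro sshd[17617]: Invalid user mailman from 89.97.x.x",
    "Jun 17 23:09:30 pro sshd[17639]: Invalid user mailtest from 62.2.x.x",
    "Jun 17 23:15:44 pro sshd[17894]: Invalid user maker from 83.236.x.x",
]
INGVAR_LOG = [
    "Jun 17 02:14:56 MyHost sshd[808]: error: PAM: authentication error for illegal user aaa from 151.100.x.x",
    "Jun 17 02:23:11 MyHost sshd[870]: error: PAM: authentication error for illegal user aabakken from 150.254.x.x",
    "Jun 17 02:24:57 MyHost sshd[875]: error: PAM: authentication error for illegal user aapo from 173.33.x.x",
    "Jun 17 02:35:23 MyHost sshd[885]: error: PAM: authentication error for illegal user abakus from 121.160.x.x",
    "Jun 17 02:37:32 MyHost sshd[895]: error: PAM: authentication error for illegal user abas from 190.200.x.x",
    "Jun 17 02:38:18 MyHost sshd[900]: error: PAM: authentication error for illegal user abc from 193.251.x.x",
]
# Constructed control case: one host retrying the same account (not distributed).
SINGLE_SOURCE_LOG = [
    "Jun 17 04:00:01 pro sshd[18001]: Invalid user admin from 10.0.0.5",
    "Jun 17 04:00:03 pro sshd[18002]: Invalid user admin from 10.0.0.5",
    "Jun 17 04:00:05 pro sshd[18003]: Invalid user admin from 10.0.0.5",
    "Jun 17 04:00:07 pro sshd[18004]: Invalid user admin from 10.0.0.5",
]
# Constructed sshd_config fragments: the weak defaults beside the hardened form.
WEAK_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_CONFIG = ("Port 2222\nPermitRootLogin no\nPasswordAuthentication no\n"
                   "AllowGroups sshusers\n")
```

Per-IP blocking (DenyHosts style) does little when `distributed_wordlist` is true, because each source makes one attempt; the sshd_config findings are the controls that still hold.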
(More) Asprox SQL injection attacks

FYI...

- http://www.m86security.com/labs/i/Another-round-of-Asprox-SQL-injection-attacks,trace.1366~.asp
June 23, 2010 - "... we noticed reports of mass infections of IIS/ASP websites. The nature of these attacks reminded us of SQL injection attacks back in 2008 where Asprox was clearly involved. We suspected that the re-emergence of Asprox and these new mass website infections were not merely a coincidence. Well, this week our suspicions were confirmed when we came across another version of Asprox which started to launch both spam and SQL injection attacks. As of this writing, there are three fast-flux domains that the bot attempts to contact.
CL63AMGSTART .RU
HYPERVMSYS .RU
ML63AMGSTART .RU

These domains resolve to Asprox's control servers, which respond with spam templates, target email addresses, Asprox malware updates, as well as SQL injection attack information and lists of target ASP websites. When analyzing the new Asprox binary that we pulled from the command and control server, we noticed some interesting clues that show that Asprox is behind the latest SQL injection attacks... The Asprox bot downloads an encrypted XML file that contains a list of target ASP websites and some other information such as a Google search term to search more potential targets... So Asprox is back with a vengeance, and doing its typically Asprox-like things, namely spamming and SQL injection..."

Botnet has offspring...

FYI...

- http://www.theregister.co.uk/2010/06/29/kraken_botnet_resurgence/
29 June 2010 - "The Kraken botnet, believed by many to be the single biggest zombie network until it was dismantled last year, is staging a comeback that has claimed almost 320,000 PCs, a security researcher said. Since April, this son-of-Kraken botnet has infected an estimated 318,058 machines - about half as big as the original Kraken was at its height in the middle of 2008, according to Paul Royal, a research scientist at the Georgia Tech Information Security Center. Like its predecessor, the new botnet is a prodigious generator of spam, with a single machine with average bandwidth able to send more than 600,000 junk mails per hour... To evade detection, they use as many as 1,200 unique malware variants. One widely used strain was flagged by just 50 per cent of AV last week, according to this VirusTotal analysis*... The latest Kraken uses domain names offered by dynamic DNS services to corral its bots into command and control channels. Because the addresses are extensions of legitimate domain names, it prevents them from being shut down by registrars..."
* http://www.virustotal.com/analisis/...75808e324ff3a3c7070c9536b52931337c-1277172595
File 07d2421a836b3e943d75917a69bd98ae received on 2010.06.22 02:09:55 (UTC)
Result: 21/41 (51.22%)

Zeus botnets in UK...

FYI...

Zeus trojan regionally-targeted...
- http://www.theregister.co.uk/2010/07/01/regional_trojan_threat/
1 July 2010 - "Cybercrooks have developed regionally-targeted banking Trojans that are more likely to slip under the radar of anti-virus defences. Detection rates for regional malware vary between zero and 20 per cent, according to a study by transaction security firm Trusteer. This company markets browser security add-ons to banks, which offer them to consumers as a way of reducing the risk of malware on PCs resulting in banking fraud. Trusteer cites two pieces of regional malware targeted at UK banking consumers. Silon.var2 crops up on one in every 500 computers in the UK compared to one in 20,000 in the US. Another strain of malware, dubbed Agent-DBJP, was found on one in 5,000 computers in the UK compared to one in 60,000 in the US. The Zeus Trojan is the most common agent of financial fraud worldwide. The cybercrime toolkit is highly customisable and widely available through underground carder and cybercrime forums. Trusteer has identified two UK-specific Zeus botnets, designed to infect only UK-based Windows and harvest login credentials of only British banks from these compromised systems..."

More Zeus...
- http://blog.trendmicro.com/zeuszbot-targets-russian-banks/
July 5, 2010 - "... this specific sample targeted several banks around the globe, including Russian banks... This ZeuS/ZBOT sample also targeted banks found in Germany, the United States, the United Kingdom, Poland, the Netherlands, Italy, Spain, France, Belarus, Bulgaria, Australia, Ireland, the United Arab Emirates, Turkey, and New Zealand..."

FYI...

Botnet size and Lies, Damn Lies...
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100705
July 05, 2010 - "... If one looks at the targets of online crime, it's hard to draw trends but we can make a few educated guesses. In general, they're targets of opportunity. These days, large companies and financial institutions are actually a reasonably high bar for your average online criminal. Reading reports by Brian Krebs*, the majority of known and reported business victims of online theft are on the smaller side. There are two reasons for this:
1) they tend not to view information security as a high priority, thus making them easier targets and
2) there's more of them and they simply get caught up in widespread mass campaigns.
Don't get caught up in "which is the biggest botnet". Worry about how the botnet is being used. Worry that it's being used to steal money from mom and pop companies who don't stand a chance."

(Charts and more detail available at the Shadowserver URL above.)

* http://krebsonsecurity.com/category/smallbizvictims/

GootKit - site infections

FYI...

- http://www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp
June 30, 2010 - "... attackers do not infect hundreds of web pages by hand, they use a script or a botnet to do the work for them. Some examples of this are Asprox and Gumblar, which are known for doing mass web site infections, Asprox via SQL injection and Gumblar by using stolen FTP credentials. One other such bot is known as GootKit. We came across this bot when it was installed on one of our test machines by a malicious downloader, along with a host of other malware. Most of Gootkit’s functions are implemented in scripts that are downloaded as tasks from a control server... We are unsure exactly how the control server obtained all of the FTP credentials, but most often these are stolen via keyloggers and information stealing malware installed on a website administrator's PC. Gootkit is another example that highlights the highly automated systems that attackers are using to infect web pages en masse. These systems are underpinned and driven by botnets, which give the scalability and anonymity that the cybercriminals desire."

Zeus v3 in the wild...

FYI...

- http://www.theregister.co.uk/2010/07/13/zeus_goes_local/
13 July 2010 - "Hackers have created a new version of the Zeus crimeware toolkit that's designed to swipe bank login details of Spanish, German, UK and US banks. The malware payload, described by CA as Zeus version 3, is far more selective in the banks it targets. Previous versions targeted financial institutions around the world while the latest variant comes in two flavours: one that only targets banks in Spain and Germany, and a second that only targets financial institutions in the UK and US. In addition the latest version of Zeus contains features that make it far harder for security researchers to figure out what the malware is doing. Zombie drones on the Zeus botnet operate on a need to know basis, CA explains*... Command and control systems associated with the bot are "mostly hosted in Russia", according to CA..."
* http://community.ca.com/blogs/secur...-3-target-spain-germany-uk-and-usa-banks.aspx

Mumba botnet campaign

FYI...

- http://www.theinquirer.net/inquirer/news/1725904/cybercrimals-thousands-mumba-botnet
Aug 02 2010 - "... the Mumba botnet malware has infected 55,000 PCs around the world. Apparently the botnet has been responsible for stealing up to 60GB of personal data. The compromised data includes bank account details and credit card numbers. The US has suffered the lion's share of the hack with 33 per cent of infected systems, Germany comes in second with 17 per cent, Spain has 7 per cent and the UK 6 per cent while Mexico and Canada each have 5 per cent... the hackers specifically targeted the US in the malware attacks, possibly because it's a bigger target. The Mumba botnet was developed by the Avalanche Group to maximise the number of malware attacks and it uses the latest version of Zeus...."

- http://www.theregister.co.uk/2010/08/02/mumba_botnet_infiltrated/
2 August 2010

Zeus2 botnet takedown in UK...

FYI...

- http://www.theregister.co.uk/2010/08/04/zeus2_botnet_pwns_brit_pcs/
4 August 2010 - "Security researchers have uncovered the command and control network of a Zeus 2 botnet sub-system targeted at UK surfers that controlled an estimated 100,000 computers. Cybercrooks based in eastern Europe used a variant of the Zeus 2 cybercrime toolkit to harvest personal data - including bank log-ins, credit and debit card numbers, bank statements, browser cookies, client side certificates, and log-in information for email accounts and social networks - from compromised Windows systems. Trusteer researchers identified the botnet's drop servers and command and control centre before using reverse engineering to gain access to its back-end database and user interface. A log of IP addresses used to access the system, presumably by the cybercrooks that controlled it, was passed by Trusteer onto the Metropolitan Police... The original attack was probably seeded by a combination of infected email attachments and drive-by downloads, according to Amit Klein, Trusteer's chief technology officer. The Windows-based malware used to control zombie clients was a variant of the infamous Zeus cybercrime toolkit, a customisable Trojan keylogger and botnet-control client sold through underground forums that's become the sawn-off shotgun of the cybercrime economy over recent years..."
- http://www.trusteer.com/company/trusteer-in-the-news/2010

Conficker -still- 6 million strong

FYI...

Conficker -still- 6 million strong...
- http://www.theregister.co.uk/2010/08/05/conficker_analysis/
5 August 2010 - "The unknown crooks behind the infamous Conficker worm may be quietly selling off parts of the huge botnet established by the malware, but virus fighters have no way of knowing because the cryptographic defences of its command and control network have proved uncrackable... The Conficker Working Group* constantly monitors the IP addresses of infected machines as they check into sink holes. Many enterprises associated with infections drop off the radar only to return days or weeks later, probably as the result of the application of infected backups that have not been purged of malware. Utilities such as Microsoft's Malicious Software Removal Tool, effective in cleaning up other infections, have proved ineffective against Conficker because software security updates get disabled on compromised machines..."
* http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking

Conficker Eye Chart
- http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

Zeus botnet raid on UK bank accounts

FYI...

Zeus botnet raid on UK bank accounts...
- http://sunbeltblog.blogspot.com/2010/08/security-lessons-in-zeus-botnet-raid-on.html
August 11, 2010 - "The well-read UK security news site The Register is carrying a story detailing how the operators of the Zeus botnet planted their sophisticated malware on thousands of UK bank customers’ computers, stole log-in information then raided the accounts for more than $1 million with the help of money mules. Bradley Anstis, vice president of technical strategy for M86 Security, which discovered the attack several weeks ago, told The Register that his company is providing information to the bank involved as well as law enforcement officials. He said M86 identified the botnet's command and control server - hosted in Moldova - and downloaded log files from it. “It also found that the exploit pack used to seed the attack had claimed a much larger number of victims - as many as 300,000 machines. The vast majority were Windows boxes, but 4,000 Mac machines were also hit. The logs also revealed that 3,000 online banking accounts had been victimised between 5 July and 4 August alone,” The Register* said..."
* http://www.theregister.co.uk/2010/08/11/zeus_cyberscam_analysis/

- http://www.m86security.com/labs/i/C...Institution-Hit-by-Cybercrime,trace.1431~.asp
August 10, 2010 - "... new Zeus v3 Trojan"

- http://www.m86security.com/labs/i/Statement-About-Infection-of-Macs-by-ZeuS,trace.1433~.asp
Last Reviewed: August 13, 2010 - "... to clarify our recent paper does -not- report on any ZeuS infections of computers running the Mac OS."

Botnet floods net with SSH attacks

FYI...

- http://www.theregister.co.uk/2010/08/12/server_based_botnet/
Updated - 12 August 2010 - "A server-based botnet that preys on insecure websites is flooding the net with attacks that attempt to guess the login credentials for secure shells protecting Linux boxes, routers, and other network devices. According to multiple security blogs, the bot compromises websites running outdated versions of phpMyAdmin. By exploiting a vulnerability patched in April*, the bot installs a file called dd_ssh, which trawls the net for devices protected by the SSH protocol... In addition to posing a threat to unpatched websites and SSH-protected devices, the attacks are also creating headaches for large numbers of non-vulnerable sites... this SANS Diary post** reports having success in warding off the attacks with DenyHosts***, an open source script that pools IP blacklists from more than 70,000 users. A better countermeasure still is to configure SSH devices to use a cryptographic key, something that is orders of magnitude harder to brute-force than a simple password..."

* http://www.debian.org/security/2010/dsa-2034

** http://isc.sans.edu/diary.html?storyid=9370
Last Updated: 2010-08-12 09:31:57 UTC ...(Version: 5)

*** http://denyhosts.sourceforge.net/
___

- http://www.theregister.co.uk/2010/08/13/waledac_zombie_attacks_return/
Posted in Spam, 13 August 2010 - "Updated Update: Trend Labs has reclassified the malware as a Bredolab variant instead of Waledac. That means the central premise of our original story - that Waledac is back from the grave - is wrong...
Attacks designed to draft new recruits into the infamous Waledac spambot network are back from the dead, months after the zombie network was effectively decapitated... The Microsoft-led operation was rightly hailed as a big success but did nothing to clean up an estimated 90,000 infected bot clients even though it stemmed the tide of spam from these machines. Left without spam templates or instructions, these machines have remained dormant for months. However, over recent weeks, the botnet is making a comeback of sorts. Spammed messages containing malicious attachments harbouring Waledac agents and disguised as tax invoices or job offers and the like have begun appearing, Trend Micro warns*. The same run of spam messages is also being used to spread fake anti-virus and other scams unrelated to Waledac, and there's no sign that a new command and control structure, much less a fresh round of spamming, has begun..."
* http://blog.trendmicro.com/waledac-still-spreading-via-malicious-attachments
UPDATE: Following deeper analysis of this threat by senior threat researchers, TrendLabs has reclassified the malware used in this attack as a BREDOLAB variant (detected as TROJ_BREDOLAB.JA) instead of WALEDAC. An unfortunate combination of human and machine errors led to the mislabeling of this threat as WALEDAC. Apologies for the confusion...
Aug. 12, 2010 - "... In the past few weeks, there has been something of an increase in the number of spammed messages delivering malicious attachments to users..."

Pushdo botnet pushing SPAM w/malware

FYI...

- http://www.m86security.com/labs/i/Malicious-Spam-on-the-Increase,trace.1486~.asp
Last Reviewed: August 18, 2010 - "... We are currently seeing increased levels of spam-borne malware. Our figures over the last three months show an increasing trend in the proportion of malicious spam. In the week ending 8 August, this figure spiked to over 6% of spam, or in other words, 6 out of every 100 spam messages... The vast majority of it can be traced back to one spam botnet family – Pushdo (or Cutwail). This botnet is a prolific and multi-faceted spammer, and has historically been very active in malicious spam campaigns. Every day we observe it spamming out emails with malicious attachments, or, less often, with URL links to malicious web pages... The actual malware also changes often. Depending on the anti-virus vendor, many different names are assigned to these downloaders, including Bredolab, Oficla, and Sasfis to name just a few. In a sense, the name is unimportant. The job of the downloader is to reach out to the web to download and install more malware. Most commonly, we see fake AV, spambots and data stealers like Zbot being downloaded and installed in this second stage of infection... The gang behind Pushdo have this system down to a fine art. Our guess is that they are affiliated to one or more pay-per-install schemes, where they get rewarded for each successful install of the different types of malware they spread around."

(Screenshots and more detail available at the URL above.)

Pushdo Botnet crippled

FYI...

- http://labs.m86security.com/2010/08/pushdo-spambot-crippled/
August 27, 2010 - "This morning we noticed that the usual torrent of spam from the Pushdo (or Cutwail) botnet had turned into a dribble... It turns out that the folks at TLLOD* have been busy analyzing Pushdo command and control servers, and coordinating their take down. According to their blog*, over 30 Pushdo control servers were identified and 20 were taken down with the help of the relevant hosting providers. However, there still remain a few active control servers serving up spamming data... this coordinated takedown has had an immediate impact on Pushdo’s spam output. This is welcome news indeed, especially as Pushdo has been responsible for wave after wave of malicious spam campaigns in recent months. Still, we must sound a note of caution. Previous experience has taught us that these botnet take downs are short lived. Disabling control servers does not incapacitate the people behind the botnet. It is highly likely they’ll be back before long with new control servers, and bots to do their spamming. In the meantime, we can enjoy a few days with less spam about."
* http://blog.tllod.com/2010/08/26/insights-into-the-pushdocutwail-infrastructure/

Pushdo Spam volume graphic
- http://labs.m86security.com/wp-content/uploads/2010/08/pushdo_stats.png

Pushdo Botnet Crippled – II
- http://labs.m86security.com/2010/09/pushdo-botnet-crippled-ii/
September 9th, 2010

- http://www.m86security.com/labs/spam_statistics.asp
Statistics for Week ending September 12, 2010

Waledac and Operation b49 update

FYI...

Waledac and Operation b49 update...
- http://blogs.technet.com/b/mmpc/archive/2010/09/08/an-update-on-operation-b49-and-waledac.aspx
8 Sep 2010 - "... Microsoft’s Digital Crimes Unit, in partnership with Microsoft’s Trustworthy Computing team and the Microsoft Malware Protection Center, undertook a combination of technical measures and previously untried legal techniques to disrupt and control the Waledac botnet. It was apparent from our own and from independent telemetry that the technical measures were successful, and today we are providing an update on the novel legal aspects of this approach. Our intent with this approach was to both disable the command and control infrastructure of the botnet so that new commands could not be issued to the computers which were still infected with the malware and to maintain that control in the long term while working within the law. To date, we have seen virtually no reemergence of Waledac traffic. This puts the Waledac takedown among a very few successful efforts to shut down a botnet without having it re-emerge... As you may have seen in USA Today* this morning, Judge Anderson has indicated that he recommends that the court grant our request and permanently transfer ownership of the 276 domains used for command and control of the Waledac botnet to Microsoft... Anyone who believes that they may be infected can find support and information and other resources (including no-cost tools to clean the computer) at http://support.microsoft.com/botnets ... Operation b49 is the first initiative in the larger Project MARS (Microsoft Active Response for Security)... more to come. You can read more about today’s news on the Official Microsoft Blog.**"
* http://www.usatoday.com/tech/news/2010-09-08-botnets08_ST_N.htm

** http://blogs.technet.com/b/microsof...p-waledac-undoing-the-damage-of-a-botnet.aspx

- http://support.microsoft.com/contactus/cu_sc_virsec_b49

Prolific DDoS Bot targeting many industries...

FYI...

Prolific DDoS Bot targeting many industries
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100913
13 September 2010 - "... I've been watching a DDoS group that has been attacking a wide variety of victims in several different countries. This group uses the BlackEnergy botnet to carry out its attacks. The Command and Control servers are using the following domains:
* globdomain.ru
* greenter.ru ...
As of this post, globdomain.ru is on 194.28.112.134 and greenter.ru is on 194.28.112.135. While we don't wish to individually list all the DDoS victims, we do want to break it down by industry and country to give an idea of the breadth of the attacks. Since mid 2010, the DDoS attack victims were distributed among various industries including:
DDoS Industry Victims ...
DDoS Victim Countries ...
Shadowserver is in the process of notifying the various global CERT teams, Law Enforcement, as well as the victims themselves."
(More detail at the Shadowserver URL above.)

- http://asert.arbornetworks.com/2010/09/critical-voices-ddosed-in-malaysia-and-elsewhere/
September 13th, 2010 - "... Black Energy botnets..."

SpyEye botnet kit...

FYI...

- http://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/
September 17, 2010 - "Miscreants who control large groupings of hacked PCs or “botnets” are always looking for ways to better monetize their crime machines, and competition among rival bot developers is leading to devious innovations. The SpyEye botnet kit, for example, now not only allows botnet owners to automate the extraction of credit card and other financial data from infected systems, but it also can be configured to use those credentials to gin up bogus sales at online stores set up by the botmaster... All of the other software sales and distribution systems coded into the SpyEye bot kit are entities operated by Digital River..."

Botnet and Zeus activities - reduced

FYI...

- http://hostexploit.com/blog/4-curre...edia-sees-off-botnet-and-zeus-activities.html
19 September 2010 - "... adverse publicity that followed HostExploit’s report naming Demand Media as #1 ‘Bad Host’ in the world. Swift action appears to have been taken as eNom - Demand Media’s domain Registrar arm - has shown signs of a dramatic reduction in the number of malicious activities hosted. HostExploit is pleased to report that in the past 7 days, well-known botnet command & control (C&C) servers present on eNom-hosted sites have finally been taken offline... We have been monitoring closely the past few weeks for signs of improvement in eNom’s hosting via our malicious host activity tracking tool, SiteVet, which quantifies badness levels into a "HE Index". We began to see signs of some malicious activity dropping off... In particular, C&Cs for the popular Zeus botnet fell to zero... having been as high as 23 in the preceding weeks... FIRE also shows a drop in C&Cs at around the same time..."

- http://asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/
Sep. 22, 2010
- http://blog.trendmicro.com/new-azvhan-bot-family-revealed/
Sep. 24, 2010

Over 2 million botnet U.S. PCs cleaned...

FYI...

Over 2 million botnet U.S. PCs cleaned ...
- http://news.cnet.com/8301-1009_3-20019602-83.html
October 14, 2010 - "More than 2 million PCs in the U.S., or 5.2 out of every 1,000, were recruited into botnets during the second quarter of 2010, according to a Microsoft report... The company's ninth and latest Security Intelligence Report* tracked the spread of botnets and malware infections detected and removed throughout the world during the first and second quarters of the year. The sheer number of infected PCs found and cleaned up by Microsoft (via MSRT) in the U.S. in the second quarter was the highest in the world. But the percentage of infected PCs was greater elsewhere... Among the botnets that plagued computer users during the second quarter, Win32/Rimecud was the most active, with almost 70 percent more detections than the next most common family of botnets. Rimecud was the main malware family responsible for the Mariposa botnet..."
* http://www.microsoft.com/security/sir/default.aspx

Chart:
> http://www.microsoft.com/security/assets/images/_security/sir/story/fig_14.jpg
