Pandemic of the botnets 2012 ...

Flashback botnet checker...

FYI...

Flashback botnet checker ...
- http://atlas.arbor.net/briefs/index#-1335098248
April 09, 2012 - "This resource allows a manual pasting of an OSX system's unique identifier into a form that will show if that machine is part of the Flashback botnet.
Analysis: This tool is provided by Dr. Web who first published details on the OSX Flashback infections. It does not scale well but allows for manual checking and can be helpful for end users."
Source: http://public.dev.drweb.com/april/
"Dear Mac OS user..."

- http://atlas.arbor.net/briefs/index#-824346427
April 09, 2012
___

Symantec OSX.Flashback.K Removal Tool
- http://www.symantec.com/security_response/writeup.jsp?docid=2012-041214-1825-99
April 12, 2012

F-secure Flashback Removal Tool
- http://www.f-secure.com/weblog/archives/FlashbackRemoval.zip
"... tool linked above has been updated April 12th..."

Infection by OSX version - chart
- https://www.f-secure.com/weblog/archives/ChitikaMacOSXVerions.png

> http://forums.spybot.info/showpost.php?p=424413&postcount=44
April 12, 2012

:spider:
 
Google: infected users affected by the DNSChanger malware ...

FYI...

Google: infected users affected by the DNSChanger malware
- http://googleonlinesecurity.blogspot.com/2012/05/notifying-users-affected-by-dnschanger.html
May 22, 2012 - "Starting today we’re undertaking an effort to notify roughly half a million people whose computers or home routers are infected with a well-publicized form of malware known as DNSChanger. After successfully alerting a million users last summer to a different type of malware, we’ve replicated this method and have started showing warnings via a special message* that will appear at the top of the Google search results page for users with affected devices...
* http://4.bp.blogspot.com/-EY9pz56oz...AACHQ/aJ5P94lR3eo/s500/DNSChanger+warning.png
... Our goal with this notification is to raise awareness of DNSChanger among affected users. We believe directly messaging affected users on a trusted site and in their preferred language will produce the best possible results. While we expect to notify over 500,000 users within a week, we realize we won’t reach every affected user. Some ISPs have been taking their own actions, a few of which will prevent our warning from being displayed on affected devices. We also can’t guarantee that our recommendations will always clean infected devices completely, so some users may need to seek additional help. These conditions aside, if more devices are cleaned and steps are taken to better secure the machines against further abuse, the notification effort will be well worth it."
___

DNS Changer Eye Chart:
>> http://www.dcwg.org/detect/

:fear:
 
Zbot relentless - Anti-emulations ...

FYI...

Zbot relentless - Anti-emulations
- http://www.symantec.com/connect/blogs/relentless-zbot-and-anti-emulations
July 3, 2012 - "A couple of months ago, Microsoft took out some Trojan.Zbot servers across the world. The impact was short-lived. Even though for a span of about two weeks, we saw virtually no Trojan.Zbot activity, relentless Trojan.Zbot activity has resumed — with some added new social-engineering techniques as well as some new techniques to help Trojan.Zbot avoid antivirus detection... The effort that has been made by the Trojan.Zbot malware writers is not limited to one, or even a couple of techniques. In most malware variants there are many simple or complicated techniques to help avoid detection... These techniques are part of ever-evolving malware techniques, especially from professional malware writers who invest a large amount of time researching new techniques to -evade- antivirus detection..."

Botnet infections in the enterprise
- http://atlas.arbor.net/briefs/index#730205984
July 03, 2012
The scope and costs of botnet infections require a change in tactics.
Analysis: While automation is critical, automated security systems such as IDSs, firewalls, vulnerability scanning solutions, etc. are -not- a fool-proof solution and must be augmented and run by skilled practitioners. Attackers know how to bypass many security systems, and without skilled practitioners in the loop, this trend will continue...

:sad: :mad:
 
DNSchanger shutdown ...

FYI...

DNSchanger shutdown ...
- http://www.theregister.co.uk/2012/07/05/dnschanger_botnet_shutdown/
5 July 2012 - "An estimated 300,000 computer connections are going to get scrambled when the FBI turns off the command and control servers for the DNSChanger botnet on Monday...
DNSChanger reroutes DNS requests to its own servers and then pushes scareware and advertising to infected machines. Shutting it down, however, will leave computers unable to access websites and email properly without a fix being applied. The FBI had been due to shut down DNSChanger in March, but left it up for an extra three months to allow more time for users to disinfect their systems. Companies and governments have made a big effort to clean systems with the help of the DNS Changer Working Group (DCWG)*, which was set up by security experts to manage the problems. But according to the latest DCWG data, there are still 303,867 infected systems out there..."

* http://www.dcwg.org/detect/
"... quick way to determine if you are infected with DNS Changer. Each site is designed for any normal computer user to browse to a link, follow the instructions, and see if they might be infected. Each site has instructions in their local languages on the next steps to clean up possible infections..."

:fear: :sad:
 
Grum botnet takedown

FYI...

Grum botnet takedown ...
- http://blog.fireeye.com/research/2012/07/grum-botnet-no-longer-safe-havens.html
2012.07.18 - "... the Grum botnet has finally been knocked down. All the known command and control (CnC) servers are dead, leaving their zombies orphaned... According to data coming from Spamhaus, on average, they used to see around 120,000 Grum IP addresses sending spam each day, but after the takedown, this number has reduced to 21,505. I hope that once the spam templates expire, the rest of the spam will fade away as well..."

- http://h-online.com/-1647692
19 July 2012 - "... The botnet is believed to have been responsible for as much as 18% of total global spam, which amounts to approximately 18 billion messages a day..."

Spam Stats
- https://www.trustwave.com/support/labs/spam_statistics.asp
Week ending July 22, 2012

:fear: :spider:
 
APTs more prolific ...

FYI...

APTs more prolific ...
- http://www.darkreading.com/taxonomy/index/printarticle/id/240004827
Aug 02, 2012 - "... cyberespionage malware and activity is far more prolific than imagined: (Joe Stewart - Dell Secureworks) has discovered some 200 different families of custom malware used to spy and steal intellectual property, with hundreds of attackers in just two groups out of Shanghai and Beijing... Stewart also unearthed a private security firm located in Asia - not in China - that is waging a targeted attack against another country's military operations, as well as spying on U.S. and European companies and its own country's journalists. He declined to provide details on the firm or its country of origin, but confirmed it's based in a nation that's "friendly" with the U.S... Stewart plans to continue hunting down APT attackers... The full report is here*."
* http://www.secureworks.com/research/threats/chasing_apt/
23 July 2012 - "... tracking numerous digital elements involved in cyber-espionage activity:
• More than 200 unique families of -custom- malware used in cyber-espionage campaigns.
• More than 1,100 domain names registered by cyber-espionage actors for use in hosting malware C2s or spearphishing.
• Nearly 20,000 subdomains of the 1,100 domains (plus a significant number of dynamic DNS domains) are used for malware C2 resolution.
This quantity of elements rivals many large conventional cybercrime operations. However, unlike the largest cybercrime networks that can contain millions of infected computers in a single botnet, cyber-espionage encompasses tens of thousands of infected computers spread across hundreds of botnets, each of which may only control a few to a few hundred computers at a time. Therefore, each time an "APT botnet" is discovered, it tends to look like a fairly small-scale operation. But this illusion belies the fact that for every APT botnet that is discovered and publicized, hundreds more continue to lie undetected on thousands of networks..."
(More detail at the Secureworks URL above.)

:fear: :mad: :fear:
 
Godaddy DDoS attack in progress

FYI...

Godaddy DDoS attack in progress
- https://isc.sans.edu/diary.html?storyid=14062
Last Updated: 2012-09-10 21:39:54 UTC ...(Version: 2)
Update: GoDaddy appears to make some progress getting services back online. The web site is responding again. DNS queries appear to be still timing out and logins into the site fail. (17:30 ET) GoDaddy is currently experiencing a massive DDoS attack. "Anonymous" was quick to claim responsibility, but at this point, there has been no confirmation from GoDaddy. GoDaddy only stated via twitter: "Status Alert: Hey, all. We're aware of the trouble people are having with our site. We're working on it." The outage appears to affect the entire range of GoDaddy hosted services, including DNS*, Websites and E-Mail. You may experience issues connecting to sites that use these services (for example our DShield.org domain is hosted with GoDaddy)..."

* Alternate DNS: http://208.69.38.205/

:mad:
 
GoDaddy's network status ...

GoDaddy's network status:
- http://support.godaddy.com/system-alerts/

"Recently Resolved Issues
Resolved September 10, 2012 at 6:41 PM
... Known Issues
Updated:
06:22 MST
No issues to report"
___

- https://www.godaddy.com/newscenter/release-view.aspx?news_item_id=410
"... We have determined the service outage was due to a series of internal network events that corrupted router data tables... We have implemented measures to prevent this from occurring again. At no time was any customer data at risk or were any of our systems compromised...
- Scott Wagner Go Daddy CEO"

.
 
Nitol botnet takedown

FYI...

Nitol botnet takedown
- https://blogs.technet.com/b/microso...an-unsecure-supply-chain.aspx?Redirected=true
13 Sep 2012 - "... the U.S. District Court for the Eastern District of Virginia granted Microsoft’s Digital Crimes Unit permission to disrupt more than 500 different strains of malware with the potential for targeting millions of innocent people. Codenamed “Operation b70,” this legal action and technical disruption proceeded from a Microsoft study which found that cybercriminals infiltrate unsecure supply chains to introduce counterfeit software embedded with malware for the purpose of secretly infecting people’s computers. In disrupting these malware strains, we helped significantly limit the spread of the developing Nitol botnet... On Sept. 10, the court granted Microsoft’s request for an ex parte temporary restraining order against Peng Yong, his company and other John Does. The order allows Microsoft to host the 3322 .org domain, which hosted the Nitol botnet, through Microsoft’s newly created domain name system (DNS). This system enables Microsoft to block operation of the Nitol botnet and nearly 70,000 other malicious subdomains hosted on the 3322 .org domain, while allowing all other traffic for the legitimate subdomains to operate without disruption. This action will significantly reduce the impact of the menacing and disturbing threats associated with Nitol and the 3322 .org domain, and will help rescue people’s computers from the control of this malware... Cybercriminals have made it clear that anyone with a computer could become an unwitting mule for malware; today’s action is a step toward preventing that... If you believe your computer might be infected with malware, we encourage you to visit http://support.microsoft.com/botnets as this site offers free information and tools to analyze and clean your computer..."

- https://krebsonsecurity.com/2012/09/malware-dragnet-snags-millions-of-infected-pcs/
Sep 19, 2012 - "... Microsoft said that within hours of the takeover order being granted, it saw more than 35 million unique Internet addresses phoning home to those 70,000 malicious domains... graphic* provided by Microsoft..."
* https://krebsonsecurity.com/wp-content/uploads/2012/09/mal3322.png
___

- https://blog.damballa.com/archives/1806
Sep 13, 2012 - "... Nitol... employs multiple domains from several free dynamic DNS providers, including -other- four-digit .ORG domain services such as 6600 .org, 7766 .org, 2288 .org and 8866 .org..."

(Highly recommend blocking those addresses also, if you haven't already.)

:eek::fear::mad:
 
ZeroAccess botnet ...

FYI...

ZeroAccess botnet ...
- http://www.f-secure.com/weblog/archives/00002430.html
Sep 20, 2012 - "... ZeroAccess is a very large botnet and there are millions of infections globally. Here's the USA:
> http://www.f-secure.com/weblog/archives/ZeroAccessGoogleEarthUSA756x464.png
... Here's Europe:
> http://www.f-secure.com/weblog/archives/ZeroAccessGoogleEarthEurope756x464.png ..."

- http://nakedsecurity.sophos.com/2012/09/19/zeroaccess-botnet-uncovered/
Sep 19, 2012 - "... ZeroAccess* uses a peer-to-peer network to download plugin files which carry out various tasks designed to generate revenue for the botnet owners. Our researchers monitored this network for a period of two months to discover where in the world the peers were located and what kind of files the botnet was being instructed to download. We found the IP addresses of infected machines from a total of 198 countries... Our research has discovered that the ZeroAccess botnet is currently being used for two main purposes: Click fraud and Bitcoin mining..."
* https://sophosnews.files.wordpress.com/2012/09/image001.jpg?w=640

- https://isc.sans.edu/diary.html?storyid=12079
Last Updated: 2011-11-22 - "... The following tools were tested and worked quite fine against ZeroAccess. Kaspersky TDSSKiller has a good feature to offer a quarantine option if you want.
Kaspersky: http://support.kaspersky.com/downloads/utils/tdsskiller.zip
WebRoot: http://anywhere.webrootcloudav.com/antizeroaccess.exe
McAfee: http://vil.nai.com/images/562354_4.zip
Ah yes, remember that it will be cleaning one trojan, and that you still have at least a ZeuS running on the system..."

:sad: :mad:
 
New DIY DDoS-bot spotted in-the-wild

FYI...

New Russian DIY DDoS-bot spotted in-the-wild
- http://blog.webroot.com/2012/09/28/new-russian-diy-ddos-bot-spotted-in-the-wild/
Sep 28, 2012 - "... a recently released DIY DDoS bot, which according to its author is a modification of the Dirt Jumper DDoS bot*.
More details:
Sample screenshot of the command and control interface of the Russian DIY DDoS Bot:
> https://webrootblog.files.wordpress.com/2012/09/diy_russian_ddos_bot_01.png
... The bot supports SYN flooding, HTTP flooding, POST flooding and the special Anti-DDoS protection type of flooding. It also has built-in anti-antivirus features allowing it to avoid detection by popular host-based firewalls, next to a feature allowing it to detect and remove competing malware bots from the system, preserving its current state for the users of the bot. Moreover, according to its author, it will not work under a virtual machine, preventing potential analysis of the malicious binaries conducted by a malware researcher. Another interesting feature is the randomization of the HTTP requests using multiple user-agents in an attempt to trick anti-DDoS protection on the affected hosts. Apparently, the coder behind this malware bot claims to have the source code of the Dirt Jumper DDoS kit, which we cannot verify for the time being given the fact that the source code for this bot isn’t currently circulating in the wild, and that there are zero advertisements within the cybercrime ecosystem offering to sell access to it..."
* http://ddos.arbornetworks.com/2012/05/dirt-jumper-ddos-bot-increasingly-popular/

:mad: :fear:
 
Botmasters recruited for attack on Banks ...

FYI...

Botmasters recruited for attack on Banks ...
- http://blogs.rsa.com/rsafarl/cyber-...ive-wave-of-trojan-attacks-against-u-s-banks/
Oct 4, 2012 - "... a cyber gang has recently communicated its plans to launch a Trojan attack spree on 30 American banks as part of a large-scale orchestrated crimeware campaign. Planned for this fall, the blitzkrieg-like series of Trojan attacks is set to be carried out by approximately 100 botmasters. RSA believes this is the making of the most substantial organized banking-Trojan operation seen to date. By analyzing the details of the gang’s announcement, RSA has managed to link the cybergang’s weapon of choice to a little-known, proprietary Gozi-like Trojan, which RSA has dubbed “Gozi Prinimalka”... According to underground chatter, the gang plans to deploy the Trojan in an effort to complete fraudulent wire transfers via Man-In-The-Middle (MiTM) manual session-hijacking scenarios. Previous incidents involving this Trojan, handled by RSA and other information security vendors, appear to corroborate the gang’s claims that since 2008 their Trojan has been at the source of siphoning US$5 Million from American bank accounts. Gozi Prinimalka’s similarity to the Gozi Trojan, both in technical terms and its operational aspects, suggests that the HangUp Team — a group that was previously known to launch Gozi infection campaigns — or a group closely affiliated with it, may be the troupe behind this ambitious scheme. If successfully launched, the full force of this mega heist may only be felt by targeted banks in a month or two... This cyber intelligence notice is based upon ongoing research and analysis by the RSA FraudAction research team. As part of our ongoing cooperation with the security community, RSA has shared details of this information with U.S. law enforcement as well as with its RSA FraudAction Global Blocking Network partners and security teams from the partially known list of potential target U.S. banks. Still, it’s important to note that cyber criminals often make claims they do not necessarily act upon... 
Security teams should consider the potential urgency and applicability of this intelligence within their specific organization’s threat matrix and risk profile."
___

Akamai attack monitor:
- http://www.akamai.com/html/technology/dataviz1.html
Oct 6, 2012 15:07 ET
50.5% above normal...
___

Automated Toolkits named in massive DDoS attacks against U.S. Banks
- https://threatpost.com/en_us/blogs/...-massive-ddos-attacks-against-us-banks-100212
Oct 2, 2012

- http://atlas.arbor.net/briefs/index#-1177347673
Severity: High Severity
Oct 01, 2012
Heavy DDoS attacks on banks have taken place. Attribution is uncertain.
Analysis: The attackers used a PHP-based botnet for most of the attacks. The attacks were typically sourced from compromised web applications running vulnerable PHP code. The attackers typically upload a "web shell" to such a vulnerable site and then are able to upload, download and perform other operations on the system. Since such server systems typically have more bandwidth than the usual malware target (a Windows system on a broadband line), the attackers are able to increase their attack volume a great deal more quickly than through the use of Windows malware.
Source: http://money.cnn.com/2012/09/27/technology/bank-cyberattacks/index.html

:mad:
 
ZeroAccess P2P - not C&C ...

FYI...

ZeroAccess P2P - not C&C
- http://blog.trendmicro.com/trendlabs-security-intelligence/under-the-hood-of-bkdr_zaccess/
Nov 6, 2012 - "... ZACCESS, which is also known as ZeroAccess or SIREFEF. It can push fake applications and other malware onto infected systems, while using its rootkit capabilities to hide from detection. The table below shows Japan places 2nd in terms of infection ranking, followed by the US. In fact, Japan Regional TrendLabs received a lot of queries from our customers, which also triggered our in-depth analysis.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/11/zaccess-chart.png
Backdoors typically establish each session by connecting from affected PCs to command-and-control (C&C) servers in order to receive commands from attackers. However, it’s not the case that a corresponding session is established from the C&C servers to affected PCs. Based on our analysis of BKDR_ZACCESS, it establishes bidirectional connections with other infected machines using its P2P functionality. This helps reduce the load on its C&C servers, as well as making the network more robust against a potential takedown of its C&C servers. This allows it to send and receive commands between affected PCs and not using any C&C servers.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/11/ZACCESSp2p.jpg
Because of this, BKDR_ZACCESS can be both a “client” and a “server”. When a PC affected by BKDR_ZACCESS functions as a server, it sends commands or other malware as if it were a C&C server. On the other hand, when it functions as a client, it connects to IP addresses of affected PCs in its configuration file and updates the file. It can then attempt to download and execute other malware. Thus, once infected by BKDR_ZACCESS, affected users can spread infections to other affected PCs. At the same time, they are affected by this malware as a victim... there were a total of almost 35 million active connections between the servers and affected PCs... Some variants of ZACCESS can send spam mails. It is possible that this number is in some underground markets related to cybercrime. In addition, the attackers can use this number to gauge which tactics are successful in infecting users..."

:fear::mad:
 
Botnet hidden in Tor network

FYI...

Botnet hidden in the Tor network
- http://h-online.com/-1765530
10 Dec 2012 - "The Security Street blog* has found a botnet client, the operator of which is hiding behind the Tor network. This trick makes the work of security experts and criminal prosecutors much more difficult. The malicious botnet software, called "Skynet", is a trojan that Security Street found on Usenet. At 15MB, the malware is relatively large and, besides junk files intended to cover up the actual purpose of the download file, includes four different components: a conventional Zeus bot, the Tor client for Windows, the CGMiner bitcoin tool and a copy of OpenCL.dll, which CGMiner needs to crack CPU and GPU hashes..."
(More detail at the h-online URL above.)

* https://community.rapid7.com/commun...net-a-tor-powered-botnet-straight-from-reddit

:mad:
 
Spambot Kelihos update ...

FYI...

Spambot Kelihos update ...
- https://www.abuse.ch/?p=4878
Dec 10, 2012 - "... a Spambot that was shut down in September 2011 by Microsoft, but came back in January 2012. Various security researchers believe that Kelihos (also known as Hlux) is the replacement of the famous Storm Worm, which was active in 2007 and replaced by Waledac in 2009...
Infecting removable drives: ... Kelihos now has the capability to spread via removable drives, like USB sticks. The Kelihos gang implemented this feature on 2012-10-10...
Switching from .eu to .ru: Back in March 2012, Kelihos used a huge list of different domain names to spread itself and to provide fresh binaries (bot updates) to the botnet. In summer 2012 the Kelihos gang switched from TLD .eu to TLD .ru...
The rise of Kelihos: If we take a look at the global spam statistics today, the Kelihos gang has managed to get one of the biggest spam botnets worldwide with 100k – 150k unique spamming IP addresses per day. In fact, Kelihos is as active as the famous Festi and Cutwail botnets, which have more or less the same number of spamming IP addresses per day. But what makes Kelihos so successful? First of all, Kelihos is not easy to shut down since it is using double FastFlux for its malware distribution domains and relies on P2P techniques for botnet communication. So there is no central botnet infrastructure. By adding the possibility to spread via removable drives, Kelihos also has a very effective way to spread itself across networks and computers even without the need of a central (distribution) infrastructure. Last but not least, the infection binaries associated with Kelihos I’ve seen so far have a very poor AV detection rate...
So what can a network administrator do to mitigate this threat?
• Since Kelihos is using port 80 (usually used by the HTTP protocol) to communicate with the P2P drones, you should restrict outbound connections to port 80 TCP and implement a web proxy with protocol inspection capabilities (so that non-HTTP and non-HTTPS traffic that tries to go through the proxy gets blocked, and alerted on)
• Patch Windows (run Windows Update) to avoid exploitation through CVE-2010-2568
• Use port security on your devices to limit the usage of removable drives and prevent Kelihos from spreading through USB sticks etc
• Restrict outbound SMTP connections (port 25 TCP) to prevent Kelihos from sending out spam mails
• Restrict access to domain names hosted on dynamic IP addresses and/or whose DNS servers are hosted on dynamic IP addresses by using DNS RPZ* ..."
* http://www.isc.org/community/blog/201007/taking-back-dns-0

:fear: :mad:
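As an added example (not code from the abuse.ch post or any vendor quoted in this thread), the egress-restriction and protocol-inspection points from the mitigation list above expressed as a small Python policy check: it classifies the first client-to-server bytes of a flow and blocks-and-alerts on anything on tcp/80 that is not a well-formed HTTP request, and on SMTP from hosts that are not designated relays. The relay address, the sample flows and the payload bytes are all constructed, and the inspection point is assumed to see the raw first bytes of each stream (a transparent proxy or egress sensor).

```python
import re
from typing import List, Tuple

# Constructed example value: the only hosts permitted to speak SMTP outbound.
MAIL_RELAYS = {"10.0.0.25"}

# HTTP/1.x request line per RFC 2616: METHOD SP request-target SP HTTP/1.x CRLF.
# Kelihos P2P traffic rides tcp/80 but does not begin with such a line.
_REQUEST_LINE = re.compile(rb"\A[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")


def classify_payload(payload: bytes) -> str:
    """Classify the first client->server bytes of a TCP stream.

    'http'  - a well-formed HTTP/1.x request line
    'tls'   - a TLS handshake record (content type 0x16, version 3.x)
    'other' - anything else, including empty payloads and raw P2P protocols
    """
    if _REQUEST_LINE.match(payload):
        return "http"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    return "other"


def evaluate_flow(src_ip: str, dst_port: int, payload: bytes) -> Tuple[str, str]:
    """Apply the egress policy to one outbound flow and return (action, reason).

    action is 'allow', 'block' (silent drop) or 'block+alert' (drop and raise an
    event), the response the post asks for on non-HTTP traffic to port 80.
    """
    if dst_port == 25:
        # Only designated relays may send mail directly; a workstation doing so is a spam signal.
        if src_ip in MAIL_RELAYS:
            return ("allow", "SMTP from an authorised mail relay")
        return ("block", "outbound SMTP from a non-relay host")
    if dst_port == 80:
        kind = classify_payload(payload)
        if kind == "http":
            return ("allow", "well-formed HTTP request on tcp/80")
        return ("block+alert", f"non-HTTP payload on tcp/80 ({kind}); possible P2P bot traffic")
    if dst_port == 443:
        if classify_payload(payload) == "tls":
            return ("allow", "TLS handshake on tcp/443")
        return ("block+alert", "non-TLS payload on tcp/443")
    return ("allow", "port not covered by this policy")


# Constructed sample flows: (source IP, destination port, first payload bytes).
SAMPLE_FLOWS: List[Tuple[str, int, bytes]] = [
    ("10.0.1.17", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.1.17", 80, b"\x3a\x00\x00\x00\x1f\x8b\x52\x00\x9e\x13\x00\x00\xa1\xb2"),  # opaque binary on tcp/80
    ("10.0.1.42", 25, b"EHLO workstation42\r\n"),                                  # workstation talking SMTP
    ("10.0.0.25", 25, b"EHLO mail.example.com\r\n"),                               # the legitimate relay
    ("10.0.1.17", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),          # start of a TLS ClientHello
]


def audit(flows: List[Tuple[str, int, bytes]]) -> List[Tuple[str, str]]:
    """Evaluate every flow; the 'block+alert' entries are what a SOC would want forwarded."""
    return [evaluate_flow(src, port, payload) for src, port, payload in flows]


if __name__ == "__main__":
    for (src, port, _), (action, reason) in zip(SAMPLE_FLOWS, audit(SAMPLE_FLOWS)):
        print(f"{src:>10} -> tcp/{port:<3} {action:12} {reason}")
```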
 
Butterfly botnet takedown

FYI...

Butterfly botnet takedown
- https://www.fbi.gov/news/pressrel/p...-cyber-crime-ring-related-to-butterfly-botnet
Dec 11, 2012 - "The Department of Justice and the FBI, along with international law enforcement partners, announced the arrests of 10 individuals from Bosnia and Herzegovina, Croatia, Macedonia, New Zealand, Peru, the United Kingdom, and the United States and the execution of numerous search warrants and interviews. The operation identified international cyber crime rings that are linked to multiple variants of the Yahos malicious software, or malware, which is linked to more than 11 million compromised computer systems and over $850 million in losses via the Butterfly Botnet, which steals computer users’ credit card, bank account, and other personally identifiable information... Facebook’s security team provided assistance to law enforcement throughout the investigation by helping to identify the root cause, the perpetrators, and those affected by the malware..."
___

- http://h-online.com/-1768325
13 Dec 2012

:mad: :mad:
 
Feds convict stock Scammers... overlook Spammers

FYI...

Feds convict Stock Scammers ...
- https://krebsonsecurity.com/2012/12/feds-convict-stock-scammers-overlook-spammers/
Dec 13, 2012 - "On Wednesday, the U.S. Justice Department announced that it had obtained convictions against a cybercrime gang that committed securities fraud through the use of botnets and spam. Oddly enough, none of the botmasters or spammers who assisted in the scheme were brought to justice or identified beyond their hacker handles... The defendants who pleaded or were found guilty in this case were convicted of orchestrating “pump-and-dump” stock scams. These are schemes in which fraudsters buy up low-priced stock, blast out millions of spam e-mails touting the stock as a hot buy and then dump their shares as soon as the share price ticks up from all of the spam respondents buying into the scam. A press release from the U.S. Attorney for the District of New Jersey* noted that the ringleader of the scam, 44-year-old Christopher Rad, of Cedar Park, Texas, communicated with the spammers via Skype, addressing them by their hacker aliases, such as 'breg', 'ega', 'billybob6001' and 'be3ez12'... It’s not clear yet what botnet or other method Rahul/be3ez12 used to blast out his spam during the time he allegedly aided in these stock scams..."
* http://www.justice.gov/usao/nj/Press/files/Rad, Christopher Verdict PR.html
"... conspiracy to commit securities fraud..."
 
'Droid botnet discovered across all major networks

FYI...

Android botnet discovered across all major networks
- http://bgr.com/2012/12/18/android-spam-botnet-257993/
Dec 18, 2012 - "A new Android spam botnet has been discovered across all major networks that sends thousands of text messages -without- a user’s permission, TheNextWeb reported. The threat, which is known as SpamSoldier, was detected on December 3rd by Lookout Security* in cooperation with an unnamed carrier partner. The malware is said to spread through a collection of infected phones that send text messages, which usually advertise free versions of popular paid games like Grand Theft Auto and Angry Birds Space, to hundreds of users each day. Once a user clicks on the link to download the game, his or her phone instead downloads the malicious app. When the app is downloaded, SpamSoldier removes its icon from the app drawer, installs a free version of the game in question and immediately starts sending spam messages. The security firm notes that the threat isn’t widespread; however, it has been spotted on all major carriers in the U.S. and has potential to do serious damage..."
* https://blog.lookout.com/blog/2012/12/17/security-alert-spamsoldier/
"... Consistent with CloudMark’s analysis**, we’ve seen a number of different spam campaigns active..."
** http://blog.cloudmark.com/2012/12/16/android-trojan-used-to-create-simple-sms-spam-botnet/
"... The trojan apps were downloaded from sites on a server in Hong Kong offering free games. They claimed to be copies of popular games:
> http://blog.cloudmark.com/wp-content/uploads/2012/12/Screen-Shot-2012-12-12-at-3.39.41-PM.png
... you have to jump through some hoops to install an Android app from a random web site rather than Google Play...
> http://blog.cloudmark.com/wp-content/uploads/2012/12/Screen-Shot-2012-12-12-at-3.15.15-PM.png
...Don’t do this..."
___

- http://h-online.com/-1772079
19 Dec 2012

:mad::fear::fear:
 