Answers to your tech questions
Computer forums for help with removing malicious software (malware) and improving computer security

> Pandemic of the botnets 2009
AplusWebMaster
post Mar 22 2009, 12:29 PM
Post #16


AplusWebMaster
*****

Group: Authentic Member
Posts: 4,311
Joined: 30-December 03
From: USA
Member No.: 1,643
Operating System: XP/SP3



FYI...

Third party information on Conficker
- http://isc.sans.org/diary.html?storyid=5860
Last Updated: 2009-04-11 18:15:39 UTC ...(Version: 9) <<<
(See "Removal Tools")


This post has been edited by AplusWebMaster: Apr 22 2009, 10:53 AM
Reason for edit: Removal Tools updated...
AplusWebMaster
post Mar 28 2009, 07:02 AM
Post #17


FYI... a few updates on Conficker. Currently, some AV's are "Scanning for 1,328,914 virus strains and unwanted programs...". Conficker is just a few of them.

- http://www.secureworks.com/research/blog/i...ril-fools-hype/
March 27, 2009 - "... If you’re reading this, you’re probably not infected with Conficker.C. If you were already infected, you wouldn’t be able to access any page on secureworks.com, due to the worm author’s apparent dislike for the removal instructions we posted for earlier Conficker variants..."

- http://blogs.technet.com/msrc/archive/2009...onficker-d.aspx
March 27, 2009

- http://www.f-secure.com/weblog/archives/00001636.html
March 26, 2009

Conficker Eye Chart
- http://www.confickerworkinggroup.org/infec...cfeyechart.html
04.01.2009 - (See: "Explanation" at bottom of page there)


This post has been edited by AplusWebMaster: Apr 16 2009, 06:08 AM
Reason for edit: Added Conficker Eye Chart link...
AplusWebMaster
post Apr 16 2009, 06:09 AM
Post #18


FYI...

New Waledac variant in the wild
- http://securitylabs.websense.com/content/Alerts/3343.aspx
04.16.2009 - "Websense... has detected a new Waledac variant in the wild being distributed via email since yesterday. The new campaign uses a theme whereby the user is enticed to download an application that will permit them to view other people's SMS messages online. The download file uses alternating filenames, including sms.exe, freetrial.exe, and smstrap.exe. ThreatSeeker has identified thousands of spam emails using this theme. Not all major antivirus vendors are currently detecting this threat..."

Waledac - New Campaign, New Domains, GeoCities, and SpywareProtect2009
- http://www.shadowserver.org/wiki/pmwiki.ph...lendar/20090416
16 April 2009

- http://blog.trendmicro.com/new-waledac-cam...oping-software/
Apr. 16, 2009

- http://www.f-secure.com/weblog/archives/00001658.html
April 16, 2009

(Screenshots available at all URLs above.)

Fake SMS Reader Spam in Russian Language: Malicious Web Site / Malicious Code
- http://securitylabs.websense.com/content/Alerts/3344.aspx
04.16.2009

- http://blog.trendmicro.com/online-casino-g...es-and-waledac/
Apr. 15, 2009 - "... Waledac updated its spam emails and is now spamming online casino advertisements..."
(Screenshots available at the TrendMicro URL above.)


This post has been edited by AplusWebMaster: Apr 17 2009, 11:15 AM
Reason for edit: Added Shadowserver and TrendMicro links...
AplusWebMaster
post Apr 22 2009, 04:40 AM
Post #19


FYI...

WALEDAC’s latest Spamming fetish
- http://blog.trendmicro.com/waledac%E2%80%9...pamming-fetish/
Apr. 21, 2009 - "WALEDAC has found a new fetish — spamming users with email messages on free foot fetish movies... clicking the link in the spammed email redirects users to websites featuring foot fetish videos. WALEDAC is notorious for employing various social engineering techniques that lead users to a series of malware infections. This being the third of the recent WALEDAC spam runs we’ve seen, it's quite safe to assume we’ll be seeing more of these runs in the near future."
(Screenshots available at the URL above.)

- http://www.shadowserver.org/wiki/pmwiki.ph...lendar/20090421
21 April 2009

AplusWebMaster
post Apr 22 2009, 05:46 AM
Post #20


FYI...

New botnet found - 1.9M bots
- http://www.finjan.com/MCRCblog.aspx?EntryId=2237
Apr 22, 2009 - "... recent discovery of a network of 1.9 million infected computers controlled by cybercriminals... We found that the botnet’s command and control server is hosted in Ukraine. As folders on this server were left open, we were able to get more information for our research. The server has a nice backend management application making it easy for the attackers to manage the infected machines. One of the management console features that we identified is a Command Editing panel through which instructions are sent to the infected machines (bots). We have seen commands asking the bots to download and execute additional malware, download settings files, apply update files etc... This command instructs the bot on the infected computers to download and execute a Trojan horse... only 4 out of 39 Anti-Virus products detected this Trojan... The description field of this command led us to a hacker’s forum in Russia with a post requesting to trade in infected computers... (Another) command instructs the infected machines to download and execute a Trojan horse that later installs a group of other malicious executables without the user’s consent... Overall, the cybergang can remotely execute anything it likes on the infected computers. The log file on the server disclosed the IP addresses of the infected computers and their names in the network..."

(Screenshots available at the URL above.)

AplusWebMaster
post Apr 22 2009, 10:20 AM
Post #21


FYI...

Gov systems found on 1.9m zombie botnet
- http://www.theregister.co.uk/2009/04/22/superbotnet_server/
22 April 2009 - "... cybercrooks collectively compromised computers in 77 government-owned domains (.gov) from the UK, US and various other countries. The malware that featured in the attack allowed hackers complete control of compromised PCs, nearly all of which were running Windows XP. A variety of malicious actions, from reading emails to copying files, keystroke logging, and spam distribution were all possible. Since discovering the botnet, Finjan has supplied information to the server to UK and US law enforcement agencies. The command server is now out of commission. Finjan has informed affected corporate and government agencies about infected computer names, in a move that will hopefully result in a clean-up operation..."

AplusWebMaster
post Apr 23 2009, 06:34 AM
Post #22


FYI...

Tracking Spam Botnets...
- http://www.marshal8e6.com/trace/bot_statistics.asp
April 12, 2009 - "...spamming botnets are constantly in flux. Botnets morph, become obsolete, replaced, taken down, and upgraded. One thing is clear, a mere handful of botnets are responsible for the bulk of all spam sent. This page pulls together some of the results of our latest research, highlighting details about some of the most notorious spamming botnets..."
(Graphs and more detail available at the Marshal URL above.)

- http://www.theregister.co.uk/2009/04/23/botnet_speed_test/
23 April 2009 - "... Xarvester and Rustock threw off the most junk mail, 25K messages an hour or the equivalent of 600K spams a day. The data on spam rates was harvested from a wider research project into botnets run by Marshal8e6 over the last two years..."

AplusWebMaster
post May 4 2009, 10:55 AM
Post #23


FYI...

Botnet probe turns up 70GB of personal, financial data
- http://preview.tinyurl.com/cmzd68
May 4, 2009 (Computerworld) - "...it steals personal and financial data. The botnet, known as Torpig or Sinowal, is one of the more sophisticated networks that uses hard-to-detect malicious software to infect computers and subsequently harvest data such as e-mail passwords and online banking credentials. The researchers were able to monitor more than 180,000 hacked computers by exploiting a weakness within the command-and-control network used by the hackers to control the computers. It only worked for 10 days, however, until the hackers updated the command-and-control instructions... Still, that was enough of a window to see the data-collecting power of Torpig/Sinowal. In that short time, about 70GB of data were collected from hacked computers. The researchers stored the data and are working with law enforcement agencies such as the U.S. Federal Bureau of Investigation, ISPs and even the U.S. Department of Defense to notify victims... Torpig/Sinowal can pilfer user names and passwords from e-mail clients such as Outlook, Thunderbird and Eudora while also collecting e-mail addresses in those programs for use by spammers. It can also collect passwords from Web browsers. Torpig/Sinowal can infect a PC if a computer visits a malicious Web site that is designed to test whether the computer has unpatched software, a technique known as a drive-by download attack... The researchers found out that Torpig/Sinowal ends up on a system after it is first infected by Mebroot, a rootkit that appeared around December 2007. Mebroot infects a computer's Master Boot Record (MBR), the first code a computer looks for when booting the operating system after the BIOS runs. Mebroot is powerful since any data that leaves the computer can be intercepted. Mebroot can also download other code to the computer. Torpig/Sinowal is customized to grab data when a person visits certain online banking and other Web sites. 
It is coded to respond to more than 300 Web sites, with the top targeted ones being PayPal, Poste Italiane, Capital One, E-Trade and Chase bank, the paper said*. If a person goes to a banking Web site, a falsified form is delivered that appears to be part of the legitimate site, but asks for a range of data a bank would not normally request, such as a PIN (personal identification number) or a credit card number.... Web sites using SSL (Secure Sockets Layer) encryption are -not- safe if used by a PC with Torpig/Sinowal, since the malicious software will grab information before it is encrypted..."
* http://www.cs.ucsb.edu/~seclab/projects/torpig/index.html

AplusWebMaster
post May 5 2009, 01:38 PM
Post #24


FYI...

McAfee: 12M added to botnets Q1-2009
- http://newsroom.mcafee.com/article_display...article_id=3515
May 05, 2009 - "... cybercriminals have taken control of almost 12 million new IP addresses since January, a 50 percent increase since 2008... Cybercriminals are building an army of infected, “zombie” computers to recover from last November’s takedown of a central spam-hosting ISP...
Other Key Findings:
• The Koobface virus has made a resurgence, and more than 800 new variants of the virus were discovered in March alone
• Servers hosting legitimate content have increased in popularity with malware writers to distribute malicious and illegal content
• Cybercriminals are increasing their use of URL redirects and Web 2.0 sites to disguise their location
• Compared to the overall landscape, the Conficker worm represents a small subset of all threat reports. Autorun malware, a vector used by certain Conficker variants, represented only 10% of all detections reported during the first quarter.
To view the full report, please visit: http://www.mcafee.com/threatsreport"

AplusWebMaster
post May 8 2009, 05:54 AM
Post #25


FYI...

Botnet self-destructs - "Zeus" command
- http://voices.washingtonpost.com/securityf...nuclear_op.html
May 7, 2009 - "... Hüssy oversees Zeustracker*, a Web site listing Internet servers that use Zeus**, a kit sold for about $700 on shadowy cyber criminal forums to harvest data from computers infected with a password stealing Trojan horse program. One of Zeus's distinguishing features is a tool that helps each installation on a victim PC look radically different from the next as a means to evade detection by anti-virus tools. According to Hüssy, among Zeus's many features is the "kos" option, which stands for "kill operating system"... In early April, Hüssy began tracking a Zeus control server used to receive data stolen from a botnet of more than 100,000 infected systems, mostly located in Poland and Spain. While investigating this newfound Zeus control server, he noticed something unusual: the "kill operating system" command had just been issued to all 100,000 infected systems. Hüssy said he has no idea why the botnet was destroyed... Currently, about one-third of the sites listed at Zeustracker are hacked or free Web services..."
* https://zeustracker.abuse.ch/monitor.php?filter=online
** http://rsa.com/blog/blog_entry.aspx?id=1274

AplusWebMaster
post May 12 2009, 03:14 PM
Post #26


FYI...

Pirated Windows 7 comes with trojan - botnet
- http://www.darkreading.com/shared/printabl...cleID=217400548
May 12, 2009 - "A pirated version of the new Windows 7 operating system release candidate that has been circulating around the Internet is also building out a botnet. The rogue OS, which is rigged with a Trojan downloader*, at one point had around 27,000 bots in its control as of May 10, when researchers took over the command and control server that communicated with the bots and served them additional malware. At the height of the botnet buildup, the botmaster was recruiting over 200 machines an hour... Damballa researchers on Sunday grabbed control of the C&C domain, but they say this is likely just one of many versions of rogue Windows 7 OS... Damballa's Cox says most traditional antivirus software is unable to detect the pirated Windows 7 Trojan because the OS itself is infected and most AV solutions don't yet support Windows 7..."
* http://blog.trendmicro.com/cybercriminals-...d-windows-7-rc/

AplusWebMaster
post May 13 2009, 01:32 PM
Post #27


FYI...

- http://blog.trendmicro.com/pushdocutwail-%...rt-of-spamming/
May 12, 2009 - "... One of the biggest spamming botnets out there is Pushdo. This botnet has managed to stay under the radar since 2007 even though it has been reported to be responsible for a huge percentage of the spam worldwide. It has even managed to make it consistently to the Top 5 largest botnets without ever reaching number one. There are reports of 7.7 billion spammed emails per day coming from this botnet, which puts it in the Top 2 largest spamming botnets worldwide... One of the latest batches contains an executable which displayed popup ads to the user, most probably from an advertiser who paid good money for the mass-deployment of their software. The only component that is always present is the spamming engine, which some antivirus vendors have dubbed as Cutwail..."

- http://blog.trendmicro.com/pushdocutwail-%...ve-part-2-of-5/
May 13, 2009 - "... The famous Storm botnet from 2008 had strong links to the so-called Russian Business Network operating out of St. Petersburg, and from our research it appears that Pushdo is linked to the Moscow area. Like other spam botnets Pushdo’s spamming component, known as Cutwail, sends spam in waves, each advertising a particular service. Normally these consist of porn, pharmacy spam etc – but it was when we started to see ads for Salsa classes and Construction services that we became really interested... As part of our research we contacted the gang on one of the numbers they provided, posing as a potential customer of their spamming services. As customer service satisfaction goes these guys were very helpful, providing us with bank account details that we could pay them through, and even offering to pick up the money in person if we were based in Moscow. On top of that they would throw in a free website design to promote our business, and offered to craft their “advertising mail services” (that’s unsolicited spam to you and me) to best avoid anti-spam signatures..."

(Screenshots available at both URLs above.)

AplusWebMaster
post May 18 2009, 03:07 PM
Post #28


FYI...

- http://www.secureworks.com/research/blog/i...e-trojan-trail/
May 12, 2009 - "... The "Finjan botnet" appears to be large... credit to FireEye for trying to track down the Finjan Botnet that Finjan first reported on. Reading through the Finjan and FireEye write-ups, one is able to reconstruct the trail and also discover the path taken. We can see two major types of Trojans that play a part in this. We have the VBInject Trojan and the AutoIt Trojan... There are two servers on the same network to which -VBInject- phones home: x.x.62.2 and x.x.21.186. The server at x.x.21.186 is no longer responsive and appears down at this time. The server at x.x.62.2 is still up and DNS still responds with that IP address for the domain name used in these attacks. If you actually try to browse to that domain though, you will not arrive at this server. As you can see from reading the FireEye article, the Trojan phones home to /ldr/loadlist.php. It downloads more malware from /ldr/dl/. One of the Trojans it downloads is -AutoIt-... This is the AutoIt Trojan phoning home and the response is to download around 15 pieces of malware...
As you can see by following the trail, gone are the days where you have just one Trojan infection. When you become infected today, it is best to just do a complete reformat of your machine instead of trying to recover it, because you really don’t know how many infections you have. I have read plenty of articles where someone cleans their machine and they think everything is fine only to find more malware days to weeks later.
There is not any perfect AV tool; there is no perfect solution for any one problem. Your best defense is to practice what is called defense in depth and to only go to known websites. Don’t open mail from people you don’t know and be careful opening attachments from people that you do know. Update your OS and software regularly, including AV. Just having AV does not mean that you are protected; you also have to keep it updated."
• FireEye Blog - http://blog.fireeye.com/research/2009/04/b...eb-part-ii.html
• Finjan article - http://www.finjan.com/MCRCblog.aspx?EntryId=2237
• Prevx shows ZCHMIB.EXE - http://www.prevx.com/filenames/15216412687...ZCHMIB.EXE.html
• ThreatExpert shows TDSS/Seneka activity - http://www.threatexpert.com/report.aspx?md...3e7dc62554318ac

(More detail and screenshots available at the Secureworks URL above.)

// http://forums.whatthetech.com/Pandemic_bot...st&p=551781
AplusWebMaster
post May 21 2009, 04:53 AM
Post #29


FYI...

Conficker continues to spread
- http://viewfromthebunker.com/2009/05/20/co...nues-to-spread/
May 20, 2009 - "... the Symantec threat intelligence team estimates there are 50,000 newly infected PCs a day right now... the US, Brazil and India top the charts."

(Chart available at the URL above.)

- http://isc.sans.org/diary.html?storyid=5860

AplusWebMaster
post Jun 17 2009, 10:31 AM
Post #30


FYI...

Golden Cash botnet
- http://www.finjan.com/MCRCblog.aspx?EntryId=2281
June 17, 2009 - "... A user visits a legitimate compromised website which contains malicious Iframe. This Iframe causes the victim’s browser to pull the exploit code from a server armed with the exploit toolkit. Upon successful exploitation, a special build of a Trojan, created for the attacker, is being pulled from Golden Cash server. Once installed, the Trojan reports back to the Golden Cash server and the attacker’s account at Golden Cash is credited with currency. The first instruction sent by Golden Cash to the victim’s machine, is to install an FTP-grabber (to steal FTP-credentials). Our research found about 100,000 stolen FTP-credentials on the Golden Cash server. The victim’s machine is now in a pool of infected machines controlled by Golden Cash and being auctioned to other criminals, using a different website for buyers. From time to time, the victim’s machine gets instructions to install malware on behalf of the criminal-customer. The Trojan on the victim machine reports back to Golden Cash on each successful installation of the customer’s malware and the criminal-customer account is charged with currency. The victim machine is back in the ‘available for more infections’ pool.... the botnet spreads using distributors. For each distributor, a special bot build is created. The special build assists the cybercriminal to track the installations of each distributor... Some of the stolen FTP-credentials were used to inject malicious Iframe to the webpages that were stored on the FTP server. The reason for this was to infect more machines and generate organic growth. The C&C server is hosted in Texas, US; the registrant country is China. The “proxy” website that tunnels traffic to the C&C server is hosted in Krasnodar, Russia."

(Screenshots available at the URL above.)

