Post #31 - Jul 8 2009, 06:40 AM
AplusWebMaster (Group: Authentic Member; Posts: 4,311; Joined: 30-December 03; From: USA; Member No.: 1,643; Operating System: XP/SP3)
FYI...
SPAM - from Waledac... - http://www.eset.com/threat-center/blog/?p=1285
July 7, 2009 - "... After 4th July, we have noticed an increase in the number of emails in circulation, and this week will be even more active. We believe that, like other campaigns, this one will last at least 15 days. However, what many readers may be wondering is why Waledac was “asleep” so many months. The reality is that the Trojan wasn’t spreading at that point. However, the botnet that was built with Waledac, remained as active as ever; working mainly to achieve their most important goal: to send spam. At ESET Latinamerica’s Laboratory, we made some tests to enable us to share information with users that shows the importance of staying uninfected: if my computer is infected with Waledac, how much spam does it send? We infected a computer in the laboratory with one of the Waledac trojans... After that, we used a tool to monitor network traffic to see how many emails were sent by the botnet, since the system became infected. We made an initial measurement in 4 stages over a period of one hour (at different times of day), and the results were as follows:
• Stage 1: between 18:00 and 19:00 hs. 6968 emails were sent
• Stage 2: between 20:30 and 21:30 hs. 7148 emails were sent
• Stage 3: between 10:00 and 11:00 hs. 5610 emails were sent
• Stage 4: between 13:00 and 14:00 hs. 6568 emails were sent
Taking the average of emails sent per hour (6548 emails), it is estimated that an infected computer can send about 150,000 emails a day. To be even clearer, that represents nearly two emails per second... If we consider that the network is estimated to consist of at least 20,000 infected computers, it can be seen that the botnet has a theoretical spam-sending capacity of 3 billion emails daily... many users will now understand why their computers work so slowly when their systems are infected..."
This post has been edited by AplusWebMaster: Jul 8 2009, 07:42 PM
Post #32 - Jul 16 2009, 06:20 PM
AplusWebMaster
FYI...
Malware authors exploiting Conficker - http://www.techworld.com/security/news/ind...m?newsID=119223
15 July 2009 - "Creators of Waledac malware have used the Conficker botnet as a tool to spread malware of their own, marking the first time Conficker was made available for hire, according to Cisco. Writing in its mid-yearly security report*, Cisco said that this was symptomatic of a wider trend of malware purveyors using established business practices to expand their illegal enterprises. Cisco likened the arrangement between Waledac and Conficker to a partner ecosystem, a term Cisco uses to describe its collaboration with other vendors. Waledac used the Conficker distribution channel to send spam and to expand its own botnet... Web sites that are infected to download malware to unsuspecting visitors will increase, the report predicted. These sites represent nearly 90 percent of all web-based threats, the report says. Creation of botnets would be a particular goal of this type of malware..."
* http://www.cisco.com/en/US/prod/vpndevc/an...ity_report.html
Post #33 - Jul 24 2009, 05:38 AM
AplusWebMaster
FYI...
Botnet money... - http://www.viruslist.com/en/analysis?pubid=204792068
July 22, 2009 - "In the past ten years, botnets have evolved from small networks of a dozen PCs controlled from a single C&C (command and control center) into sophisticated distributed systems comprising millions of computers with decentralized control. Why are these enormous zombie networks created? The answer can be given in a single word: money. A botnet, or zombie network, is a network of computers infected with a malicious program that allows cybercriminals to control the infected machines remotely without the users’ knowledge. Zombie networks have become a source of income for entire groups of cybercriminals. The invariably low cost of maintaining a botnet and the ever diminishing degree of knowledge required to manage one are conducive to growth in popularity and, consequently, the number of botnets... Botnet owners or developers who have been prosecuted can be counted on the fingers of two hands. Which is not the case with botnets that are live on the Internet: the number of these has exceeded 3600... Without help from users, combating botnets cannot be effective. It is home computers that make up the lion’s share of the enormous army of bots. Neglecting to stick to simple security rules, such as using antivirus software, using strong account passwords and disabling the AutoPlay feature for removable media, can result in your computer becoming another botnet member, providing cybercriminals with your data and resources..."
Post #34 - Aug 14 2009, 04:09 PM
AplusWebMaster
FYI...
Twitter-based botnet command channel UPDATED TO ADD STATS AND JAIKU PROFILE AND A TUMBLR PROFILE - http://asert.arbornetworks.com/2009/08/twi...ommand-channel/
August 13, 2009 - "While digging around I found a botnet that uses Twitter as its command and control structure. Basically what it does is use the status messages to send out new links to contact, then these contain new commands or executables to download and run. It’s an infostealer operation. The account in question is under analysis by Twitter’s security team. I spotted it because a bot uses the RSS feed to get the status updates. As for the original bot in question that fetches the updates, here’s the VirusTotal analysis*, where you can see it’s detected by 19/41 (46.34%) AV tools under evaluation. We can look at the status messages and discover more nefarious activity; the bot’s hiding new malcode which is poorly detected this way. The original link from the malcode came from a ShadowServer nightly link report, which they make available to folks. Many thanks to them... UPDATE 14 Aug 2009 - Via bit.ly, some statistics that suggest the malcode has infected a couple hundred PCs, mostly in Brazil..." (More detail at the URL above.)
* http://www.virustotal.com/analisis/6a6c334...2139-1249801350
File 40d09b7d94da70ede50866c55f48613c-2358.txt received on 2009.08.09 07:02:30 (UTC) Result: 19/41 (46.34%)
* http://www.virustotal.com/analisis/14fd37e...311e-1250187288
File gbpm.exe received on 2009.08.13 18:14:48 (UTC) Result: 9/41 (21.95%)
- http://www.symantec.com/connect/blogs/twittering-botnets
August 14, 2009
Infostealer.Bancos heatmap - http://www.symantec.com/connect/imagebrows...74211/_original
- http://www.symantec.com/connect/blogs/down...ng-and-prophecy
August 16, 2009 - "... A new variant of this threat has emerged that uses not only Twitter but also another social networking and micro-blogging site Jaiku.com. Symantec detects this Trojan as Downloader.Sninfs.B*. Like the previous variant, Downloader.Sninfs.B also attempts to get URLs from obfuscated Twitter status messages. However, if that attempt fails, the Trojan will use the RSS feed from an account registered on Jaiku .com to obtain the location of remote files..."
* http://www.symantec.com/business/security_...-99&tabid=2
Discovered: August 16, 2009 = "... may be saved as the following files:
%Temp%\[SET OF RANDOM NUMBERS]\gbpm.exe
%Temp%\[SET OF RANDOM NUMBERS]\gbpm.dll
%Temp%\[SET OF RANDOM NUMBERS]\update.exe (copy of gbpm.exe) ..."
This post has been edited by AplusWebMaster: Aug 17 2009, 03:47 AM
Post #35 - Aug 24 2009, 10:39 AM
AplusWebMaster
FYI...
Ilomo botnet - All your info are belong to us - http://blog.trendmicro.com/all-your-info-are-belong-to-us/
August 24, 2009 - "... Ilomo has (been) active for several years now, and like Pushdo has done so without attracting too much unwanted attention from the security industry. Like Pushdo, the Ilomo threat is quite modular in nature which makes it difficult to see the actions of the overall threat. Added to this is the fact that it uses a commercial virtual machine obfuscator, significantly adding to the effort involved in reverse engineering the malware binaries. Ilomo has two key components to its business plan. The first is good old fashioned information stealing. Ilomo injects its code into the browser and monitors the internet connection waiting for the user to connect to one of over 4000 banking, financial or webmail sites. Not content with simply stealing the user’s credentials, Ilomo can also “piggyback” on the user’s session – transferring funds from an infected user’s account and making a mockery of the bank’s secure login system. Ilomo will also harvest all other login credentials from the machine – ftp, web servers, local administrators etc. These are then used to spread itself across the network and to take control of web servers online, which it will use to host new versions of the malware... Ilomo’s second source of revenue is selling “anonymity as a service”. Every infected Ilomo machine acts as a proxy so that criminals can route their illegal activities through different networks and countries. In addition to hiding the criminals’ identity this proxy network is very useful for defeating another defense built into many banking sites – namely that they can only be accessed from certain countries. If a criminal needs to access a Brazilian bank, they simply use an infected Ilomo machine in Brazil to route the connection..." (Screenshot available at the URL above.)
Post #36 - Sep 12 2009, 06:28 AM
AplusWebMaster
FYI...
Botweb using compromised Linux servers - http://blog.stopbadware.org/2009/09/11/bot...d-linux-servers
9.11.2009 - "Over at the Unmask Parasites blog*, periodic BadwareBusters.org contributor Denis reports on a botweb ... that he’s been investigating: 'What we see here is a long awaited botnet of zombie web servers! A group of interconnected infected web servers with common control center involved in malware distribution. To make things more complex, this botnet of web servers is connected with the botnet of infected home computer (the malware they serve infects computers and turns them into zombies).' The blog post* contains a much more thorough analysis of the issue and is worth a read, especially if you work for a hosting provider or manage Linux-based web servers..."
* http://blog.unmaskparasites.com/2009/09/11...ie-web-servers/
Post #37 - Sep 16 2009, 02:59 PM
AplusWebMaster
FYI...
Botnet computing power... - http://blog.trendmicro.com/the-internet-in...d-is-it-really/
Sep. 16, 2009 - "Industry experts have previously estimated that, on average, a compromised machine remains infected for 6 weeks. However, our latest research indicates that this estimate is far from accurate. During the analysis of approximately 100 million compromised IP addresses, we identified that half of all IP addresses were infected for at least 300 days. That percentage rises to eighty percent if the minimum time is reduced to a month... The news only gets worse from that point. While three-fourths of the IP addresses in our study were identified with consumer users, the remaining quarter belong to enterprise users. Because a single IP address for these users is typically identified with a single gateway which may, in turn, be connected to multiple machines in an internal network, the actual percentage of enterprise machines affected by malware may be higher than the IP address data suggests. Once a machine becomes compromised, it is not unusual to find it has become part of a wider botnet. Botnets frequently cause damage in the form of malware attacks, fraud, information theft and other crimes. In 2009, virtually all malware tracked by Trend Micro experts are used by cybercriminals to steal information... Overall, botnets control more compromised machines than had been previously believed. Only a handful of criminals (likely a few hundred) have more than 100 million computers under their control. This means that cybercriminals have more computing power at their disposal than the entire world’s supercomputers combined. It’s no wonder then that more than 90 percent of all e-mail worldwide is now spam..." (More detail and charts available at the URL above.)
Post #38 - Sep 22 2009, 10:05 AM
AplusWebMaster
FYI...
Conficker still defeats experts - http://www.theinquirer.net/inquirer/news/1...defeats-experts
22 September 2009 - "... The worm has infected more than five million computers in a botnet that could take out the Internet in some countries... Rodney Joffe, a director of the Conficker Working Group formed to defeat the worm said, "The general agreement in the security world is that Conficker is the largest threat facing us from a cyber crime point of view." The worm, which spreads rapidly among personal computers by exploiting a flaw in Microsoft Windows, first surfaced last November. According to Joffe, "it has proven to be extremely resilient. It's almost impossible to remove." Infected PCs are dragooned into a "botnet" controlled by the Conficker worm's unknown authors, which security researchers fear could be used to launch cyber attacks over the Internet..."
- http://www.confickerworkinggroup.org/wiki/...fectionTracking 2009-09-21
Conficker C P2P Protocol and Implementation - http://mtc.sri.com/Conficker/P2P/ Last Update: 21 September 2009
> http://mtc.sri.com/Conficker/P2P/#overview
- http://isc.sans.org/tag.html?tag=conficker
Conficker Eye Chart - http://www.confickerworkinggroup.org/infec...cfeyechart.html
This post has been edited by AplusWebMaster: Sep 26 2009, 05:20 AM
Post #39 - Sep 29 2009, 11:37 AM
AplusWebMaster
FYI...
Botnet hides its commands... - http://www.secureworks.com/research/blog/i...as-jpeg-images/
September 29, 2009 - "SecureWorks... has been carefully monitoring the activity of the Monkif/DlKhora botnet. This bot is an example of a Downloader trojan, in that its primary purpose is to receive instructions to download and execute other malware. The trojan also attempts to disable anti-virus and personal firewall software to maintain its foothold on the system. One interesting technique the Monkif botnet utilizes to hide its intent on the network is to encode the instructions to appear as if the command and control server is returning a JPEG file. The server sets the HTTP Content-Type header to “image/jpeg” and prefaces the bot commands with a fake 32-byte JPEG header. The bot checks if the header matches and decodes the rest of the response to retrieve its commands. The commands are encoded using a single byte XOR with 0x4. The malware that CTU has observed being installed by Monkif is a BHO (Browser Helper Object) trojan commonly referred to as ExeDot, which performs Ad Hijacking and Ad Clicking. The botnet makes no attempt to pad the commands to make the data size representative of a true JPEG. In addition, the data will not parse to a legitimate JPEG. These attributes may provide opportunities for generic countermeasures to detect the traffic by identifying malformed image data..."
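The SecureWorks excerpt ends on the detection idea: a response that claims `image/jpeg` but whose body does not parse as a JPEG is worth flagging. The Python below is an added example written for this thread, not SecureWorks' code and not part of the original post. It parses a raw HTTP response, and when the Content-Type says `image/jpeg` it walks the JPEG marker segments (SOI, length-prefixed segments, SOS, EOI) to decide whether the body is structurally an image. The HTTP responses and bodies are constructed samples: a minimal valid JPEG, and two bodies that imitate the described "fake 32-byte header followed by non-image data" pattern with placeholder bytes rather than any real command stream.

```python
from typing import Dict, Tuple

# Markers that carry no length field: TEM, RSTn, SOI, EOI.
STANDALONE_MARKERS = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def looks_like_jpeg(body: bytes) -> Tuple[bool, str]:
    """Walk the JPEG marker segments and report whether the body is structurally
    a JPEG. Returns (ok, reason). Only structure is checked, nothing is decoded."""
    if len(body) < 4 or body[:2] != b"\xff\xd8":
        return False, "missing SOI marker"
    if body[-2:] != b"\xff\xd9":
        return False, "missing EOI marker"
    pos = 2
    while pos + 2 <= len(body):
        if body[pos] != 0xFF:
            return False, f"expected marker at offset {pos}"
        marker = body[pos + 1]
        if marker == 0xFF:            # fill byte, skip it
            pos += 1
            continue
        if marker in STANDALONE_MARKERS:
            if marker == 0xD9:
                return True, "ok"
            pos += 2
            continue
        if pos + 4 > len(body):
            return False, "truncated segment header"
        seg_len = int.from_bytes(body[pos + 2:pos + 4], "big")
        if seg_len < 2 or pos + 2 + seg_len > len(body):
            return False, f"bad segment length at offset {pos}"
        if marker == 0xDA:            # SOS: entropy-coded data follows up to EOI
            return True, "ok"
        pos += 2 + seg_len
    return False, "ran off end without EOI"


def parse_http_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into a lower-cased header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def inspect_response(raw: bytes) -> Dict[str, object]:
    """Flag a response whose Content-Type claims image/jpeg but whose body is not a JPEG."""
    headers, body = parse_http_response(raw)
    ctype = headers.get("content-type", "")
    verdict: Dict[str, object] = {"content_type": ctype, "suspicious": False, "reason": ""}
    if ctype.split(";")[0].strip().lower() == "image/jpeg":
        ok, reason = looks_like_jpeg(body)
        if not ok:
            verdict["suspicious"] = True
            verdict["reason"] = reason
    return verdict


def _http(body: bytes, ctype: str = "image/jpeg") -> bytes:
    """Wrap a body in a constructed HTTP/1.1 200 response."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype.encode()
            + b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed sample bodies (not captured traffic).
GENUINE_JPEG = (
    b"\xff\xd8"                                                        # SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0, length 16
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                      # SOS, length 8
    + b"\x12\x34\x56"                                                  # dummy scan data
    + b"\xff\xd9"                                                      # EOI
)
FAKE_HEADER = b"\xff\xd8\xff\xe0" + b"\x00" * 28   # 32 bytes that only look like a JPEG start
PLACEHOLDER = b"constructed placeholder standing in for encoded bot commands"

SAMPLES = {
    "genuine": _http(GENUINE_JPEG),
    "fake_no_eoi": _http(FAKE_HEADER + PLACEHOLDER),
    "fake_with_eoi": _http(FAKE_HEADER + PLACEHOLDER + b"\xff\xd9"),
    "plain_text": _http(PLACEHOLDER, "text/plain"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_response(raw))
```

The second fake sample shows why the trailing EOI check alone is not enough: a body can end in `FF D9` and still fail, because the segment walk finds an APP0 segment with a zero length at offset 2. In a proxy or IDS this check is cheap because it stops at the first SOS marker and never decodes pixel data.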
Post #40 - Oct 17 2009, 12:49 PM
AplusWebMaster
FYI...
2,000 legit sites serve malware - http://www.theregister.co.uk/2009/10/16/gu...web_compromise/
16 October 2009 - "Cybercriminals have laced about 2,000 legitimate websites with a potent malware cocktail that surreptitiously attacks people who browse to them, a security researcher warned Friday. Unlike past outbreaks of the mass web attack known as Gumblar, this round actually plants exploit code on the website servers themselves. Curiously, the directory and file name of the malicious payload is in most cases unique and identical to a legitimate file that existed on the website. The trick makes it extremely difficult for webmasters and anti-malware programs to detect the threats. "This is an ugly can of worms," said Mary Landesman, the ScanSafe security researcher who warned of the mass attack*. "Any time you see a new technique evolve like this the concern is we'll be seeing much more of this in the future, and certainly it complicates the remediation of the compromised website." Previously, Gumblar planted links in thousands of compromised websites that silently redirected users to a handful of servers that hosted the exploits. That method allowed white hats to foil the attack by shutting down one or two domains. With the malware embedded directly in the compromised websites, the take-down process is significantly more time consuming. Also making matters hard for Landesman to get the sites cleaned up: Most of the websites belong to small businesses that cater to non-English speakers..."
Gumblar Website Botnet Awakes
* http://blog.scansafe.com/journal/2009/10/1...net-awakes.html
** http://www.virustotal.com/analisis/7c9d0a6...05d1-1255452285
File HiwA7.dat received on 2009.10.13 16:44:45 (UTC) Result: 7/41 (17.07%)
Zeus Bot Joins Gumblar Attacks - http://blog.scansafe.com/journal/2009/10/2...ar-attacks.html
October 20, 2009 - "... unlike traditional compromises which simply inject pointers to malware hosted on an attacker-owned domain, in these attacks the compromised domain is also acting as host for the malware itself. This method of attack complicates remediation via technologies that rely on blacklisting because the number of compromised websites (now acting as malware hosts) is in the thousands. It also makes the Gumblar compromised websites a triple threat - potentially exposing visitors to the malware contained on the compromised site, and the malware loaded from ncenterpanel.cn*, and the malware loaded from other compromised sites."
* http://google.com/safebrowsing/diagnostic?...centerpanel.cn/
"...the last time suspicious content was found on this site was on 2009-10-28. Malicious software includes 1209 trojan(s), 876 scripting exploit(s)... this site has hosted malicious software over the past 90 days. It infected 487 domain(s)..."
This post has been edited by AplusWebMaster: Oct 28 2009, 06:56 AM
Post #41 - Oct 20 2009, 07:38 AM
AplusWebMaster
FYI...
Zbot botnet - new phishing attacks - http://www.darkreading.com/shared/printabl...cleID=220700200
Oct. 19, 2009 - "The massive Zbot botnet that spreads the treacherous Zeus banking Trojan has been launching a wave of relatively convincing phishing attacks during the past few days - the most recent of which is a phony warning of a mass Conficker infection from Microsoft that comes with a free "cleanup tool." The wave of attacks began early last week targeting corporations in the form of email messages that alerted victims of a "system upgrade." Email is accompanied by poisoned attachments and links; in some cases it poses as a message from victims' IT departments, including their actual email domains, and alerts them about a "security upgrade" to their email accounts. The message then refers victims to a link to reset their mailbox accounts, and the link takes them to a site that looks a lot like an Outlook Web Access (OWA) page (PDF), but instead infects them with the Zeus Trojan. Today, researchers at F-Secure spotted the botnet spamming out malware-laden email that tries to trick recipients with a convincing lure message that says, "On October 22, 2009 server upgrade will take place"... The Shadowserver Foundation has seen multiple versions of Zeus-related attacks lately, including the Conficker "cleanup utility" that poses as an email from Microsoft, according to Andre DiMino, director of Shadowserver. And the targeted Outlook attacks use real domains: "What is also interesting about the recent campaign is that the email comes from the targeted user's own domain with an 'administrator' prefix. The link is disguised to look like it's from an update server on the local domain, but instead points to the malicious location"..."
- http://atlas.arbor.net/
"... We are also seeing email spam attacks to spread malware from the Bredolab botnet, from the ZBot botnet, and a Rogue AV downloader purporting to be an anti-conficker system update."
This post has been edited by AplusWebMaster: Oct 21 2009, 10:58 AM
Post #42 - Oct 29 2009, 10:25 AM
AplusWebMaster
FYI...
Bredolab trojan - botnet targets Facebook users - http://www.computerworld.com/s/article/914...s?taxonomyId=16
October 28, 2009 - "A massive bot-based attack has been hitting Facebook users, with nearly three-quarters of a million users receiving fake password reset messages (email SPAM), according to security researchers. The attack, which began Monday afternoon, according to e-mail security vendor Cloudmark*, targets Facebook users with a spoofed message that claims recipients' Facebook passwords have been reset as a security measure. The messages, which come bearing subject lines such as "Facebook Password Reset Confirmation," include a file attachment that supposedly contains the new password. In fact, the attached .zip file includes a Trojan downloader, dubbed "Bredlab" by some antivirus companies, "Bredolab" by others... At least 8% of the users who have received one of the fake messages have tagged it as legitimate, going to the trouble of pulling the message from their junk folder - where Cloudmark has placed it - because they think it's real... Cloudmark has no data on how many users were actually duped into opening the .zip file and running the enclosed .exe that installs Bredolab..."
* http://news.cnet.com/8301-27080_3-10385498-245.html
> http://forums.whatthetech.com/SPAM_frauds_...st&p=606159
Post #43 - Nov 2 2009, 05:59 AM
AplusWebMaster
FYI...
Conficker infects 7M computers - http://www.computerworld.com/s/article/914...ts_7M_computers?
October 30, 2009 - "The Conficker worm has passed a dubious milestone. It has now infected more than 7 million computers, security experts estimate. On Thursday, researchers at the volunteer-run Shadowserver Foundation logged computers from more than 7 million unique IP addresses*, all infected by the known variants of Conficker. They have been able to keep track of Conficker infections by cracking the algorithm the worm uses to look for instructions on the Internet and placing their own "sinkhole" servers on the Internet domains it is programmed to visit. Conficker has several ways of receiving instructions, so the bad guys have still been able to control PCs, but the sinkhole servers give researchers a good idea how many machines are infected..."
* http://www.confickerworkinggroup.org/wiki/...fectionTracking
Conficker Eye Chart - http://www.confickerworkinggroup.org/infec...cfeyechart.html
Post #44 - Nov 2 2009, 07:29 AM
AplusWebMaster
FYI...
Gumblar attacks spread to thousands of new sites - http://threatpost.com/en_us/blogs/gumblar-...ew-sites-103009
October 30, 2009 - "Gumblar, the nasty bit of malware that was part of a mass SQL injection on legitimate Web sites this spring, is continuing to spread and its creators have been busy lately, compromising hundreds of new sites, leading to a massive new wave of infections of end-user PCs... In Gumblar's case, the iFrame redirection is the tactic of choice and it has been quite effective. In its original form Gumblar was redirecting victims to one of two remote sites, Gumblar .cn or Martuz .cn. The latest incarnation is pointing victims to thousands of servers in more than 200 countries that are now spreading Gumblar, according to research by Michael Molsner of Kaspersky Lab*. More than 7,200 servers spreading Gumblar are in the U.S., and many of the sites compromised around the globe are in the .gov and .edu domains. "Our accumulated data for one week showed 443748 access hits in total - and that is only a part of the whole incident. For several days after we noticed this new threat and added detection of the malicious files targeting Adobe Reader and Flash Player, there was surprisingly little talk about it in IT security circles. The 'new gumblar' took some time to get noticed more widely and _still_ seems unnoticed by many. However, it is very active indeed and as a side effect several PC vendors' support lines have been flooded with queries about sudden reboots etc. There are also reports that machines infected with a buggy version of gumblar fail to boot completely, leaving the screen black and only the mouse pointer visible." Experts say that many of the machines that have been infected with Gumblar and other similar pieces of malware often are re-infected once they've been cleaned as users don't realize that their browsers are vulnerable and that the seemingly safe sites they're visiting are in fact serving malware."
* http://www.viruslist.com/en/weblog?weblogid=208187886 October 30, 2009
- http://google.com/safebrowsing/diagnostic?site=gumblar.cn/
"... last time Google visited this site was on 2009-11-01, and the last time suspicious content was found on this site was on 2009-11-01... It infected 6073 domain(s)..."
- http://google.com/safebrowsing/diagnostic?site=martuz.cn/
"... last time Google visited this site was on 2009-11-01, and the last time suspicious content was found on this site was on 2009-11-01... It infected 8328 domain(s)..."
Post #45 - Nov 4 2009, 07:08 AM
AplusWebMaster
FYI...
Fast Flux by the Numbers - Q3 2009 - http://asert.arbornetworks.com/2009/11/q3-...by-the-numbers/
November 2, 2009 - "... This year’s seen a huge uptick in Avalanche domains**, and the release of notes from ICANN on the Fast Flux Working Group* as well as a specific note around Avalanche. Arbor, like a few others, has been actively working with registries to address fast flux... Comparing to Q2... the biggest gainers are .tk and .eu, with .uk coming in as a new top 10 player. We’ve been trying to work with .eu as they are being targeted, along with .uk, by the Avalanche guys. However, our efforts in .eu are largely fruitless while Nominet in the UK has defended .uk quite handily. The .tk stuff we’re looking at, as it could be a false positive due to the way that .tk hosts stuff... Across all domain names, in Q3 we saw more TLDs hit, some 34 (against Q2’s 26 distinct TLDs). The attackers are striking at more TLDs in hopes of finding the soft spots, ones that just don’t respond. The average lifetime of a fast flux domain name: 418063 seconds, or about 9.7 days. CN domains are taken down within 7.8 days, EU domain names within 1.6 days, COM domains within 7.23 days, and TK domains within 1.44 days... Average lifetime of all domains in Q2: 21 days. Three weeks! That’s success now that we’re down to under 10 days. A cursory examination of this data suggests that while numbers are up, response times are getting better. This may be something worth cheering. Also, it appears that fast flux is still being used for the same old stuff: phishing, malware, malvertising, child porn, and the like." (Charts available at the URL above.)
- http://atlas.arbor.net/summary/fastflux
Fast Flux Working Group
* https://st.icann.org/pdp-wg-ff/index.cgi?fast_flux_pdp_wg
** http://threatpost.com/en_us/blogs/avalanch...-attacks-102309