Pandemic of the botnets 2012 ...


38 replies to this topic

#16 AplusWebMaster
  • Authentic Member
  • 8,380 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 06 March 2012 - 10:33 AM

FYI...

DNS Changer gets extension for infected PCs fix...
- https://krebsonsecur...r-infected-pcs/
Mar 6, 2012 - "Millions of PCs sickened by a global computer contagion known as DNSChanger were slated to have their life support yanked on March 8. But an order handed down Monday by a federal judge will delay that disconnection by 120 days to give companies, businesses and governments more time to respond to the epidemic. The reprieve came late Monday, when the judge overseeing the U.S. government’s landmark case against an international cyber fraud network agreed that extending the deadline was necessary “to continue to provide remediation details to industry channels approved by the FBI”..."
___

DNS Changer Eye Chart:
New: http://www.dcwg.org/detect/

- https://www.us-cert....changer_malware
April 24, 2012
___

Tool available for those affected by the DNS-Changer
- https://www.avira.co...etail/kbid/1199
Last updated: Feb 2, 2012 - "... a restart of Windows will be necessary after the execution of the tool and a successful repair."

Download Avira DNS Repair-Tool
- https://www.avira.co...DNSRepairEN.exe
___

- https://www.us-cert....t_click_malware
updated March 7, 2012 - "... new deadline is July 9, 2012..."


Edited by AplusWebMaster, 25 April 2012 - 07:53 AM.



#17 AplusWebMaster

Posted 26 March 2012 - 04:18 AM

FYI...

Zeus botnets disrupted ...
- https://blogs.techne...Redirected=true
25 Mar 2012 - "... This week, Microsoft has partnered with security experts and the financial services industry on a new action codenamed Operation b71* to disrupt some of the worst known botnets using variants of the notorious Zeus malware (which we detect as Win32/Zbot). Due to the complexities of these targets, unlike Microsoft’s prior botnet operations, the goal of this action was not the permanent shutdown of all impacted Zeus botnets. However, this action is expected to significantly impact the cybercriminals’ operations and infrastructure, advance global efforts to help victims regain control of their infected computers and also help further investigations against those responsible for the threat. The Zbot/Zeus threat has targeted the financial sector for quite some time... Millions of dollars of fraud are a result of this family of threat and it has taken cross-industry collaboration to take effective action against it. Microsoft has partnered with FS-ISAC, NACHA, Kyrus Tech, F-Secure and others to disrupt a large portion of the command and control infrastructure of various botnets using Zbot, Spyeye and Ice IX variants of the Zeus family of malware... MMPC is committed to partnering across the industry to help disrupt threats to the Internet and our customers. We will have more to share on Project MARS and related operations as we move forward."
* https://blogs.techne...Redirected=true

- https://www.f-secure...s/00002337.html
March 26, 2012 - "... abuse.ch's ZeuS Tracker* are currently reporting 350 C&C servers online, so there's plenty more work to be done..."
* https://zeustracker.abuse.ch/index.php
___

- http://www.theinquir...st-zeus-botnets
Mar 26 2012 - "... Microsoft said it has detected more than 13 million suspected infections of this malware worldwide..."
- http://www.theregist...otnet_takedown/
March 26, 2012
- https://www.nytimes....line-crime.html
March 26, 2012


Edited by AplusWebMaster, 27 March 2012 - 03:03 AM.


#18 AplusWebMaster

Posted 28 March 2012 - 07:53 AM

FYI...

Kelihos.B botnet sinkholed...
- http://blog.crowdstr...0000-nodes.html
March 28, 2012 - "... CrowdStrike has teamed up with security experts from Dell SecureWorks, the Honeynet Project and Kaspersky to take out a peer-to-peer botnet which we believe is the newest offspring of a family that has been around since 2007: Kelihos.B, a successor of Kelihos, Waledac and the Storm Worm. Traditionally, the botnets in this family are known for spamming, but the newest version is also capable of stealing bitcoin wallets from infected computers... Just like its brothers, Kelihos.B relies on a self-organizing, dynamic peer-to-peer topology to make its infrastructure more resilient against takedown attempts. It further uses a distributed layer of command-and-control servers with hosts registered in countries like Sweden, Russia, and Ukraine that are in turn controlled by the botmaster... We are working with our partners to inform ISPs about infections in their network and make sure that Kelihos.B remains safely sinkholed..."

- https://krebsonsecur...os-spam-botnet/
March 28, 2012

OS versions - botted w/Kelihos.B
- https://www.secureli...g/208193433.jpg
Bot locations:
- https://www.secureli...g/208193434.jpg

- http://www.darkreadi...le/id/232700418
Mar 28, 2012

- http://www.securewor...otnet_takeover/
28 March 2012

- https://www.virustot...e3aae/analysis/
File name: db95341667fb5e5553a1cb0113e21205
Detection ratio: 13/42
Analysis date: 2012-03-27 19:51:52 UTC
- https://www.virustot...4da4c/analysis/
File name: 84cbcfababd4eafd1a8a4872b9169362
Detection ratio: 15/42
Analysis date: 2012-03-27 20:06:04 UTC


Edited by AplusWebMaster, 30 March 2012 - 06:18 AM.


#19 AplusWebMaster

Posted 30 March 2012 - 05:01 AM

FYI...

Kelihos.B - still live and social
- http://blog.seculert...and-social.html
March 29, 2012 - "... Several weeks ago, Seculert discovered that Kelihos.B had found a new and "social way" to expand, using an already-known social worm malware*, but now it had started targeting Facebook users... Up to now Seculert has identified more than 70,000 Facebook users that are infected with the Facebook worm, and sending the malicious links to their Facebook friends...
[Pie chart/infections by country]: http://3.bp.blogspot...fbwormstats.png
... at the time of this writing, Seculert can still see that Kelihos is being spread using the Facebook worm. Also, there is still communication activity of this malware with the Command-and-Control servers through other members of the botnet. This means that the Kelihos.B botnet is still up and running. It is continuously expanding with new infected machines, and actively sending spam. Some might call this "a new variant", or Kelihos.C. However, as the new infected machines are operated by the same group of criminals, which can also regain access to the sinkholed bots through the Facebook worm malware, we believe that it is better to still refer to this botnet as Kelihos.B."
* http://blog.emsisoft...got-u-surprise/


#20 AplusWebMaster

Posted 05 April 2012 - 04:19 AM

FYI...

550,000 strong Mac botnet
- http://news.drweb.co...&c=5&lng=en&p=0
April 4, 2012 - "... Attackers began to exploit CVE-2011-3544 and CVE-2008-5353 vulnerabilities to spread malware in February 2012, and after March 16 they switched to another exploit (CVE-2012-0507)... Over 550,000 infected machines running Mac OS X have been a part of the botnet on April 4. These only comprise a segment of the botnet set up by means of the particular BackDoor.Flashback* modification. Most infected computers reside in the United States (56.6%, or 303,449 infected hosts), Canada comes second (19.8%, or 106,379 infected computers), the third place is taken by the United Kingdom (12.8% or 68,577 cases of infection) and Australia with 6.1% (32,527 infected hosts) is the fourth..."
* http://vms.drweb.com...kDoor.Flashback

Charted: https://st.drweb.com...pril/map2.1.png

- https://www.secureli...otnet_confirmed
April 06, 2012 Kaspersky - "... we were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID, we were able to calculate the number of active bots. Our logs indicate that a total of 600 000+ unique bots connected to our server in less than 24 hours. They used a total of 620 000+ external IP addresses... More than 98% of incoming network packets were most likely sent from Mac OS X hosts. Although this technique is based on heuristics and can’t be completely trusted, it can be used for making order-of-magnitude estimates. So, it is very likely that most of the machines running the Flashfake bot are Macs..."
___

- https://krebsonsecur...-mac-java-flaw/
April 4th, 2012

Trojan-Downloader:OSX/Flashback.I
- https://www.f-secure...ashback_i.shtml
Detection Names: Exploit:Java/Flashback.I, Trojan-Downloader:OSX/Flashback.I, Trojan:OSX/Flashback.I, Backdoor: OSX/Flashback.I
Category: Malware
Type: Trojan-Downloader
Platform: OSX
"... Manual Removal... recommended only for advanced users..."


Edited by AplusWebMaster, 07 April 2012 - 08:42 PM.


#21 AplusWebMaster

Posted 10 April 2012 - 10:35 AM

FYI...

Flashback botnet checker ...
- http://atlas.arbor.n...dex#-1335098248
April 09, 2012 - "This resource allows a manual pasting of an OSX system's unique identifier into a form that will show if that machine is part of the Flashback botnet.
Analysis: This tool is provided by Dr. Web who first published details on the OSX Flashback infections. It does not scale well but allows for manual checking and can be helpful for end users."
Source: http://public.dev.drweb.com/april/
"Dear Mac OS user..."

- http://atlas.arbor.n...ndex#-824346427
April 09, 2012
___

Symantec OSX.Flashback.K Removal Tool
- http://www.symantec....-041214-1825-99
April 12, 2012

F-secure Flashback Removal Tool
- http://www.f-secure....backRemoval.zip
"... tool linked above has been updated April 12th..."

Infection by OSX version - chart
- https://www.f-secure...cOSXVerions.png

> http://forums.whatth...=...st&p=781131
April 12, 2012


Edited by AplusWebMaster, 24 April 2012 - 07:23 AM.
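Post #20 quotes Kaspersky counting Flashback bots by the hardware UUID each check-in carries (600,000+ UUIDs from 620,000+ external IPs), and post #21 describes the Dr.Web form that tells a Mac user whether their UUID was seen at the sinkhole. The script below is an added example, not code from either vendor, showing both steps over a constructed sinkhole log: it de-duplicates bots by UUID rather than by IP, reports which bots were seen from more than one address (the reason the IP count can exceed the bot count), and answers the "is my UUID in there?" lookup. The log line format is an assumption; the real Flashback check-in format is not shown on this page.

```python
import re
from collections import defaultdict

# Constructed sinkhole access log (assumed format, one check-in per line):
#   <client ip> <timestamp> <request path> <hardware UUID reported by the bot>
# The UUIDs and addresses are made up for this example.
SAMPLE_LOG = """\
203.0.113.10 2012-04-06T10:00:01Z /index.php 6F1A2B3C-1111-4D5E-8F90-ABCDEF000001
203.0.113.10 2012-04-06T10:05:07Z /index.php 6F1A2B3C-1111-4D5E-8F90-ABCDEF000001
198.51.100.7 2012-04-06T10:06:33Z /index.php 6F1A2B3C-2222-4D5E-8F90-ABCDEF000002
198.51.100.7 2012-04-06T10:07:01Z /index.php 6F1A2B3C-3333-4D5E-8F90-ABCDEF000003
192.0.2.44 2012-04-06T11:00:00Z /index.php 6F1A2B3C-2222-4D5E-8F90-ABCDEF000002
192.0.2.45 2012-04-06T11:00:00Z /favicon.ico -
"""

# Standard 8-4-4-4-12 hex UUID; matched case-insensitively, stored upper-case.
UUID_RE = re.compile(r"\b[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\b")


def parse_sinkhole_log(text):
    """Yield (client_ip, uuid) for each line that carries a hardware UUID.
    Lines without one (crawlers, favicon requests, probes) are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        match = UUID_RE.search(parts[3])
        if match:
            yield parts[0], match.group(0).upper()


def summarize(text):
    """Count bots by UUID (not by IP) and record every address each bot used."""
    ips_per_bot = defaultdict(set)
    for ip, uuid in parse_sinkhole_log(text):
        ips_per_bot[uuid].add(ip)
    all_ips = set().union(*ips_per_bot.values()) if ips_per_bot else set()
    return {
        "bots": len(ips_per_bot),
        "ips": len(all_ips),
        # Bots seen from several addresses: DHCP churn, NAT, roaming laptops.
        "multi_ip_bots": sorted(u for u, ips in ips_per_bot.items() if len(ips) > 1),
        "index": ips_per_bot,
    }


def is_infected(hardware_uuid, index):
    """The lookup the Dr.Web form performs: has this UUID checked in?"""
    return hardware_uuid.strip().upper() in index


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result["bots"], "bots seen from", result["ips"], "addresses")
    print("bots with more than one address:", result["multi_ip_bots"])
    print(is_infected("6f1a2b3c-1111-4d5e-8f90-abcdef000001", result["index"]))
```

Counting by UUID is what makes the vendor figures comparable: a per-IP count double-counts bots behind changing addresses and under-counts bots behind a shared NAT, which is why the two numbers in the Kaspersky post differ.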


#22 AplusWebMaster

Posted 24 April 2012 - 07:23 AM

FYI...

Flashback numbers -not- going down - still over half a million
- http://www.h-online....iew=zoom;zoom=1
Graphic - 24 April 2012

- http://www.intego.co...thout-password/
April 23, 2012


#23 AplusWebMaster

Posted 22 May 2012 - 03:18 PM

FYI...

Google: infected users affected by the DNSChanger malware ...
- http://googleonlines...dnschanger.html
May 22, 2012 - "Starting today we’re undertaking an effort to notify roughly half a million people whose computers or home routers are infected with a well-publicized form of malware known as DNSChanger. After successfully alerting a million users last summer to a different type of malware, we’ve replicated this method and have started showing warnings via a special message* that will appear at the top of the Google search results page for users with affected devices...
* http://4.bp.blogspot...ger warning.png
... Our goal with this notification is to raise awareness of DNSChanger among affected users. We believe directly messaging affected users on a trusted site and in their preferred language will produce the best possible results. While we expect to notify over 500,000 users within a week, we realize we won’t reach every affected user. Some ISPs have been taking their own actions, a few of which will prevent our warning from being displayed on affected devices. We also can’t guarantee that our recommendations will always clean infected devices completely, so some users may need to seek additional help. These conditions aside, if more devices are cleaned and steps are taken to better secure the machines against further abuse, the notification effort will be well worth it."
___

DNS Changer Eye Chart:
>> http://www.dcwg.org/detect/


#24 AplusWebMaster

Posted 03 July 2012 - 02:31 PM

FYI...

Zbot relentless - Anti-emulations
- http://www.symantec....anti-emulations
July 3, 2012 - "A couple of months ago, Microsoft took out some Trojan.Zbot servers across the world. The impact was short-lived. Even though for a span of about two weeks, we saw virtually no Trojan.Zbot activity, relentless Trojan.Zbot activity has resumed — with some added new social-engineering techniques as well as some new techniques to help Trojan.Zbot avoid antivirus detection... The effort that has been made by the Trojan.Zbot malware writers is not limited to one, or even a couple of techniques. In most malware variants there are many simple or complicated techniques to help avoid detection... These techniques are part of ever-evolving malware techniques, especially from professional malware writers who invest a large amount of time researching new techniques to -evade- antivirus detection..."

Botnet infections in the enterprise
- http://atlas.arbor.n...index#730205984
July 03, 2012
The scope and costs of botnet infections require a change in tactics.
Analysis: While automation is critical, automated security systems such as IDS's, firewalls, vulnerability scanning solutions, etc. are -not- a fool-proof solution and must be augmented and run by skilled practitioners. Attackers know how to bypass many security systems, and without skilled practitioners in the loop, this trend will continue...


Edited by AplusWebMaster, 03 July 2012 - 07:08 PM.


#25 AplusWebMaster

Posted 06 July 2012 - 08:34 AM

FYI...

DNSchanger shutdown ...
- http://www.theregist...otnet_shutdown/
5 July 2012 - "An estimated 300,000 computer connections are going to get scrambled when the FBI turns off the command and control servers for the DNSChanger botnet on Monday...
DNSChanger reroutes DNS requests to its own servers and then pushes scareware and advertising to infected machines. Shutting it down, however, will leave computers unable to access websites and email properly without a fix being applied. The FBI had been due to shut down DNSChanger in March, but left it up for an extra three months to allow more time for users to disinfect their systems. Companies and governments have made a big effort to clean systems with the help of the DNS Changer Working Group (DCWG)*, which was set up by security experts to manage the problems. But according to the latest DCWG data, there are still 303,867 infected systems out there..."

* http://www.dcwg.org/detect/
"... quick way to determine if you are infected with DNS Changer. Each site is designed for any normal computer user to browse to a link, follow the instructions, and see if they might be infected. Each site has instructions in their local languages on the next steps to clean up possible infections..."

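Posts #16 and #25 point at the DCWG "eye chart" and the Avira repair tool for finding out whether a machine is still using the rogue resolvers before the July 9 shutdown. What those checks boil down to is reading the DNS servers a host (or its home router) is configured with and testing them against the address ranges the Rove Digital resolvers lived in. The script below is an added example, not the DCWG's or Avira's code: it parses a constructed `/etc/resolv.conf` and a constructed `ipconfig /all` excerpt and flags any resolver inside those ranges. The six ranges are the ones published in the FBI/DCWG DNSChanger notices; they are not listed on this page, so re-verify them against dcwg.org before acting on a match, and remember that a router infection means the host's own settings can look clean while the router hands out the rogue servers via DHCP.

```python
import ipaddress
import re

# Resolver ranges from the FBI/DCWG DNSChanger (Rove Digital) notices.
# They are not on this page; verify against dcwg.org before relying on them.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]

# Constructed /etc/resolv.conf (not from a real host).
SAMPLE_RESOLV_CONF = """\
# handed out by a hypothetical infected home router
nameserver 85.255.112.36
nameserver 8.8.8.8
"""

# Constructed `ipconfig /all` excerpt (not from a real host).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.test
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   DNS Servers . . . . . . . . . . . : 93.188.160.10
                                       208.67.222.222
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def parse_ipconfig(text):
    """Return the 'DNS Servers' entries from `ipconfig /all` output, including
    the indented continuation lines Windows uses for additional servers."""
    servers = []
    collecting = False
    for line in text.splitlines():
        first = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if first:
            servers.append(first.group(1))
            collecting = True
            continue
        more = re.match(r"\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", line) if collecting else None
        if more:
            servers.append(more.group(1))
        else:
            collecting = False
    return servers


def rogue_resolvers(servers):
    """Return the configured resolvers that fall inside a DNSChanger range."""
    hits = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            continue  # not a literal address (e.g. a hostname); skip it
        if any(addr in net for net in ROGUE_RANGES):
            hits.append(server)
    return hits


if __name__ == "__main__":
    for label, servers in (("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF)),
                           ("ipconfig", parse_ipconfig(SAMPLE_IPCONFIG))):
        print(label, servers, "rogue:", rogue_resolvers(servers))
```

A hit means the machine will lose name resolution when the replacement servers go dark, which is the failure mode the post describes; fixing the resolver setting (or the router) is the repair, and the Avira tool's required reboot is there so the new setting takes effect.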



#26 AplusWebMaster

Posted 19 July 2012 - 09:46 AM

FYI...

Grum botnet takedown ...
- http://blog.fireeye....afe-havens.html
2012.07.18 - "... the Grum botnet has finally been knocked down. All the known command and control (CnC) servers are dead, leaving their zombies orphaned... According to data coming from Spamhaus, on average, they used to see around 120,000 Grum IP addresses sending spam each day, but after the takedown, this number has reduced to 21,505. I hope that once the spam templates expire, the rest of the spam will fade away as well..."

- http://h-online.com/-1647692
19 July 2012 - "... The botnet is believed to have been responsible for as much as 18% of total global spam, which amounts to approximately 18 billion messages a day..."

Spam Stats
- https://www.trustwav..._statistics.asp
Week ending July 22, 2012


Edited by AplusWebMaster, 23 July 2012 - 07:41 AM.


#27 AplusWebMaster

Posted 03 August 2012 - 02:37 PM

FYI...

APTs more prolific ...
- http://www.darkreadi...le/id/240004827
Aug 02, 2012 - "... cyberespionage malware and activity is far more prolific than imagined: (Joe Stewart - Dell Secureworks) has discovered some 200 different families of custom malware used to spy and steal intellectual property, with hundreds of attackers in just two groups out of Shanghai and Beijing... Stewart also unearthed a private security firm located in Asia - not in China - that is waging a targeted attack against another country's military operations, as well as spying on U.S. and European companies and its own country's journalists. He declined to provide details on the firm or its country of origin, but confirmed it's based in a nation that's "friendly" with the U.S... Stewart plans to continue hunting down APT attackers... The full report is here*."
* http://www.securewor...ts/chasing_apt/
23 July 2012 - "... tracking numerous digital elements involved in cyber-espionage activity:
• More than 200 unique families of -custom- malware used in cyber-espionage campaigns.
• More than 1,100 domain names registered by cyber-espionage actors for use in hosting malware C2s or spearphishing.
• Nearly 20,000 subdomains of the 1,100 domains (plus a significant number of dynamic DNS domains) are used for malware C2 resolution.
This quantity of elements rivals many large conventional cybercrime operations. However, unlike the largest cybercrime networks that can contain millions of infected computers in a single botnet, cyber-espionage encompasses tens of thousands of infected computers spread across hundreds of botnets, each of which may only control a few to a few hundred computers at a time. Therefore, each time an "APT botnet" is discovered, it tends to look like a fairly small-scale operation. But this illusion belies the fact that for every APT botnet that is discovered and publicized, hundreds more continue to lie undetected on thousands of networks..."
(More detail at the Secureworks URL above.)


Edited by AplusWebMaster, 03 August 2012 - 02:41 PM.


#28 AplusWebMaster

Posted 10 September 2012 - 05:05 PM

FYI...

Godaddy DDoS attack in progress
- https://isc.sans.edu...l?storyid=14062
Last Updated: 2012-09-10 21:39:54 UTC ...(Version: 2)
Update: GoDaddy appears to make some progress getting services back online. The web site is responding again. DNS queries appear to be still timing out and logins into the site fail. (17:30 ET) GoDaddy is currently experiencing a massive DDoS attack. "Anonymous" was quick to claim responsibility, but at this point, there has been no confirmation from GoDaddy. GoDaddy only stated via twitter: "Status Alert: Hey, all. We're aware of the trouble people are having with our site. We're working on it." The outage appears to affect the entire range of GoDaddy hosted services, including DNS*, Websites and E-Mail. You may experience issues connecting to sites that use these services (for example our DShield.org domain is hosted with GoDaddy)..."

* Alternate DNS: http://208.69.38.205/


#29 AplusWebMaster

Posted 11 September 2012 - 06:39 AM

GoDaddy's network status:
- http://support.godad.../system-alerts/

"Recently Resolved Issues
Resolved September 10, 2012 at 6:41 PM
... Known Issues
Updated:
06:22 MST
No issues to report"
___

- https://www.godaddy....ews_item_id=410
"... We have determined the service outage was due to a series of internal network events that corrupted router data tables... We have implemented measures to prevent this from occurring again. At no time was any customer data at risk or were any of our systems compromised...
- Scott Wagner Go Daddy CEO"


Edited by AplusWebMaster, 11 September 2012 - 01:50 PM.


#30 AplusWebMaster

Posted 13 September 2012 - 09:24 AM

FYI...

Nitol botnet takedown
- https://blogs.techne...Redirected=true
13 Sep 2012 - "... the U.S. District Court for the Eastern District of Virginia granted Microsoft’s Digital Crimes Unit permission to disrupt more than 500 different strains of malware with the potential for targeting millions of innocent people. Codenamed “Operation b70,” this legal action and technical disruption proceeded from a Microsoft study which found that cybercriminals infiltrate unsecure supply chains to introduce counterfeit software embedded with malware for the purpose of secretly infecting people’s computers. In disrupting these malware strains, we helped significantly limit the spread of the developing Nitol botnet... On Sept. 10, the court granted Microsoft’s request for an ex parte temporary restraining order against Peng Yong, his company and other John Does. The order allows Microsoft to host the 3322 .org domain, which hosted the Nitol botnet, through Microsoft’s newly created domain name system (DNS). This system enables Microsoft to block operation of the Nitol botnet and nearly 70,000 other malicious subdomains hosted on the 3322 .org domain, while allowing all other traffic for the legitimate subdomains to operate without disruption. This action will significantly reduce the impact of the menacing and disturbing threats associated with Nitol and the 3322 .org domain, and will help rescue people’s computers from the control of this malware... Cybercriminals have made it clear that anyone with a computer could become an unwitting mule for malware; today’s action is a step toward preventing that... If you believe your computer might be infected with malware, we encourage you to visit http://support.microsoft.com/botnets as this site offers free information and tools to analyze and clean your computer..."

- https://krebsonsecur...f-infected-pcs/
Sep 19, 2012 - "... Microsoft said that within hours of the takeover order being granted, it saw more than 35 million unique Internet addresses phoning home to those 70,000 malicious domains... graphic* provided by Microsoft..."
* https://krebsonsecur.../09/mal3322.png
___

- https://blog.damball...m/archives/1806
Sep 13, 2012 - "... Nitol... employs multiple domains from several free dynamic DNS providers, including -other- four-digit .ORG domain services such as
6600 .org, 7766 .org, 2288 .org and 8866 .org..."

(Highly recommend blocking those addresses also, if you haven't already.)


Edited by AplusWebMaster, 19 September 2012 - 12:21 PM.
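The Microsoft post above describes a selective DNS takeover: Microsoft serves the 3322 .org zone itself, sinkholes the roughly 70,000 malicious subdomains, and lets every other subdomain resolve as before. The Damballa note and the poster's advice then add four other four-digit dynamic-DNS zones (6600 .org, 7766 .org, 2288 .org, 8866 .org) that are worth blocking outright on your own resolver. The script below is an added example, not Microsoft's or Damballa's code, that encodes both decisions as a resolver policy and runs it over a constructed resolver query log to find internal clients that are "phoning home". The sinkholed subdomain names and the client addresses are constructed stand-ins; the real 70,000 names are not on this page.

```python
from collections import defaultdict

# Zone that keeps resolving except for the listed malicious subdomains
# (what the post says Microsoft did for 3322.org).
SELECTIVE_ZONE = "3322.org"
# Constructed stand-ins for the sinkholed names; the real list is not on this page.
SINKHOLED_SUBDOMAINS = {"c2-example.3322.org", "update-example.3322.org"}
# Dynamic-DNS zones named by Damballa; blocked wholesale as the poster recommends.
BLOCKED_ZONES = {"6600.org", "7766.org", "2288.org", "8866.org"}


def _norm(name):
    """Lower-case and strip the trailing dot so 'Foo.3322.org.' matches 'foo.3322.org'."""
    return name.rstrip(".").lower()


def _in_zone(name, zone):
    """True for the zone apex and anything beneath it, never for 'not3322.org'."""
    return name == zone or name.endswith("." + zone)


def decide(qname):
    """Return SINKHOLE, BLOCK or RESOLVE for one query name."""
    name = _norm(qname)
    if _in_zone(name, SELECTIVE_ZONE):
        # Labels beneath a sinkholed name (www.c2-example.3322.org) are sinkholed too.
        if any(_in_zone(name, bad) for bad in SINKHOLED_SUBDOMAINS):
            return "SINKHOLE"
        return "RESOLVE"  # legitimate 3322.org subdomains keep working
    if any(_in_zone(name, zone) for zone in BLOCKED_ZONES):
        return "BLOCK"
    return "RESOLVE"


# Constructed resolver query log: "<client ip> <qname> <qtype>" per line.
SAMPLE_QUERIES = """\
10.0.0.5 c2-example.3322.org A
10.0.0.5 www.C2-Example.3322.org. A
10.0.0.9 home-user-blog.3322.org A
10.0.0.12 something.7766.org A
10.0.0.12 www.microsoft.com A
"""


def flag_clients(log_text):
    """Map each client that hit a sinkholed or blocked name to what it asked for."""
    flagged = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        verdict = decide(parts[1])
        if verdict != "RESOLVE":
            flagged[parts[0]].append((_norm(parts[1]), verdict))
    return dict(flagged)


if __name__ == "__main__":
    for client, hits in sorted(flag_clients(SAMPLE_QUERIES).items()):
        print(client, hits)
```

The same three outcomes map directly onto a BIND response policy zone: `CNAME .` entries for the blocked zones and sinkholed names, and `CNAME rpz-passthru.` for the rest of 3322 .org so its legitimate users are not caught by the wildcard. Whatever the mechanism, log the clients that trip the policy; a query for a sinkholed name is the infected-host signal the Krebs post's "phoning home" figure is built on.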
