
Pandemic of the botnets 2010


51 replies to this topic

#1 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 18 January 2010 - 11:10 AM

FYI...

Conficker worm - Akamai report
- http://www.computerw...way_Akamai_says?
January 15, 2010 - "Variants of the Conficker worm were still active and spreading* during the third quarter, accounting for much of attack traffic on the Internet, according to Akamai Technologies... During the third quarter, 78 percent of Internet attacks observed by Akamai targeted port 445, up from 68 percent during the previous quarter. Port 445, which is used by Microsoft Directory Services, is the same port that Conficker targets, aiming to exploit a buffer overflow vulnerability in Windows and infect the targeted computer. Most attacks originated from Russia and Brazil, which replaced China and the U.S., as the top two sources of attack traffic. Russia and Brazil accounted for 13 percent and 8.6 percent of attack traffic, respectively, Akamai said. The U.S., which came in at No. 3, accounted for 6.9 percent of attack traffic and No. 4 China accounted for 6.5 percent..."
* http://www.conficker...nTracking#toc12

Conficker Working Group
- http://www.conficker...group.org/wiki/

> http://www.team-cymr...itoring/Graphs/

- http://blog.trendmic...ownadconficker/
Jan 26, 2010

:ph34r: :angry: :ph34r:

Edited by AplusWebMaster, 26 January 2010 - 11:04 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#2 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 30 January 2010 - 06:58 AM

FYI...

Pushdo DDoS'ing or Blending In?
- http://www.shadowser...lendar/20100129
29 January 2010 - "Is your site on the list we have posted here* or in the table at the bottom of this page? If so you might have noticed a massive uptick in SSL connections to your website over the past week or so. What do I mean by massive? I mean you are likely seeing an unexpected increase in traffic by several million hits spread out across several hundred thousand IP addresses... it seems the Pushdo** botnet recently made changes to its code to cause infected nodes to create junk SSL connections to approximately 315 different websites..."

* http://www.shadowser...ushdo_sites.txt

** http://www.securewor...threats/pushdo/

>>> (More detail at the Shadowserver URL above.)

(Hundreds) under bizarre SSL assault
- http://www.theregist...ssl_web_attack/
29 January 2010 20:55 GMT

- http://isc.sans.org/...ml?storyid=8125
Last Updated: 2010-01-30 11:09:16 UTC

- http://www.m86securi...trace.1230~.asp
January 26, 2010

- http://www.darkreadi...cleID=222600679
Feb. 1, 2010

- http://isc.sans.org/...ml?storyid=8131
Last Updated: 2010-02-02 15:57:18 UTC

:ph34r: <_<

Edited by AplusWebMaster, 02 February 2010 - 04:29 PM.

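Added example, not from this thread or from the Akamai and Shadowserver reports quoted in posts #1 and #2: both traffic patterns described there, Conficker-style fan-out from one source to many hosts on TCP/445 and Pushdo-style fan-in of junk SSL connections from a huge number of sources to one site, show up in plain flow records without any payload inspection. The Python below parses constructed flow lines (timestamp, source, destination, port, protocol; every address and the per-server baseline are made up for the example) and applies one detector for each pattern.

```python
from collections import defaultdict

# Constructed sample flow records (not captured traffic), one flow per line:
#   timestamp  src_ip  dst_ip  dst_port  proto
SCAN_FLOWS = """\
2010-01-29T10:00:01 10.0.0.5 10.0.1.1 445 tcp
2010-01-29T10:00:01 10.0.0.5 10.0.1.2 445 tcp
2010-01-29T10:00:02 10.0.0.5 10.0.1.3 445 tcp
2010-01-29T10:00:02 10.0.0.5 10.0.1.4 445 tcp
2010-01-29T10:00:03 10.0.0.5 10.0.1.5 445 tcp
2010-01-29T10:00:03 10.0.0.5 10.0.1.6 445 tcp
2010-01-29T10:00:04 10.0.0.6 10.0.1.1 445 tcp
2010-01-29T10:00:05 10.0.0.6 10.0.1.2 445 tcp
2010-01-29T10:00:06 10.0.0.7 10.0.1.9 80 tcp
2010-01-29T10:00:07 10.0.0.8 192.0.2.20 443 tcp
2010-01-29T10:00:08 10.0.0.9 192.0.2.20 443 tcp
2010-01-29T10:00:09 10.0.0.10 192.0.2.20 443 tcp
"""


def _flood_source(i):
    """300 distinct constructed client addresses drawn from two documentation /24s."""
    return f"203.0.113.{i + 1}" if i < 254 else f"198.51.100.{i - 253}"


# One TLS connection from each of 300 distinct sources to a single web server: the
# Pushdo pattern, where per-source volume is tiny but the fan-in is enormous.
FLOOD_FLOWS = "".join(
    f"2010-01-29T10:01:{i % 60:02d} {_flood_source(i)} 192.0.2.10 443 tcp\n"
    for i in range(300)
)

# Constructed baseline: distinct client IPs each server normally sees in a window.
BASELINE = {"192.0.2.10": 12, "192.0.2.20": 15}


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def detect_port_scanners(flows, port=445, min_targets=5):
    """Conficker-style fan-out: sources that touched at least min_targets distinct hosts on port."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == port:
            targets[f["src"]].add(f["dst"])
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


def detect_ssl_floods(flows, baseline, factor=10, min_sources=100):
    """Pushdo-style fan-in: destinations on 443 seeing far more distinct clients than baseline.
    Both an absolute floor and a multiple of the baseline are required, so a small server
    that goes from 2 clients to 25 does not page anyone."""
    sources = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == 443:
            sources[f["dst"]].add(f["src"])
    alerts = {}
    for dst, clients in sources.items():
        if len(clients) >= min_sources and len(clients) > factor * baseline.get(dst, 0):
            alerts[dst] = len(clients)
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SCAN_FLOWS + FLOOD_FLOWS)
    print("445 scanners:", detect_port_scanners(flows))
    print("SSL floods:", detect_ssl_floods(flows, BASELINE))
```

The flood detector counts distinct client addresses rather than request rate on purpose: Shadowserver describes millions of hits spread across several hundred thousand IPs, so any per-source threshold stays quiet while the aggregate fan-in is the signal. The scanner threshold of five hosts on 445 will also catch legitimate management and backup hosts; those belong in a site-specific allowlist, not in a lower threshold.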


#3 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 11 February 2010 - 07:05 AM

FYI...

Russian botnet tries to kill rival
- http://www.computerw...s_to_kill_rival?
February 9, 2010 - "An upstart Trojan horse program has decided to take on its much-larger rival by stealing data and then removing the malicious program from infected computers. Security researchers say that the relatively unknown [Spy Eye toolkit] added this functionality just a few days ago in a bid to displace its larger rival, known as Zeus. The feature, called "Kill Zeus," apparently removes the Zeus software from the victim's PC, giving Spy Eye exclusive access to usernames and passwords. Zeus and Spy Eye are both Trojan-making toolkits, designed to give criminals an easy way to set up their own "botnet" networks of password-stealing programs. These programs emerged as a major problem in 2009, with the U.S. Federal Bureau of Investigation estimating last October that they have caused $100 million in losses. Trojans such as Zeus and Spy Eye steal online banking credentials..."

- http://www.theregist...e_bots_vs_zeus/
9 February 2010

:ph34r:



#4 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 17 February 2010 - 03:31 PM

FYI...

E-mail malware prolific
- http://www.theregist..._botnet_trends/
17 February 2010 - "... the Lethic botnet*** has returned from the grave since it was decapitated by the combined efforts of security firms and ISPs in early January... Symantec warned** on Wednesday about a new targeted email attack designed to seed agents of the Cutwail botnet on corporate systems. Botnet clients offer a handy tool for information stealing and launching denial of service attacks, as well as distributing spam. A recent study by net security firm Damballa ranks the ten worst botnets by number of infections within enterprise networks. This survey* rates the infamous ZeuS spyware agent as the greatest menace to corporate security, with the Koobface worm, which spreads via messages on social networks, a close second."
* http://blog.damballa.com/?p=569
February 16, 2010

** http://www.symantec....redolab-malware
February 17, 2010

*** http://www.m86securi...trace.1241~.asp
February 16, 2010

- http://urgentcomm.co...threats-201002/
Feb 1, 2010 - "... the black market for corporate information is now worth more than the international drug trade, and these thieves' practices have become a sophisticated operation that often involves hiring affiliates willing to install malicious software on thousands of devices for as much as $100 per device..."

:ph34r:

Edited by AplusWebMaster, 18 February 2010 - 02:52 AM.



#5 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 18 February 2010 - 03:41 AM

FYI...

ZeuS infects nearly 2,500 companies...
- http://online.wsj.co...3834150536.html
FEBRUARY 17, 2010 - "Hackers in Europe and China successfully broke into computers at nearly 2,500 companies and government agencies over the last 18 months in a coordinated global attack that exposed vast amounts of personal and corporate secrets to theft, according to a computer-security company that discovered the breach... Starting in late 2008, hackers operating a command center in Germany got into corporate networks by enticing employees to click on contaminated Web sites, email attachments or ads purporting to clean up viruses, NetWitness found. In more than 100 cases, the hackers gained access to corporate servers that store large quantities of business data, such as company files, databases and email. They also broke into computers at 10 U.S. government agencies... The computers were infected with spyware called ZeuS, which is available free on the Internet in its basic form... Evidence suggests an Eastern European criminal group is behind the operation, likely using some computers in China because it's easier to operate there without being caught... There are some electronic fingerprints suggesting the same group was behind a recent effort to dupe government officials and others into downloading spyware via emails purporting to be from the National Security Agency and the U.S. military..."

- http://www.theregist...ve_hack_attack/
18th February 2010 - "... The infections by a variant of the Zeus botnet began in late 2008 and have turned more than 74,000 PCs into remote spying platforms that have siphoned highly proprietary information out of at least 10 federal agencies and thousands of companies... The researchers were also surprised to find the infected machines working hand-in-hand with malware that's generally considered to rival Zeus. More than half of the compromised PCs were also infected by Waledac..."

:wall: :ph34r: <_< :ph34r:



#6 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 25 February 2010 - 08:44 AM

FYI...

Waledac decapitated...
- http://www.theregist...ledac_takedown/
25 February 2010 - "Microsoft has won a court-issued take-down order against scores of domains associated with controlling the spam-spewing Waledac botnet. The software giant's order allows the temporary cut-off of traffic to -277- Internet domains that form command and control nodes for the network of compromised machines. Infected (zombie) machines are programmed to regularly poll these control points for instructions and spam templates. The .com domains, registered in China, will be sin-binned by VeriSign, at least temporarily decapitating the network..."

Waledac Tracker Summary Data
- http://www.sudosecur...ledac/index.php

- http://microsoftonth...on-botnets.aspx
24 February 2010

- http://www.shadowser...lendar/20100324
24 March 2010 - "... while Waledac was not the *worst* or "spammiest" botnet out there, this effort was not in vain. Success is not measured in the percentage of spam reduced over a weeks time. Success in this arena is in the advancement of the 'arsenal' and in breaking new ground in the analysis and disruption of 'notorious' botnets, no matter how they're defined :) "

:woot: :thumbup:

Edited by AplusWebMaster, 24 March 2010 - 08:29 PM.



#7 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 03 March 2010 - 07:24 PM

FYI...

Mariposa botnet takedown
- http://www.theregist..._bust_analysis/
3 March 2010 - "... Defence Intelligence teamed up with academics at Georgia Tech Information Security Center and security experts at PandaLabs and law enforcement to form the Mariposa Working Group in order to eradicate the botnet and bring the perpetrators to justice. The Mariposa Working Group infiltrated the command-and-control structure of Mariposa to monitor the communication channels that relayed information from compromised systems back to the hackers who run the botnet. Analysis of the command system laid the groundwork for the December 2009 shutdown of the botnet, as well as shedding light on how the malware operated and provided a snapshot of the current state of the underground economy. Mariposa (Spanish for butterfly) botnet malware spread via P2P networks, infected USB drives, and via MSN links that directed surfers to infected websites. Once infected by the Mariposa bot client, exposed machines would have various strains of malware installed (advanced keyloggers, banking trojans like Zeus, remote access trojans, etc) by the hackers to obtain greater control of compromised systems. The botmasters made money by selling parts of the botnet to other cybercrooks, installing pay-per-install toolbars, selling stolen credentials for online services and laundering stolen bank login credentials and credit card details via an international network of money mules. Search engine manipulation and serving pop-up ads was also part of the illegal business model behind the botnet... when the December shutdown operation happened, the gang’s leader, alias Netkairo, panicked in his efforts to regain control of the botnet. Netkairo made the fatal error of connecting directly from his home computer instead of using the VPN, leaving a trail of digital fingerprints that led to a series of arrests two months later. A blog post by Panda Software* explains what happened next..."
* http://pandalabs.pan...ariposa-botnet/
03/3/10 - "In May 2009, Defence Intelligence announced the discovery of a new botnet, dubbed “Mariposa”. This discovery was followed by months of investigation, aimed at bringing down the criminal network behind what was to become one of the largest botnets on record... Netkairo finally regained control of Mariposa and launched a denial of service attack against Defence Intelligence using all the bots in his control. This attack seriously impacted an ISP, leaving numerous clients without an Internet connection for several hours, including several Canadian universities and government institutions. Once again, the Mariposa Working Group managed to prevent the DDP Team from accessing Mariposa. We changed the DNS records, so the bots could not connect to the C&C servers and receive instructions, and at that moment we saw exactly how many bots were reporting. We were shocked to find that more than 12 million IP addresses were connecting and sending information to the C&C servers, making Mariposa one of the largest botnets in history. On February 3, 2010, the Spanish Civil Guard arrested Netkairo. After the arrest of this 31-year-old Spaniard, police seized computer material that led to the capture of another two Spanish members of the gang: J.P.R., 30, a.k.a. “jonyloleante”, and J.B.R., 25, a.k.a. “ostiator”. Both of them were arrested on February 24, 2010. Victims of Mariposa include home users, companies, government agencies and universities in more than 190 countries..."

- http://blogs.technet...osa-botnet.aspx
March 04, 2010

- http://blog.trendmic...ators-captured/
March 04, 2010

Mariposa stats
- http://pandalabs.pan...mariposa-stats/
03/10/10

;) :ph34r:

Edited by AplusWebMaster, 16 March 2010 - 11:23 AM.



#8 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 06 March 2010 - 11:25 AM

FYI...

Wiseguys botnet...
- http://www.avertlabs...-sports-tickets
March 5, 2010 - "... This week, a federal judge in Newark, New Jersey, revealed the latest use of a botnet-like network with a CAPTCHA breaker. In this case, the computers overseen by the defendants were used to buy seats for high-profile concerts and sports events from ticket sellers’ websites. The defendants later allegedly resold the tickets on the Internet at much higher prices. According to the indictment*, the distributed software was developed by some programmer accomplices in Bulgaria... Unlike botnets we frequently encounter, this one was set up on dedicated computers designed solely for this purpose. The botnet purchased more than 1.5 million premium tickets to events from late 2002 to about January 2009, making a profit estimated at $28.9 million. The employees, contractors, and defendants behind this rip-off are known as the “Wiseguys,” based on the name of the Nevada corporation they created (Wiseguy Tickets, Inc.). The Wiseguys botnet was a nationwide network of computers used to purchase thousands of tickets within minutes. The botnet:
• Monitored the online ticket vendors’ websites for the exact moment that tickets to popular events went on sale
• Opened thousands of connections at the instant that tickets went on sale
• Defeated the CAPTCHA challenge in a fraction of a second (a human needs five to ten seconds), thus speeding ahead of legitimate buyers
• Supervised by Wiseguys employees, prepared lists of hundreds of the best tickets almost instantly
• Filled in all the fields necessary to complete the purchases, including customer credit card information and false e-mail addresses..."
* http://media.nj.com/.....20- Filed.pdf

:ph34r: <_<



#9 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 11 March 2010 - 06:13 AM

FYI...

Zeus botnet C&C - partial takedown
- http://www.theregist..._zeus_takedown/
10 March 2010 - "At least a quarter of the command and control servers linked to Zeus-related botnets have suddenly gone quiet, continuing a recent trend of takedowns hitting some of the world's most nefarious cyber operations. The massive drop is the result of actions taken by two Eastern European network providers. On Tuesday, they pulled the plug on their downstream customers, including an ISP known as Troyak, according to Mary Landesman, a senior researcher with ScanSafe, a web security firm recently acquired by Cisco Systems. That in turn severed the connections of servers used to control large numbers of computers infected by a do-it-yourself crime kit known as Zeus. Landesman said she was able to confirm figures provided by Zeus Tracker that found the number of active control servers related to Zeus had dropped from 249 to 181. The takedown came on Tuesday around 10:22 am GMT and was heralded by a sudden drop off in the number of malware attacks ScanSafe blocks from affected IP addresses. The takedown is the result of two network service providers, Ukraine-based Ihome and Russia-based Oversun Mercury, severing their ties with Troyak, said Landesman, who cited data returned by Robotex.com. The move meant that all the ISP's customers, law-abiding or otherwise, were immediately unable to connect to the outside world..."

- http://www.krebsonse...nocked-offline/
March 10, 2010 - "... Update, 4:36 p.m. ET: Sadly, it appears that Troyak — the Internet provider that played host to all these ZeuS-infested networks that got knocked offline yesterday — has since found another upstream provider to once again connect it to the rest of the Internet..."

- http://www.abuse.ch/?p=2417
March 11, 2010 - "... now being routed by RTCOMM-AS (AS8342 RTComm.RU), located in Russia..."
*** UPDATE 2010-03-11 21:30 (UTC) - "Bad news: Since Troyak started their peering with RTCOM-AS, the number of active ZeuS C&C servers has increased from 149 -up- to 191..."
*** UPDATE 2010-03-12 11:10 (UTC) ***
Another update: Troyak has changed their upstream provider again and is now being routed by NLINE-AS (AS25189 – JSC Nline)...
- http://www.google.co...c?site=AS:25189

AS:25189
- http://stopbadware.o...ports/asn/25189
AS:8342
- http://stopbadware.o...eports/asn/8342

- http://www.google.co...ic?site=AS:8342
"... 1229 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... last time suspicious content was found was on 2010-03-12... 52 site(s) on this network... appeared to function as intermediaries for the infection of 199 other site(s)... 78 site(s)... that infected 1594 other site(s)..."

- http://www.cio.com/a...oyak_Resurfaces

:ph34r:

Edited by AplusWebMaster, 12 March 2010 - 07:33 AM.

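Added example, not from this thread and not ZeuS Tracker's or abuse.ch's own code: the numbers quoted above (active C&C servers dropping when Troyak lost its upstreams, then rising again once it was routed by a new transit AS) come from matching a list of known C&C addresses against routing snapshots. The Python below does that with longest-prefix matching from the standard library's ipaddress module. The prefixes, the C&C addresses and the ASNs 64496-64502 (documentation range) are constructed for the example; 8342 appears only as a label because the post names AS8342 as the provider that picked Troyak up.

```python
import ipaddress
from collections import Counter

# Constructed routing snapshots (not real BGP data): prefix -> origin AS and the transit AS
# carrying it. Three moments are modelled: customer reachable, customer cut off, customer
# back behind a different upstream.
ROUTES_T0 = {  # before: hypothetical Troyak-hosted blocks reachable via upstream AS64501
    "203.0.113.0/24":   {"origin": 64496, "transit": 64501},
    "203.0.113.128/25": {"origin": 64497, "transit": 64501},   # more-specific, other origin
    "198.51.100.0/24":  {"origin": 64498, "transit": 64502},   # unrelated hoster
}
ROUTES_T1 = {  # the upstreams drop the customer: its prefixes vanish from the table
    "198.51.100.0/24":  {"origin": 64498, "transit": 64502},
}
ROUTES_T2 = {  # the same blocks return behind a new transit provider
    "203.0.113.0/24":   {"origin": 64496, "transit": 8342},
    "203.0.113.128/25": {"origin": 64497, "transit": 8342},
    "198.51.100.0/24":  {"origin": 64498, "transit": 64502},
}

# Constructed list of C&C addresses a tracker is watching.
CC_IPS = ["203.0.113.10", "203.0.113.77", "203.0.113.200", "198.51.100.5"]


def build_table(routes):
    """Parse prefixes once and order them most-specific first for longest-prefix match."""
    return sorted(
        ((ipaddress.ip_network(p), info) for p, info in routes.items()),
        key=lambda entry: entry[0].prefixlen,
        reverse=True,
    )


def lookup(ip, table):
    """Route info for the most specific prefix covering ip, or None if nothing covers it."""
    addr = ipaddress.ip_address(ip)
    for net, info in table:
        if addr in net:
            return info
    return None


def cc_reachability(cc_ips, routes):
    """Count C&C hosts per transit AS and list those with no covering route at all."""
    table = build_table(routes)
    per_transit = Counter()
    unrouted = []
    for ip in cc_ips:
        info = lookup(ip, table)
        if info is None:
            unrouted.append(ip)
        else:
            per_transit[info["transit"]] += 1
    return dict(per_transit), unrouted


def transit_changes(cc_ips, before, after):
    """Which C&C hosts changed transit AS (None = unreachable) between two snapshots."""
    tb, ta = build_table(before), build_table(after)
    moved = {}
    for ip in cc_ips:
        b, a = lookup(ip, tb), lookup(ip, ta)
        b_as = b["transit"] if b else None
        a_as = a["transit"] if a else None
        if b_as != a_as:
            moved[ip] = (b_as, a_as)
    return moved


if __name__ == "__main__":
    for label, snap in (("T0", ROUTES_T0), ("T1", ROUTES_T1), ("T2", ROUTES_T2)):
        print(label, cc_reachability(CC_IPS, snap))
    print("moved T1->T2:", transit_changes(CC_IPS, ROUTES_T1, ROUTES_T2))
```

Note that the count of active C&C servers depends on what "active" means: this example only asks whether the address is routed. A tracker that probes each host would also see servers that stay routed but go dark, which is why the Zeus Tracker and ScanSafe figures in the post differ from each other.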


#10 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 22 March 2010 - 01:49 PM

FYI...

Pushdo cracks captchas at MS Hotmail/Live.com/MSN webmail
- http://blog.webroot....audio-captchas/
March 22, 2010 - "A new version of Trojan-Pushu is doing some interesting stuff to bypass captchas used by Microsoft’s Hotmail/Live.com/MSN webmail services in order to spam people with links to malicious Yahoo Groups pages. The three-year-old spy (known by a variety of other aliases, including Cutwail, Pushdo, Diehard, and Rabbit) has always been, primarily, a spam bot. In this case, however, the spy is not sending spam by connecting to open mail relays or more traditional means; It’s spamming through the Hotmail/Live.com Web mail interface... during the course of the spam sessions, the spy apparently pulls down “audio captchas” and successfully sends back the correct response, which permits it to continue spamming... The spam emails themselves are short, written by someone who doesn’t have a strong grasp of English grammar..."

(Screenshots available at the URL above.)

:ph34r: <_<




#11 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 01 April 2010 - 01:18 AM

FYI...

TT-Bot DDoS Bot Analysis
- http://asert.arborne...s-bot-analysis/
April 1, 2010 - "We recently spotted this family in our malware zoo, another HTTP DDoS bot. This one’s identifying mark is the string “User-Agent: TT-Bot 1.0.0” in the client requests. We do not know if this is a kit, this one appears to be in limited use. We have not explored the server-side of it... Static analysis suggests that the code is written in MS VB 6... At this time this botnet is still live and issuing commands. We do not know how big this botnet is."

ZeuS banking trojan botnet
- http://www.securewor...h/threats/zeus/
March 11, 2010 - "... ZeuS is a well-known banking Trojan horse program, also known as crimeware. This trojan steals data from infected computers via web browsers and protected storage. Once infected, the computer sends the stolen data to a bot command and control (C&C) server, where the data is stored... ZeuS has evolved over time and includes a full arsenal of information stealing capabilities... observed other ZeuS databases for sale on various underground black markets. Their size is typically over 10GB, which is a botnet of approximately 23,000 infected computers (bots)... "

BlackEnergy botnet
- http://www.forbes.co...anks_print.html
03.03.10 - "... Secureworks issued a report describing a new cybercriminal group that aims a one-two punch at banks. First it collects banking customers' passwords using a variation of the so-called BlackEnergy software, which has infected thousands of computers worldwide to create a "botnet" of hijacked machines. The machines use the collected passwords to move funds into the hackers' accounts, and then typically delete files from the user's computer to cover their tracks. But what follows that fraud is an unlikely step: a cyberattack known as a "distributed denial-of-service," using a flood of data requests from the infected computers to take down the company's online banking service. "The same botnet that's being used to steal money from banks is launching these denial-of-service attacks on them," says Secureworks* researcher Joe Stewart..."
* http://www.securewor...s/blackenergy2/
March 3, 2010 - "BlackEnergy, a popular DDoS Trojan, gained notoriety in 2008 when it was reported to have been used in the cyber attacks launched against the country of Georgia in the Russia/Georgia conflict. BlackEnergy was authored by a Russian hacker. A comprehensive analysis* of the version of BlackEnergy circulating at the time was done in 2007 by Arbor Networks... There is no distinct antivirus trojan family name that corresponds to the BE2 dropper or rootkit driver. Antivirus engines that detect it either label it with a generic name, or as another trojan - most often it is mis-identified as "Rustock.E", another rootkit trojan from a different malware family. The BlackEnergy rootkit does share some techniques in common with the Rustock rootkit..."
* http://atlas-public....ot Analysis.pdf
"... HTTP-based botnet used primarily for DDoS attacks..."

- http://blogs.forbes....st-malware-now/
March 30, 2010

:ph34r: <_<

Edited by AplusWebMaster, 01 April 2010 - 07:21 PM.



#12 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 23 April 2010 - 06:31 AM

FYI...

Koobface spreads on Facebook and Twitter
- http://www.theregist...bface_takedown/
23 April 2010 - "Security experts in Hong Kong last week succeeded in taking down a key component of the Koobface botnet, only to witness the system popping up in China. The Koobface FTP grabber component uploaded stolen FTP user names and passwords to the remote server, which was under the control of cybercrooks... In response, the Koobface gang moved their server to a hosting firm in China. Last month the command and control servers associated with Koobface underwent a complete refresh... Koobface spreads via messages on social networking sites like Facebook and Twitter. Cybercrooks behind the sophisticated malware make their money by distributing scareware packages onto compromised machines, and by other cyberscams, including information harvesting. The worm gets less press than the malware associated with the Google China attacks or the high-profile Conficker worm, though experts consider it both more sophisticated and a bigger security threat..."
* http://blog.trendmic...sting-to-china/

:ph34r: <_<



#13 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 26 April 2010 - 11:11 PM

FYI...

New ZeuS variants
- http://blog.trendmic...-zeus-variants/
Apr. 26, 2010 - "... Given the vast number of toolkit versions readily available in the underground, the features ZeuS possesses continue to thwart both antivirus and other security solutions as well as the efforts made by the security industry. This time, the malware upholds its notorious reputation with a new version related to previous detections TSPY_ZBOT.CRM and TSPY_ZBOT.CQJ. ZBOT variants steal account credentials when users visit various social networking, online shopping, and bank-related websites. They have rapidly become popular tools for cybercriminals to use, thanks to exceptional information-stealing routines and rootkit capabilities, which allows them to stay stealthy and to affect users’ systems without their knowledge. Current ZBOT variants use fixed file names (both for their executable and component files). The file names may vary from one ZBOT version to another, but they are recognized by security analysts. This is not the case for the new ZBOT variants seen above. Instead of using prespecified names, both TSPY_ZBOT.CRM and TSPY_ZBOT.CQJ use random names for the files and directories they create. In addition, ZBOT now injects its code into the Explorer process, something that previous variants did not do. Both of these attempts by cybercriminals to lessen the profile of ZBOT are in response to the malware family’s notoriety, which means that ZBOT malware are now becoming somewhat easier to detect. The under-the-hood changes to the ZBOT variants are, if anything, more significant. These new ZBOT variants inject themselves into the following processes:
* ctfmon.exe
* explorer.exe
* rdpclip.exe
* taskeng.exe <<
* taskhost.exe <<
* wscntfy.exe
From this list, we can see that the new ZBOT version now “features” support for both Windows Vista and Windows 7. Taskeng.exe and Taskhost.exe are processes both found in Windows Vista and Windows 7 though neither were found in older versions such as Windows XP..."

:ph34r: <_<

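Added example, not from Trend Micro's post: the process list above is directly usable as a behavioural detection, which matters because the same write-up says these variants switched to random file and directory names, so a filename-based indicator is worthless against them. Assuming endpoint telemetry that records remote-thread creation with source and target image paths (the sample lines below are constructed in a flattened key=value form modelled on Sysmon Event ID 8; the user name, directory and file names are made up, and the allowlist is a tuning assumption), the Python flags any non-allowlisted process creating a thread in one of the six listed targets and ranks sources by how many distinct targets they hit.

```python
import ntpath

# Process names the Trend Micro write-up lists as injection targets of the new ZBOT variants.
ZBOT_INJECTION_TARGETS = {
    "ctfmon.exe", "explorer.exe", "rdpclip.exe", "taskeng.exe", "taskhost.exe", "wscntfy.exe",
}

# Assumption for tuning: processes that legitimately create threads in other processes on a
# stock Windows host. Extend this from your own baseline, not from this example.
KNOWN_REMOTE_THREAD_SOURCES = {"csrss.exe"}

# Constructed sample events (not real telemetry) in a flattened form modelled on Sysmon
# Event ID 8 (CreateRemoteThread). Paths contain no spaces so lines split on whitespace.
SAMPLE_EVENTS = r"""
EventID=8 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\explorer.exe
EventID=8 SourceImage=C:\Users\alice\AppData\Roaming\qzqtx\hsbdo.exe TargetImage=C:\Windows\explorer.exe
EventID=8 SourceImage=C:\Users\alice\AppData\Roaming\qzqtx\hsbdo.exe TargetImage=C:\Windows\System32\taskhost.exe
EventID=8 SourceImage=C:\Tools\dbg.exe TargetImage=C:\Users\alice\app.exe
EventID=1 Image=C:\Windows\System32\taskeng.exe
"""


def parse_event(line):
    """Turn 'k=v k=v ...' into a dict; returns None for a blank line."""
    line = line.strip()
    if not line:
        return None
    return dict(tok.split("=", 1) for tok in line.split())


def detect_injection(text):
    """(source_path, target_path) pairs for remote-thread creation into a ZBOT target process
    by a source that is not on the allowlist. Event IDs other than 8 are ignored."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("EventID") != "8":
            continue
        src, dst = ev.get("SourceImage", ""), ev.get("TargetImage", "")
        src_name = ntpath.basename(src).lower()
        dst_name = ntpath.basename(dst).lower()
        if dst_name in ZBOT_INJECTION_TARGETS and src_name not in KNOWN_REMOTE_THREAD_SOURCES:
            hits.append((src, dst))
    return hits


def rank_sources(hits):
    """Distinct listed targets per source. One injection can be a benign tool; a single
    binary fanning out across several of the listed processes is the ZBOT pattern."""
    targets = {}
    for src, dst in hits:
        targets.setdefault(src, set()).add(ntpath.basename(dst).lower())
    return {src: len(t) for src, t in targets.items()}


if __name__ == "__main__":
    found = detect_injection(SAMPLE_EVENTS)
    for src, dst in found:
        print(f"remote thread: {src} -> {dst}")
    print("fan-out per source:", rank_sources(found))
```

ntpath is used rather than os.path so the Windows paths parse correctly even when the analysis runs on a Linux SIEM host. A source binary living under a user's AppData directory with a random-looking name, as in the constructed sample, is exactly what the post describes, but the detection does not depend on that: it fires on the injection behaviour alone.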


#14 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 27 April 2010 - 09:02 PM

FYI...

ZeuS/ZBOT tries out file infection
- http://blog.trendmic...file-infection/
Apr. 27, 2010 - "ZeuS/ZBOT is best known for its information-stealing routines via the use of configuration files downloaded from their home sites... Cybercriminals have thus tried utilizing drive-by downloads, spammed messages, worm propagation, and many more ways. This time, they are trying out file infection. The malware detected by Trend Micro as PE_ZBOT.A injects code into target files and modifies its entry point to redirect to its code. This allows the malware to run its code whenever the infected file is executed. It then attempts to connect to the remote sites from which it downloads and executes malicious files that allow it to steal information from an affected system. The downloaded files are detected as TROJ_KRAP.SMDA and TSPY_ZBOT.SMAP. Once it completes its routine, it returns control of the affected system to its host file. This only shows that cybercriminals are continuously finding new ways to make sure they do not go out of business. The best way to protect one’s system is to be aware of the many techniques cybercriminals use and to keep security solutions and other pertinent applications patched and up-to-date."

:ph34r: <_<

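Added example, not from Trend Micro and not PE_ZBOT.A's own logic: the post says the infector injects code into the host file and redirects its entry point into that code, which is the classic appended-infector layout. The Python below parses the PE headers far enough to find the section the entry point lands in and reports the layouts that pattern produces. It builds two constructed PE headers (no real code, no real sample) for the clean and the infected case; section names, addresses and flag combinations are made up for the illustration.

```python
import struct

IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000


def build_pe(entry_rva, sections):
    """Minimal PE32 header for testing: DOS stub, PE signature, COFF header, 224-byte
    optional header and a section table. sections = [(name, va, size, flags), ...]."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    size, va, size, 0, 0, 0, 0, 0, flags)
        for name, va, size, flags in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """(AddressOfEntryPoint, [section dicts]) from a PE image; raises on bad signatures."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, va, _, _, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "size": vsize, "flags": flags})
    return entry, sections


def entry_point_findings(data):
    """Triage heuristics for an entry point redirected into appended code. Returns short
    finding codes; an empty list means the layout looks ordinary."""
    entry, sections = parse_pe(data)
    home = next((i for i, s in enumerate(sections)
                 if s["va"] <= entry < s["va"] + s["size"]), None)
    if home is None:
        return ["outside_sections"]
    s = sections[home]
    findings = []
    if not s["flags"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("non_executable")
    if s["flags"] & IMAGE_SCN_MEM_WRITE:
        findings.append("writable")
    code = [i for i, t in enumerate(sections) if t["flags"] & IMAGE_SCN_CNT_CODE]
    if code and home != code[0]:
        findings.append("not_first_code_section")
    if len(sections) > 1 and home == len(sections) - 1:
        findings.append("last_section")
    return findings


# Constructed layouts: a clean binary, and one with an appended writable+executable
# section that the entry point now jumps into.
TEXT = (".text", 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
DATA = (".data", 0x2000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
INFX = (".infx", 0x3000, 0x0200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
        | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)

CLEAN_PE = build_pe(0x1100, [TEXT, DATA])
INFECTED_PE = build_pe(0x3010, [TEXT, DATA, INFX])

if __name__ == "__main__":
    print("clean:", entry_point_findings(CLEAN_PE))
    print("infected:", entry_point_findings(INFECTED_PE))
```

Treat the output as triage, not a verdict: packers such as UPX also leave the entry point in a late section, and an infector that overwrites the first bytes of .text instead of appending a section trips none of these checks. The post's detail that the infector hands control back to the host file afterwards is what keeps the program working and the user unaware; a hash comparison against a known-good copy remains the only reliable way to confirm the file itself was modified.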


#15 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 28 April 2010 - 06:10 AM

FYI...

Storm botnet 2.0...
- http://www.theregist...botnet_returns/
27 April 2010 - "After blowing itself out 18 months ago, the notorious Storm botnet is back, researchers from CA said Tuesday. Storm - once responsible for churning out 20 percent of the world's spam - started to peter out in September 2007, when Microsoft targeted it through the Malicious Software Removal Tool. Some 274,372 demonized PCs were exorcised during the first month alone... CA has identified three variants of Storm that at time of writing were detected by 26, 25 and 24 of the top 41 anti-virus products. CA's writeup is here*."
- http://www.virustota...220a-1272369992
File asam.exe received on 2010.04.27 12:06:32 (UTC)
Result: 26/40 (65.00%)
- http://www.virustota...2a44-1271938070
File asam.exe.000 received on 2010.04.22 12:07:50 (UTC)
Result: 25/40 (62.50%)
- http://www.virustota...737d-1272328532
File asam.exe received on 2010.04.27 00:35:32 (UTC)
Result: 24/40 (60.00%)

* http://community.ca....storm-worm.aspx
April 26 2010 - "... beware of these kind of spam emails... spam-generating campaign distributes the following:
* Bogus Online Pharmacy Spam Emails
* Impotency related Spam Emails
* Adult Dating Spam Emails
* Celebrity Scandals Spam Emails
..."

- http://krebsonsecuri...ges-a-comeback/
April 28, 2010

- http://sunbeltblog.b...-ba-a-a-ck.html
April 28, 2010 - "... the new botware uses the same configuration file (C:\WINDOWS\herjek.config) as Storm... new version, however uses an HTTP-based command-and-control channel instead of peer-to-peer..."

:ph34r: <_<

Edited by AplusWebMaster, 28 April 2010 - 05:04 PM.

