51 replies to this topic

[AplusWebMaster]

FYI...

Botnets battle for digital real estate
- http://www.fortinet....ses/100503.html
May 3, 2010 - "... April 2010 Threatscape report* showed high activity from multiple botnets, namely Gumblar and Sasfis. While Gumblar remained in the No. 1 position in Fortinet's Top 10 Network Attacks list, the Sasfis botnet ranking was bolstered by two of its executables prevalent in Fortinet's Antivirus Top 10 listing. Like Bredolab, Sasfis is a botnet loader that reports statistics and retrieves/executes files upon check-in. However, Sasfis differs since it is newer and does not employ encryption (all communications are sent through HTTP unencrypted). Nonetheless, Sasfis continues to spread aggressively and typically loads banking trojans among other malicious files... Additional key threat activities for the month of April include:
• Microsoft vulnerabilities...
• Adobe Acrobat vulnerabilities...
• Ransomware and Scareware still top virus detection...
• Cutwail spambot leveraged for money mule recruitment..."

* http://www.fortiguar...april_2010.html

[AplusWebMaster]

FYI...

SPAM botnet activity - last week
- http://www.m86securi...trace.1316~.asp
May 5, 2010 - "... Other than Mega-D and Maazben which exclusively spam out links to Canadian Pharmacy and Casino websites respectively, the top spam botnets promote a range of brands. This could either be because the botnet controllers belong to multiple affiliate programs or because they rent out spamming capacity to different people who are affiliates trying to promote their chosen brand... top six affiliate brands, promoted in 90 percent of spam in the last week, was sent by the top spam botnets. Some of the botnets involved in sending this stuff have a huge amount of spamming capacity, like Rustock which is currently sending around 40 percent of the spam we see. As such, botnet operators have the ability to greatly influence the market shares of affiliate programs simply by changing their spam templates..."

(Charted/available at the URL above.)

[AplusWebMaster]

FYI...

Zbot/ZeuS - cybercriminals on the offensive
- http://www.securelis...tation_begins#2
29 Apr 2010 Kaspersky Lab - "... More and more frequently these days, we hear about successful attacks perpetrated by the cybercriminals against the clients of financial organizations... One recent classic example comes from the Zbot-toolkit family, which is also known as ZeuS... widespread geographic diversity ensures the longevity of the botnet. As recent practice has shown, the botnet cannot be destroyed by merely closing down a few of the hosting sites. On 9 March... ZeuS Tracker noticed an abrupt decrease in the number of control centers and saw that it correlated with the disconnection of an Internet Service Provider by the name of Troyak... Troyak found a new teleservices provider and by 13 March the number of control centers had increased to more than 700 again... These botnets act as greenhouses for the propagation of financial malware. It is with this kind of malware that the cybercriminals steal users’ money most readily, and they are constantly finding new victims. The numbers clearly show an increase in the quantity of malicious programs targeting the clients of banks and other financial organizations over the past few years... Without state support very little will ever be accomplished in the fight against cybercrime. The problem will remain unresolved until such times that effective and efficient mechanisms exist for the necessary communication and interaction to take place between the relevant authorities."

(More detail and graphs available at the URL above.)

[AplusWebMaster]

FYI...

Avalanche botnet - TROYAK-AS connection...
- http://ddanchev.blog...-troyak-as.html
May 13, 2010 - "According to the latest APWG Global Phishing Survey*:
'... by mid-2009, phishing was dominated by one player as never before the Avalanche phishing operation. This criminal entity is one of the most sophisticated and damaging on the Internet, and perfected a mass-production system for deploying phishing sites and "crimeware" - malware designed specifically to automate identity theft and facilitate unauthorized transactions from consumer bank accounts. Avalanche was responsible for two-thirds (66%) of all phishing attacks launched in the second half of 2009...'
The Avalanche botnet's ecosystem is described by PhishLabs** as:
'Cutwail aka PushDo is a spamming trojan being used to send out massive amounts of spam with links (or lures) to phishing pages or pages that ask the users to download and run programs. Those programs invariably turn out to be instances of the Zeus/ZBot/WNSPOEM banking Trojan. There are also unrelated criminals that also use Zeus Trojans to steal online banking information that are not related to this set of scams. The Avalanche botnet is the middle-step between the spamming botnet and Trojans that steal banking information...'
One of the most notable facts about the botnet, is their persistent interaction with the TROYAK-AS cybercrime-friendly ISP, where they used to host a huge percentage of their ZeuS C&Cs, next to the actual client-side exploit serving iFrame domains/IPs, found on each and every of their phishing pages..."
* http://www.antiphish...rvey_2H2009.pdf
** http://www.phishlabs.com/blog/ - http://www.phishlabs...og/archives/176

(More detail and info available at the //ddanchev URL above.)

- http://www.theregist...ishing_attacks/
13 May 2010

- http://sunbeltblog.b...-thirds-of.html
May 14, 2010

Edited by AplusWebMaster, 14 May 2010 - 10:43 AM.

[AplusWebMaster]

FYI...

Asprox Spambot resurrects
- http://www.m86securi...trace.1345~.asp
June 5, 2010 - "... on the first day of June, the spamming resumed - this time focused on pharmaceutical campaigns. With the help of Pushdo and Bredolab downloader, it seems Asprox has risen from the dead to build another spamming bot network... analysis also highlights the intricate relationships between individual malware components, and hint at a common gang behind it all."

(Screenshots and more detail available at the URL above.)

[AplusWebMaster]

FYI...

SSH brute force attempts on the rise again...
- http://isc.sans.edu/...ml?storyid=9031
Last Updated: 2010-06-18 12:32:51 UTC - "SSH brute force attempts seem to be on the rise again, at the SANS Internet Storm Center we have received a number of reports that a number of networks are seeing them. The source IP addresses vary with each new attempted username in the wordlist, which would indicate that the attempts are distributed through botnet(s). It only takes a single user with a weak password for a breach to occur, then with that foothold escalation and further attacks are likely next...
Reader xemaps wrote in with this log snippet:
"Whole day my server has been targeted by a botnet, attacker also changed ip each new dictionary user."
Jun 17 23:02:03 pro sshd[17444]: Invalid user mailer from 217.37.x.x
Jun 17 23:03:24 pro sshd[17460]: Invalid user mailer from 87.66.x.x
Jun 17 23:05:27 pro sshd[17617]: Invalid user mailman from 89.97.x.x
Jun 17 23:09:30 pro sshd[17639]: Invalid user mailtest from 62.2.x.x
Jun 17 23:15:44 pro sshd[17894]: Invalid user maker from 83.236.x.x
Jun 17 23:16:47 pro sshd[17925]: Invalid user mama from 84.73.x.x
Reader Ingvar wrote in with a similar pattern:
"On my home system I have seen these login attempts that start with user "aaa" and goes on alphabetically from over 1000 different hosts around the world (judging from the DenyHosts reports). Normally I only see single-digit attempts per day."
Jun 17 02:14:56 MyHost sshd[808]: error: PAM: authentication error for illegal user aaa from 151.100.x.x
Jun 17 02:23:11 MyHost sshd[870]: error: PAM: authentication error for illegal user aabakken from 150.254.x.x
Jun 17 02:24:57 MyHost sshd[875]: error: PAM: authentication error for illegal user aapo from 173.33.x.x
Jun 17 02:35:23 MyHost sshd[885]: error: PAM: authentication error for illegal user abakus from 121.160.x.x
Jun 17 02:37:32 MyHost sshd[895]: error: PAM: authentication error for illegal user abas from 190.200.x.x
Jun 17 02:38:18 MyHost sshd[900]: error: PAM: authentication error for illegal user abc from 193.251.x.x

Last year ISC Handler Rick wrote up a diary* for Cyber Security Awareness Month - Day 17 - Port 22/SSH about SSH brute force attempts and some safeguards that can be implemented. Here is a brief summary:
• Deploy the SSH server on a port other than 22/TCP
• Deploy one of the SSH brute force prevention tools
• Disallow remote root logins
• Set PasswordAuthentication to "no" and use keys
• If you must use passwords, ensure that they are all complex
• Use AllowGroups to limit access to a specific group of users
• Use as a chroot jail for SSH if possible
• Limit the IP ranges that can connect to SSH ..."

* http://isc.sans.edu/...ml?storyid=7369

- http://isc.sans.edu/port.html?port=22

MORE INFO...
- http://isc.sans.edu/...ml?storyid=9034
Last Updated: 2010-06-18 17:05:49 UTC

Edited by AplusWebMaster, 18 June 2010 - 12:54 PM.

[AplusWebMaster]

FYI...

(More) Asprox SQL injection attacks
- http://www.m86securi...trace.1366~.asp
June 23, 2010 - "... we noticed reports of mass infections of IIS/ASP websites. The nature of these attacks reminded us of SQL injection attacks back in 2008 where Asprox was clearly involved. We suspected that the re-emergence of Asprox and these new mass website infections were not merely a coincidence. Well, this week our suspicions were confirmed when we came across another version of Asprox which started to launch both spam and SQL injection attacks. As of this writing, there are three fast-flux domains that the bot attempts to contact.
CL63AMGSTART .RU
HYPERVMSYS .RU
ML63AMGSTART .RU
These domains resolve to Asprox's control servers, which respond with spam templates, target email addresses, Asprox malware updates, as well as SQL injection attack information and lists of target ASP websites. When analyzing the new Asprox binary that we pulled from the command and control server, we noticed some interesting clues that show that Asprox is behind the latest SQL injection attacks... The Asprox bot downloads an encrypted XML file that contains a list of target ASP websites and some other information such as a Google search term to search more potential targets... So Asprox is back with a vengeance, and doing its typically Asprox-like things, namely spamming and SQL injection..."

[AplusWebMaster]

FYI...

Botnet has offspring...
- http://www.theregist...net_resurgence/
29 June 2010 - "The Kraken botnet, believed by many to be the single biggest zombie network until it was dismantled last year, is staging a comeback that has claimed almost 320,000 PCs, a security researcher said. Since April, this son-of-Kraken botnet has infected an estimated 318,058 machines - about half as big as the original Kraken was at its height in the middle of 2008, according to Paul Royal, a research scientist at the Georgia Tech Information Security Center. Like its predecessor, the new botnet is a prodigious generator of spam, with a single machine with average bandwidth able to send more than 600,000 junk mails per hour... To evade detection, they use as many as 1,200 unique malware variants. One widely used strain was flagged by just 50 per cent of AV last week, according to this VirusTotal analysis*... The latest Kraken uses domain names offered by dynamic DNS services to corral its bots into command and control channels. Because the addresses are extensions of legitimate domain names, it prevents them from being shut down by registrars..."
* http://www.virustota...337c-1277172595
File 07d2421a836b3e943d75917a69bd98ae received on 2010.06.22 02:09:55 (UTC)
Result: 21/41 (51.22%)

[AplusWebMaster]

FYI...

Zeus trojan regionally-targeted...
- http://www.theregist..._trojan_threat/
1 July 2010 - "Cybercrooks have developed regionally-targeted banking Trojans that are more likely to slip under the radar of anti-virus defences. Detection rates for regional malware vary between zero and 20 per cent, according to a study by transaction security firm Trusteer. This company markets browser security add-ons to banks, which offer them to consumers as a way of reducing the risk of malware on PCs resulting in banking fraud. Trusteer cites two pieces of regional malware targeted at UK banking consumers. Silon.var2, crops up on one in every 500 computers in the UK compared to one in 20,000 in the US. Another strain of malware, dubbed Agent-DBJP, was found on one in 5,000 computers in the UK compared to one in 60,000 in the US. The Zeus Trojan is the most common agent of financial fraud worldwide. The cybercrime toolkit is highly customisable and widely available through underground carder and cybercrime forums. Trusteer has identified two UK-specific Zeus botnets, designed to infect only UK-based Windows and harvest login credentials of only British banks from these compromised systems..."

More Zeus...
- http://blog.trendmic...-russian-banks/
July 5, 2010 - "... this specific sample targeted several banks around the globe, including Russian banks... This ZeuS/ZBOT sample also targeted banks found in Germany, the United States, the United Kingdom, Poland, the Netherlands, Italy, Spain, France, Belarus, Bulgaria, Australia, Ireland, the United Arab Emirates, Turkey, and New Zealand..."

Edited by AplusWebMaster, 07 July 2010 - 05:36 AM.

[AplusWebMaster]

FYI...

Botnet size and Lies, dayam Lies...
- http://www.shadowser...lendar/20100705
July 05, 2010 - "... If one looks at the targets of online crime, it's hard to draw trends but we can make a few educated guesses. In general, they're targets of opportunity. These days, large companies and financial institutions are actually a reasonably high bar for your average online criminal. Reading reports by Brian Krebs*, the majority of known and reported business victims of online theft are on the smaller side. There's two reasons for this:
1) they tend not to view information security as a high priority, thus making them easier targets and
2) there's more of them and they simply get caught up in widespread mass campaigns.
Don't get caught up in "which is the biggest botnet". Worry about how the botnet is being used. Worry that it's being used to steal money from mom and pop companies who don't stand a chance."

(Charts and more detail available at the Shadowserver URL above.)

* http://krebsonsecuri...mallbizvictims/

[AplusWebMaster]

FYI...

GootKit - site infections
- http://www.m86securi...trace.1368~.asp
June 30, 2010 - "... attackers do not infect hundreds of web pages by hand, they use a script or a botnet to do the work for them. Some examples of this are Asprox and Gumblar, which are known for doing mass web site infections, Asprox via SQL injection and Gumblar by using stolen FTP credentials. One other such bot is known as GootKit. We came across this bot when in was installed on one of our test machines by a malicious downloader, along with a host of other malware. Most of Gootkit’s functions are implemented in scripts that are downloaded as tasks from a control server... We are unsure exactly how the control server obtained all of the FTP credentials, but most often these are stolen via keyloggers and information stealing malware installed on a website administrators PC. Gootkit is another example that highlights the highly automated systems that attackers are using to infect web pages en masse. These systems are underpinned and driven by botnets, which give the scalability and anonymity that the cybercriminals desire."

[AplusWebMaster]

FYI...

Zeus v3 in the wild...
- http://www.theregist...eus_goes_local/
13 July 2010 - "Hackers have created a new version of the Zeus crimeware toolkit that's designed to swipe bank login details of Spanish, German, UK and US banks. The malware payload, described by CA as Zeus version 3, is far more selective in the banks it targets. Previous versions targeted financial institutions around the world while the latest variant comes in two flavours: one that only target banks in Spain and Germany, and a second that only targets financial institutions in the UK and US. In addition the latest version of Zeus contains features that makes it far harder for security researchers to figure out what the malware is doing. Zombie drones on the Zeus botnet operate on a need to know basis, CA explains*... Command and control systems associated with the bot are "mostly hosted in Russia", according to CA..."
* http://community.ca....-usa-banks.aspx

[AplusWebMaster]

FYI...

Rustock botnet - SPAMbot...
- http://www.m86securi...trace.1362~.asp
July 23, 2010 - "... Over the last six months, the proportion of Rustock spam in our spam traps peaked to nearly 60% and it has never returned to levels lower than 20% of total spam... Over time, we have observed regular updates to Rustock. There is no consistent name given to it by anti-virus vendors, but recent Rustock binaries are detected by some anti-virus engines as Bubnix... In our lab, we observed the Virut, Bredolab and Harnig downloader Trojans as key distributors of Rustock. These malware downloaders use a drive-by download website or spam as an infection vector. These downloaders are capable of installing multiple types of malicious programs on the infected host and one of these is a downloader agent that installs the Rustock spambot driver... Rustock is purely a spambot - no other malicious activity was observed during our analysis. The malware is updated frequently, and new features added regularly. The operation behind it focuses almost purely on Canadian Pharmacy spam campaigns. However the volume of spam this botnet operation generates is tremendous. With a staggering spam "market share" percentage, this botnet should not be taken for granted and deserves closer scrutiny."

[AplusWebMaster]

FYI...

Mumba botnet campaign
- http://www.theinquir...ds-mumba-botnet
Aug 02 2010 - "... the Mumba botnet malware has infected 55,000 PCs around the world. Apparently the botnet has been responsible for stealing up to 60GB of personal data. The compromised data includes bank account details and credit card numbers. The US has suffered the lion's share of the hack with 33 per cent of infected systems, Germany comes in second with 17 per cent, Spain has 7 per cent and the UK 6 per cent while Mexico and Canada each have 5 per cent... the hackers specifically targeted the US in the malware attacks, possibly because it's a bigger target. The Mumba botnet was developed by the Avalanche Group to maximise the number of malware attacks and it uses the latest version of Zeus...."

- http://www.theregist...et_infiltrated/
2 August 2010

Edited by AplusWebMaster, 03 August 2010 - 03:16 AM.

[AplusWebMaster]

FYI...

Zeus2 botnet takedown in UK...
- http://www.theregist..._pwns_brit_pcs/
4 August 2010 - "Security researchers have uncovered the command and control network of a Zeus 2 botnet sub-system targeted at UK surfers that controlled an estimated 100,000 computers. Cybercrooks based in eastern Europe used a variant of the Zeus 2 cybercrime toolkit to harvest personal data - including bank log-ins, credit and debit card numbers, bank statements, browser cookies, client side certificates, and log-in information for email accounts and social networks - from compromised Windows systems. Trusteer researchers identified the botnet's drop servers and command and control centre before using reverse engineering to gain access its back-end database and user interface. A log of IP addresses used to access the system, presumably by the cybercrooks that controlled it, was passed by Trusteer onto the Metropolitan Police... The original attack was probably seeded by a combination of infected email attachments and drive-by downloads, according to Amit Klein, Trusteer's chief technology officer. The Windows-based malware used to control zombie clients was a variant of the infamous Zeus cybercrime toolkit, a customisable Trojan keylogger and botnet-control client sold through underground forums that's become the sawn-off shotgun of the cybercrime economy over recent years..."
- http://www.trusteer....n-the-news/2010