
Pandemic of the botnets 2010


51 replies to this topic

#31 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 06 August 2010 - 06:45 AM

FYI...

Conficker -still- 6 million strong...
- http://www.theregist...icker_analysis/
5 August 2010 - "The unknown crooks behind the infamous Conficker worm may be quietly selling off parts of the huge botnet established by the malware, but virus fighters have no way of knowing because the cryptographic defences of its command and control network have proved uncrackable... The Conficker Working Group* constantly monitors the IP addresses of infected machines as they check into sink holes. Many enterprises associated with infections drop off the radar only to return days or weeks later, probably as the result of the application of infected backups that have not been purged of malware. Utilities such as Microsoft's Malicious Software Removal Tool, effective in cleaning up other infections, have proved ineffective against Conficker because software security updates get disabled on compromised machines..."
* http://www.conficker...fectionTracking

Conficker Eye Chart
- http://www.conficker...cfeyechart.html


Edited by AplusWebMaster, 10 August 2010 - 07:26 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#32 AplusWebMaster

Posted 11 August 2010 - 11:44 AM

FYI...

Zeus botnet raid on UK bank accounts...
- http://sunbeltblog.b...et-raid-on.html
August 11, 2010 - "The well-read UK security news site The Register is carrying a story detailing how the operators of the Zeus botnet planted their sophisticated malware on thousands of UK bank customers’ computers, stole log-in information then raided the accounts for more than $1 million with the help of money mules. Bradley Anstis, vice president of technical strategy for M86 Security, which discovered the attack several weeks ago, told The Register that his company is providing information to the bank involved as well as law enforcement officials. He said M86 identified the botnet's command and control server - hosted in Moldova - and downloaded log files from it. “It also found that the exploit pack used to seed the attack had claimed a much larger number of victims - as many as 300,000 machines. The vast majority were Windows boxes, but 4,000 Mac machines were also hit. The logs also revealed that 3,000 online banking accounts had been victimised between 5 July and 4 August alone,” The Register* said..."
* http://www.theregist...rscam_analysis/

- http://www.m86securi...trace.1431~.asp
August 10, 2010 - "... new Zeus v3 Trojan"

- http://www.m86securi...trace.1433~.asp
Last Reviewed: August 13, 2010 - "... to clarify our recent paper does -not- report on any ZeuS infections of computers running the Mac OS."


Edited by AplusWebMaster, 13 August 2010 - 01:24 PM.



#33 AplusWebMaster

Posted 13 August 2010 - 04:28 AM

FYI...

Botnet floods net with SSH attacks
- http://www.theregist...r_based_botnet/
Updated - 12 August 2010 - "A server-based botnet that preys on insecure websites is flooding the net with attacks that attempt to guess the login credentials for secure shells protecting Linux boxes, routers, and other network devices. According to multiple security blogs, the bot compromises websites running outdated versions of phpMyAdmin. By exploiting a vulnerability patched in April*, the bot installs a file called dd_ssh, which trawls the net for devices protected by the SSH protocol... In addition to posing a threat to unpatched websites and SSH-protected devices, the attacks are also creating headaches for large numbers of non-vulnerable sites... this SANS Diary post** reports having success in warding off the attacks with DenyHosts***, an open source script that pools IP blacklists from more than 70,000 users. A better countermeasure still is to configure SSH devices to use a cryptographic key, something that is orders of magnitude harder to brute-force than a simple password..."

* http://www.debian.or...y/2010/dsa-2034

** http://isc.sans.edu/...ml?storyid=9370
Last Updated: 2010-08-12 09:31:57 UTC ...(Version: 5)

*** http://denyhosts.sourceforge.net/
___

- http://www.theregist...attacks_return/
Posted in Spam, 13 August 2010 - "Updated Update: Trend Labs has reclassified the malware as a Bredolab variant instead of Waledac. That means the central premise of our original story - that Waledac is back from the grave - is wrong...
Attacks designed to draft new recruits into the infamous Waledac spambot network are back from the dead, months after the zombie network was effectively decapitated... The Microsoft-led operation was rightly hailed as a big success but did nothing to clean up an estimated 90,000 infected bot clients even though it stemmed the tide of spam from these machines. Left without spam templates or instructions, these machines have remained dormant for months. However, over recent weeks, the botnet is making a comeback of sorts. Spammed messages containing malicious attachments harbouring Waledac agents and disguised as tax invoices or job offers and the like have begun appearing, Trend Micro warns*. The same run of spam messages is also being used to spread fake anti-virus and other scams unrelated to Waledac, and there's no sign that a new command and control structure, much less a fresh round of spamming, has begun..."
* http://blog.trendmic...ous-attachments
UPDATE: Following deeper analysis of this threat by senior threat researchers, TrendLabs has reclassified the malware used in this attack as a BREDOLAB variant (detected as TROJ_BREDOLAB.JA) instead of WALEDAC. An unfortunate combination of human and machine errors led to the mislabeling of this threat as WALEDAC. Apologies for the confusion...
Aug. 12, 2010 - "... In the past few weeks, there has been something of an increase in the number of spammed messages delivering malicious attachments to users..."


Edited by AplusWebMaster, 13 August 2010 - 02:14 PM.

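
The dd_ssh post above describes password guessing against sshd and the DenyHosts-style response of blocking sources that rack up failures. The script below is an added example, not code from the Register article, the SANS diary or DenyHosts: it parses OpenSSH syslog-format "Failed password" lines, counts failures per source IP inside a sliding time window, and emits hosts.deny entries for sources over the threshold. The log lines are constructed for the example; the threshold (5) and window (600 s) are assumed values, not figures from the post. A source that fails slowly (the 192.0.2.9 entries, 25 minutes apart) is deliberately left below the window threshold to show why the window matters.

```python
"""Detect SSH password brute forcing from sshd auth-log lines.

Added example (not from the article, SANS or DenyHosts). Log lines are
constructed to mimic OpenSSH syslog output; threshold/window are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH (syslog format) failure lines look like:
#   "Failed password for invalid user admin from 203.0.113.7 port 41234 ssh2"
#   "Failed password for root from 203.0.113.7 port 41238 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample: one fast guesser, one legitimate typo, one slow guesser.
SAMPLE_LOG = """\
Aug 12 09:31:01 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 41234 ssh2
Aug 12 09:31:03 web1 sshd[2233]: Failed password for invalid user oracle from 203.0.113.7 port 41236 ssh2
Aug 12 09:31:05 web1 sshd[2235]: Failed password for root from 203.0.113.7 port 41238 ssh2
Aug 12 09:31:07 web1 sshd[2237]: Failed password for invalid user test from 203.0.113.7 port 41240 ssh2
Aug 12 09:31:09 web1 sshd[2239]: Failed password for root from 203.0.113.7 port 41242 ssh2
Aug 12 09:40:00 web1 sshd[2301]: Failed password for alice from 198.51.100.4 port 50222 ssh2
Aug 12 09:40:30 web1 sshd[2302]: Accepted publickey for alice from 198.51.100.4 port 50223 ssh2
Aug 12 10:55:00 web1 sshd[2400]: Failed password for bob from 192.0.2.9 port 33000 ssh2
Aug 12 11:20:00 web1 sshd[2401]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Aug 12 11:45:00 web1 sshd[2402]: Failed password for bob from 192.0.2.9 port 33002 ssh2
Aug 12 12:10:00 web1 sshd[2403]: Failed password for bob from 192.0.2.9 port 33003 ssh2
Aug 12 12:35:00 web1 sshd[2404]: Failed password for bob from 192.0.2.9 port 33004 ssh2
""".splitlines()


def parse_failures(lines, year=2010):
    """Yield (timestamp, ip, user) for each failed-password line.
    syslog lines carry no year, so the caller supplies it."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def brute_force_sources(lines, threshold=5, window_seconds=600):
    """Return {ip: (total_failures, distinct_users)} for every source IP that
    produced at least `threshold` failures within some `window_seconds` span."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        by_ip[ip].append((ts, user))

    offenders = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance `start` until events[start..end] fits in the window.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = (len(events), len({u for _, u in events}))
                break
    return offenders


def deny_entries(offenders):
    """Format offenders as /etc/hosts.deny lines (the form DenyHosts writes)."""
    return [f"sshd: {ip}" for ip in sorted(offenders)]


if __name__ == "__main__":
    for entry in deny_entries(brute_force_sources(SAMPLE_LOG)):
        print(entry)
```

Blocking by source is a stop-gap: it does nothing against a botnet that rotates through thousands of compromised web servers, which is the point the article makes when it recommends key-based authentication (and, in practice, disabling password authentication in sshd_config) over any blacklist.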


#34 AplusWebMaster

Posted 23 August 2010 - 04:00 AM

FYI...

Pushdo botnet pushing SPAM w/malware
- http://www.m86securi...trace.1486~.asp
Last Reviewed: August 18, 2010 - "... We are currently seeing increased levels of spam-borne malware. Our figures over the last three months show an increasing trend in the proportion of malicious spam. In the week ending 8 August, this figure spiked to over 6% of spam, or in other words, 6 out of every 100 spam messages... The vast majority of it can be traced back to one spam botnet family – Pushdo (or Cutwail). This botnet is a prolific and multi-faceted spammer, and has historically been very active in malicious spam campaigns. Every day we observe it spamming out emails with malicious attachments, or, less often, with URL links to malicious web pages... The actual malware also changes often. Depending on the anti-virus vendor, many different names are assigned to these downloaders, including Bredolab, Oficla, and Sasfis to name just a few. In a sense, the name is unimportant. The job of the downloader is to reach out to the web to download and install more malware. Most commonly, we see fake AV, spambots and data stealers like Zbot being downloaded and installed in this second stage of infection... The gang behind Pushdo have this system down to a fine art. Our guess is that they are affiliated to one or more pay-per-install schemes, where they get rewarded for each successful install of the different types of malware they spread around."

(Screenshots and more detail available at the URL above.)




#35 AplusWebMaster

Posted 28 August 2010 - 03:58 AM

FYI...

Pushdo Botnet crippled
- http://labs.m86secur...ambot-crippled/
August 27, 2010 - "This morning we noticed that the usual torrent of spam from the Pushdo (or Cutwail) botnet had turned into a dribble... It turns out that the folks at TLLOD* have been busy analyzing Pushdo command and control servers, and coordinating their take down. According to their blog*, over 30 Pushdo control servers were identified and 20 were taken down with the help of the relevant hosting providers. However, there still remains a few active control servers still serving up spamming data... this coordinated takedown has had an immediate impact on Pushdo’s spam output. This is welcome news indeed, especially as Pushdo has been responsible for wave after wave of malicious spam campaigns in recent months. Still, we must sound a note of caution. Previous experience has taught us that these botnet take downs are short lived. Disabling control servers does not incapacitate the people behind the botnet. It is highly likely they’ll be back before long with new control servers, and bots to do their spamming. In the meantime, we can enjoy a few days with less spam about."
* http://blog.tllod.co...infrastructure/

Pushdo Spam volume graphic
- http://labs.m86secur...ushdo_stats.png

Pushdo Botnet Crippled – II
- http://labs.m86secur...et-crippled-ii/
September 9th, 2010

- http://www.m86securi..._statistics.asp
Statistics for Week ending September 12, 2010


Edited by AplusWebMaster, 13 September 2010 - 04:48 AM.



#36 AplusWebMaster

Posted 09 September 2010 - 04:26 AM

FYI...

Waledac and Operation b49 update...
- http://blogs.technet...nd-waledac.aspx
8 Sep 2010 - "... Microsoft’s Digital Crimes Unit, in partnership with Microsoft’s Trustworthy Computing team and the Microsoft Malware Protection Center, undertook a combination of technical measures and previously untried legal techniques to disrupt and control the Waledac botnet. It was apparent from our own and from independent telemetry that the technical measures were successful, and today we are providing an update on the novel legal aspects of this approach. Our intent with this approach was to both disable the command and control infrastructure of the botnet so that new commands could not be issued to the computers which were still infected with the malware and to maintain that control in the long term while working within the law. To date, we have seen virtually no reemergence of Waledac traffic. This puts the Waledac takedown among a very few successful efforts to shut down a botnet without having it re-emerge... As you may have seen in USA Today* this morning, Judge Anderson has indicated that he recommends that the court grant our request and permanently transfer ownership of the 276 domains used for command and control of the Waledac botnet to Microsoft... Anyone who believes that they may be infected can find support and information and other resources (including no-cost tools to clean the computer) at http://support.microsoft.com/botnets ... Operation b49 is the first initiative in the larger Project MARS (Microsoft Active Response for Security)... more to come. You can read more about today’s news on the Official Microsoft Blog.**"
* http://www.usatoday....nets08_ST_N.htm

** http://blogs.technet...f-a-botnet.aspx

- http://support.micro...u_sc_virsec_b49




#37 AplusWebMaster

Posted 13 September 2010 - 03:25 PM

FYI...

Prolific DDoS Bot targeting many industries
- http://www.shadowser...lendar/20100913
13 September 2010 - "... I've been watching a DDoS group that has been attacking a wide variety of victims in several different countries. This group uses the BlackEnergy botnet to carry out its attacks. The Command and Control servers are using the following domains:
* globdomain.ru
* greenter.ru ...
As of this post, globdomain.ru is on 194.28.112.134 and greenter.ru is on 194.28.112.135. While we don't wish to individually list all the DDoS victims, we do want to break it down by industry and country to give an idea of the breadth of the attacks. Since mid 2010, the DDoS attack victims were distributed among various industries including:
DDoS Industry Victims ...
DDoS Victim Countries ...
Shadowserver is in the process of notifying the various global CERT teams, Law Enforcement, as well as the victims themselves."
(More detail at the Shadowserver URL above.)

- http://asert.arborne...-and-elsewhere/
September 13th, 2010 - "... Black Energy botnets..."


Edited by AplusWebMaster, 14 September 2010 - 06:24 AM.



#38 AplusWebMaster

Posted 17 September 2010 - 01:58 PM

FYI...

SpyEye botnet kit...
- http://krebsonsecuri...illing-feature/
September 17, 2010 - "Miscreants who control large groupings of hacked PCs or “botnets” are always looking for ways to better monetize their crime machines, and competition among rival bot developers is leading to devious innovations. The SpyEye botnet kit, for example, now not only allows botnet owners to automate the extraction of credit card and other financial data from infected systems, but it also can be configured to use those credentials to gin up bogus sales at online stores set up by the botmaster... All of the other software sales and distribution systems coded into the SpyEye bot kit are entities operated by Digital River..."




#39 AplusWebMaster

Posted 24 September 2010 - 11:56 AM

FYI...

Botnet and Zeus activities - reduced
- http://hostexploit.c...activities.html
19 September 2010 - "... adverse publicity that followed HostExploit’s report naming Demand Media as #1 ‘Bad Host’ in the world. Swift action appears to have been taken as eNom - Demand Media’s domain Registrar arm - has shown signs of a dramatic reduction in the number of malicious activities hosted. HostExploit is pleased to report that in the past 7 days, well-known botnet command & control (C&C) servers present on eNom-hosted sites have finally been taken offline... We have been monitoring closely the past few weeks for signs of improvement in eNom’s hosting via our malicious host activity tracking tool, SiteVet, which quantifies badness levels into a "HE Index". We began to see signs of some malicious activity dropping off... In particular, C&Cs for the popular Zeus botnet fell to zero... having been as high as 23 in the preceding weeks... FIRE also shows a drop in C&Cs at around the same time..."

- http://asert.arborne...os-bots-avzhan/
Sep. 22, 2010
- http://blog.trendmic...amily-revealed/
Sep. 24, 2010




#40 AplusWebMaster

Posted 15 October 2010 - 04:13 AM

FYI...

Over 2 million botnet U.S. PCs cleaned ...
- http://news.cnet.com...0019602-83.html
October 14, 2010 - "More than 2 million PCs in the U.S., or 5.2 out of every 1,000, were recruited into botnets during the second quarter of 2010, according to a Microsoft report... The company's ninth and latest Security Intelligence Report* tracked the spread of botnets and malware infections detected and removed throughout the world during the first and second quarters of the year. The sheer number of infected PCs found and cleaned up by Microsoft (via MSRT) in the U.S. in the second quarter was the highest in the world. But the percentage of infected PCs was greater elsewhere... Among the botnets that plagued computer users during the second quarter, Win32/Rimecud was the most active, with almost 70 percent more detections than the next most common family of botnets. Rimecud was the main malware family responsible for the Mariposa botnet..."
* http://www.microsoft...ir/default.aspx

Chart:
> http://www.microsoft...tory/fig_14.jpg


Edited by AplusWebMaster, 15 October 2010 - 04:49 AM.




#41 AplusWebMaster

Posted 22 October 2010 - 07:08 AM

FYI...

Botnet superhighway...
- http://blogs.technet...perhighway.aspx
21 Oct 2010 - "... By Q2 of this year, one out of every three infected machines was part of a botnet. So, if you've been hit by any malware recently, there's a 33% chance that it was by a bot, or that a bot was installed on your machine in addition to that malware... Most bot families, including Win32/Alureon, Win32/Hamweq, and Win32/IRCbot, are capable of downloading and executing arbitrary files, which may be configured to be malware. Because the downloaded threat is distinct from the bot itself, removing the threat installed by the bot doesn't stop the damage, because the bot can simply install something new after the other threat was removed... In addition to installing other threats, botnets are known to spread malicious messages via, for example, email and Instant Messaging (IM), including spam and phishing. These messages may also contain a link to a website that hosts malware or that performs a drive-by download... because of their networked and often organized structure, they allow malicious and illegal activities to be performed at a scale that has not been seen before..."
* http://www.microsoft....aspx#section_1




#42 AplusWebMaster

Posted 26 October 2010 - 04:50 AM

FYI...

Bredolab botnet takedown...
- http://www.theregist...otnet_takedown/
26 October 2010 - "Dutch police and net security organisations have teamed up to dismantle many of the command and control servers associated with the Bredolab botnet. The Bredolab Trojan, which has spyware components that allow criminals to capture bank login details and other sensitive information from compromised machines, has infected an estimated 30 million computers worldwide since its emergence in July 2009. Infected machines remain pox-ridden but the command system associated with the cybercrime network has been decapitated, following an operation led by hi-tech police in The Netherlands. The Dutch Forensic Institute NFI, net security firm GOVCERT.NL and the Dutch computer emergency response team assisted in the operation which involved the takedown of 143 servers associated with the botnet..."




#43 AplusWebMaster

Posted 29 October 2010 - 06:03 AM

FYI...

Bredolab... undead
- http://www.theregist...t_death_throes/
29 October 2010 - "... An operation led by the Dutch police led to the takedown of 143 command and control servers associated with the information-stealing botnet, estimated to have infected 30 million computers worldwide... Despite all this, at least two botnet command nodes remain active. The remaining infected machines that dial into these nodes in Kazakhstan and Russia will be instructed to download a fake anti-virus package called Antivirusplus and distribute spam, respectively. Both domains remain active at the time of writing, although a third command and control node in Russia, which flickered alive earlier this week, appears to have gone inactive. A detailed blog post by net security firm FireEye* concludes that a portion of the Bredolab botnet remains active. It reckons a second group of bot herders are issuing new instructions through various domains to the remaining population of zombie drones in the Bredolab botnet. These cybercrooks are either using leaked copies of Bredolab code to build and maintain their own botnet or they are continuing to use portions of Bredolab that they had previously rented from the primary hacker..."
* http://blog.fireeye....t-not-dead.html




#44 AplusWebMaster

Posted 29 October 2010 - 06:39 AM

FYI...

2Q-2010: Bot infection rates by country/region
- http://www.microsoft...bot-heatmap.png
29 Oct 2010
- http://blogs.technet...nce-report.aspx

Vecebot trojan analysis
- http://www.securewor...hreats/vecebot/
October 28, 2010 - "... Attack data from one of the victims shows the botnet created by Vecebot to be somewhere between 10,000 and 20,000 infected hosts. The distribution by country shows the significant portion of the botnet is comprised of computers within Vietnam* ... The current list of target URIs in the remote configuration file is:
my.opera.com/Ao-Trang-Oi/blog/
vanganhnews.multiply.com/journal/item/{RND 500 550}
www.x-cafevn.org/verification/index_img.php
vnctcmd.wordpress.com/
www.boxitvn.net/bai/{RND 10000 11000}
These sites are all blogs or forums that contain content critical of the Vietnamese Communist Party or recent developments concerning bauxite mining operations being carried out in the country by China... Whatever the circumstances surrounding the creation of Vecebot, it is clear that the purpose of the botnet is to silence critics of the Vietnamese political establishment where their voices might reach beyond the borders of Vietnam."
* http://www.securewor...ot/vecebot1.gif


Edited by AplusWebMaster, 30 October 2010 - 05:19 AM.

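
The Vecebot write-up quoted above lists the bot's target URIs as templates with "{RND lo hi}" placeholders. The script below is an added example, not code from the SecureWorks analysis: it turns that target list into anchored patterns and matches web-server requests against them, so a site operator can tell which sources are hammering the listed pages. Two things are assumptions rather than facts from the post: that "{RND lo hi}" means an integer chosen per request between lo and hi (the usual cache-busting trick), and the log format, which is constructed here as Apache's vhost_combined layout (virtual host first, then the combined fields) so that the host name is available for matching. The log lines themselves are constructed.

```python
"""Match HTTP requests against a Vecebot-style target list.

Added example, not from the SecureWorks post. Target templates are copied
from the post; the "{RND lo hi}" semantics and the log format are assumed.
"""
import re
from collections import Counter

TARGETS = [
    "my.opera.com/Ao-Trang-Oi/blog/",
    "vanganhnews.multiply.com/journal/item/{RND 500 550}",
    "www.x-cafevn.org/verification/index_img.php",
    "vnctcmd.wordpress.com/",
    "www.boxitvn.net/bai/{RND 10000 11000}",
]

RND_RE = re.compile(r"\{RND (\d+) (\d+)\}")


def template_to_regex(template):
    """Compile one target template into an anchored regex over 'host/path'.
    Literal text is escaped; each {RND lo hi} becomes a digit group whose
    value is range-checked afterwards by matches_template()."""
    parts, ranges, pos = [], [], 0
    for m in RND_RE.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        parts.append(r"(\d+)")
        ranges.append((int(m.group(1)), int(m.group(2))))
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$"), ranges


COMPILED = [(t, *template_to_regex(t)) for t in TARGETS]


def matches_template(host_path):
    """Return the target template that 'host/path' matches, or None.
    A digit run outside its {RND} range does not count as a match."""
    for template, rx, ranges in COMPILED:
        m = rx.match(host_path)
        if m and all(lo <= int(v) <= hi for v, (lo, hi) in zip(m.groups(), ranges)):
            return template
    return None


# Assumed vhost_combined layout: host ip ident user [time] "req" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+'
)

# Constructed sample: one source cycling through in-range item numbers
# (plus one out-of-range request), two lighter sources, one ordinary visitor.
SAMPLE_LOG = """\
vanganhnews.multiply.com 203.0.113.5 - - [28/Oct/2010:10:00:01 +0000] "GET /journal/item/523 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
vanganhnews.multiply.com 203.0.113.5 - - [28/Oct/2010:10:00:01 +0000] "GET /journal/item/507 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
vanganhnews.multiply.com 203.0.113.5 - - [28/Oct/2010:10:00:02 +0000] "GET /journal/item/549 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
vanganhnews.multiply.com 203.0.113.5 - - [28/Oct/2010:10:00:02 +0000] "GET /journal/item/600 HTTP/1.1" 404 210 "-" "Mozilla/4.0"
www.boxitvn.net 198.51.100.8 - - [28/Oct/2010:10:00:03 +0000] "GET /bai/10432 HTTP/1.1" 200 8000 "-" "Mozilla/4.0"
www.boxitvn.net 198.51.100.8 - - [28/Oct/2010:10:00:03 +0000] "GET /bai/10987 HTTP/1.1" 200 8000 "-" "Mozilla/4.0"
www.boxitvn.net 192.0.2.20 - - [28/Oct/2010:10:00:04 +0000] "GET /bai/10001 HTTP/1.1" 200 8000 "http://www.boxitvn.net/" "Mozilla/5.0"
vnctcmd.wordpress.com 203.0.113.5 - - [28/Oct/2010:10:00:05 +0000] "GET / HTTP/1.1" 200 3000 "-" "Mozilla/4.0"
""".splitlines()


def flag_sources(log_lines, min_hits=3):
    """Count requests per (source IP, target template) and return the pairs
    with at least `min_hits` requests to a listed target."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        template = matches_template(m["host"] + m["path"])
        if template:
            hits[(m["ip"], template)] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for (ip, template), n in sorted(flag_sources(SAMPLE_LOG).items()):
        print(f"{ip} -> {template}: {n} requests")
```

Per-source counting only identifies the bots that reach the site; with 10,000 to 20,000 infected hosts each making a handful of requests, the counts per IP stay small, and the useful signal is the share of all traffic landing on the templated paths rather than any one source.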


#45 AplusWebMaster

Posted 05 November 2010 - 12:17 PM

FYI..

Zeus 2.1 defeats MSRT...
- http://news.techworl...-security-tool/
5 November 2010 - "... According to Trusteer, MSRT detected and removed Zeus version 2.0 about 46 percent of the time in its tests, but failed to spot updated versions which are now circulating... Depending on when the test was conducted, it is not surprising that the MSRT does not detect the latest Zeus variants. The software is updated only once per month, which limits its scope compared to rival tools... Trusteer also markets a rival anti-Zeus approach with its free Rapport plug-in*, which sets out to block it through the browser..."
* http://www.trusteer....ownload-rapport


