Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93098 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Pandemic of the botnets 2011


  • Please log in to reply
30 replies to this topic

#31 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 29 November 2011 - 06:05 AM

FYI...

P2P variant of Zeusbot/Spyeye...
- http://www.symantec....t-zeusbotspyeye
Nov. 28, 2011 - "... Symantec observed a modified variant of Zeusbot/Spyeye which uses peer-to-peer (P2P) architecture to communicate. The original Zeusbot communicated directly with its C&C server to download configuration data and upload stolen information. This was a major point of failure for the bot because the C&C server could be blocked or taken down, and the attacker would lose control of the botnet. The bot did have a fallback strategy: if the C&C server was down it generated pseudo-random domain names to contact. The attacker could of course predict those domain names and register one in order to gain back control of the bot, but the solution was not very efficient. (Terminology note: although we use the term “C&C” for the main server controlled by the attackers, this server is not a typical C&C in its functionalities, but is mainly a collector of information from the drones.) To overcome these limitations the attackers have now decided to use P2P. This modified variant of Zeusbot/Spyeye contains a list of IP addresses to contact. These IPs are not servers; they are other infected clients (peers). These clients provide configuration data, which in turn contains the URL of the main C&C server. In this modified way, even if the C&C server is taken down, the P2P network remains alive and can be fuelled with a new configuration file pointing to a new URL for a new C&C server. Can the P2P network be shut down? No (at least, not easily). The IP addresses in the P2P network cannot be blocked because, in most cases, they would be normal broadband IPs (home users and work computers, for instance) and blocking them would disrupt legitimate network traffic. Also, the list of peers can update so frequently that tracking them proves difficult. Using a P2P network this way is more resistant than just a single C&C URL, and can considerably prolong a botnet’s lifetime... We have found several samples in the wild which all seem to originate from a single source... We suspect those responsible for spreading this new variant may have access to the source code and upgraded the bot with all the new features... In total we observed 327 unique peers*, so an estimation of the number of infected machines could be anywhere from 500 to 1000... It has been reported that this threat has been spreading through spam emails and drive-by download exploits, so, in order to mitigate the risk of infection, we recommend users keep their computers updated and beware of email from unknown or unverified sources..."
* http://www.symantec....s/image11_0.png
Infection geographical distribution

:ph34r: <_<

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

    Advertisements

Register to Remove

Related Topics



1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users