
Pandemic of the botnets 2010


51 replies to this topic

#46 AplusWebMaster


Posted 12 November 2010 - 08:10 PM

FYI...

Koobface on Facebook - report
- http://krebsonsecuri...-and-partnerka/
November 12, 2010 - "... detailed analysis (PDF)* of “Koobface,” a huge network of hacked computers that are compromised mostly by social engineering scams spread among users of Facebook.com (Koobface is an anagram of “Facebook”). As the report describes in great detail, the Koobface infrastructure is a crime machine fed by cyber criminal gangs tied to a variety of moneymaking schemes involving Web browser search hijacking and the installation of rogue anti-virus software. This report traces the trail of Koobface activity back through payments made to top criminal partners — known as Partnerka (PDF)** — a mix of private and semi-public affiliate groups that form to facilitate coordinated malware propagation... The report lists the nicknames of top Koobface affiliates, showing the earnings for each over the past year and the Web addresses of their associated affiliate programs***. This is the kind of intelligence that — if shared broadly — has the potential to massively disrupt large scale criminal operations, because cybercrime researchers can use it to make sense of seemingly disparate pieces of information about criminal actors and groups... efforts to disconnect the physical and network control infrastructure... against Koobface is in the works... Stay tuned."
* http://www.infowar-m...wm-koobface.pdf

** http://www.sophos.co...b2009-paper.pdf

*** http://krebsonsecuri...baffiliates.jpg

**** http://www.mcafee.co...o_the_enemy.pdf

:ph34r: <_<

Edited by AplusWebMaster, 12 November 2010 - 08:24 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#47 AplusWebMaster


Posted 15 November 2010 - 06:54 AM

FYI...

Koobface take down...
- http://www.pcworld.c...ce_servers.html
Nov 13, 2010 - "Security researchers, working with law enforcement and Internet service providers, have disrupted the brains of the Koobface botnet. Late Friday afternoon, Pacific Time, the computer identified as the command-and-control server used to send instructions to infected Koobface machines was offline... Coreix took down the servers after researchers contacted U.K. law enforcement... The takedown will disrupt Koobface for a time, but for any real effect, much more will have to happen. Machines that are infected by Koobface connect to intermediary servers - typically Web servers that have had their FTP credentials compromised - that then -redirect- them to the now-downed command and control servers. Friday's takedown is part of a larger operation that first started two weeks ago. Villeneuve and his team have notified the ISPs about the compromised FTP accounts, and they've also tipped off Facebook and Google to hundreds of thousands of Koobface-operated accounts. The Facebook accounts are used to lure victims to Google Blogspot pages, which in turn -redirect- them to Web servers that contain the malicious Koobface code. Victims are usually promised some interesting video on a page designed to look like YouTube. But first they must download special video software. That software is actually Koobface. Koobface includes several components, including worm software that automatically tries to infect Facebook friends of the victims, and botnet code that gives the hackers remote control of the infected computer... The gang's creators would use their hacked computers to register more Gmail, Blogspot and Facebook accounts and steal FTP (File Transfer Protocol) passwords. They also messed up their victims' search results to trick them into clicking on online ads, generating referral money from advertising companies. More cash came from fake antivirus software that Koobface can sneak onto victims' PCs. 
Almost exactly half of Koobface's income - just over $1 million - came from the fake antivirus software. The other half came from online advertising fees... They have identified 20,000 -fake- Facebook accounts; 500,000 -fake- Gmail and Blogspot accounts, and thousands of compromised FTP accounts used by the gang..."

- http://www.theregist...face_take_down/
15 November 2010

:ph34r: :ph34r:

Edited by AplusWebMaster, 15 November 2010 - 07:02 AM.



#48 AplusWebMaster


Posted 16 November 2010 - 11:52 AM

FYI...

SpyEye - more than 270,000 infections
- http://labs.m86secur...ng-battlefield/
November 15, 2010 - "... A few months ago, the M86 Security Lab team discovered another SpyEye C&C server targeting one of the largest American banks. As part of the internal M86 disclosure policy, we contacted the bank to provide the detailed information we had discovered... In this particular case of malicious activity, the SpyEye Trojan’s “install base” included more than 270,000 infections. The bank eventually confirmed that more than 200 bank accounts had been compromised... Based on several recent cases, I can verify that the banks have begun to take this information much more seriously. First, they’ve educated themselves on banking Trojans - a refreshing change. Second, they are ready to co-operate and convey a willingness to further investigate the information provided. For example, the SpyEye case mentioned above, was a process that took less than a month with the bank. At the conclusion of the case, we received complementary information that was confirmed by the bank. Without the pretense for accurate statistics, the behavioral changes of the banks is significant, and is a result of the losses the banks suffered, and continue to suffer, as result of this new type of Banker Trojans activity. Success of Zeus and SpyEye have caused numerous copycats to appear, such as the new Bugat, Carberp, and latest Feodo Trojans. The war that the banks were engaged in at the birth of Cybercrime has become increasingly sophisticated. Given the new battle landscape, banks have begun to re-group their efforts in fighting back."

- http://www.mcafee.co...s_report_en.pdf
2010-Q3 report pg. 5 - "...we see on average about 6,000,000 new botnet infections per month..."

:ph34r: :ph34r:

Edited by AplusWebMaster, 16 November 2010 - 12:29 PM.



#49 AplusWebMaster


Posted 25 November 2010 - 11:45 AM

FYI...

Kroxxu botnet infects 100K domains...
- http://www.avast.com...t-a-money-trail
November 18, 2010 - "... During the last twelve months, avast! Virus Lab researchers have covered the steady growth and structure of the Kroxxu bot network, an innovative self-generating network of password-stealing malware. This extensive botnet has around 100 thousand infected domains and has likely infected more than 1 million users around the world... Kroxxu is focused exclusively on stealing FTP passwords. Unlike its predecessor Gumblar and the traditional botnet, Kroxxu’s expansion is completely based on infected websites – not individual PCs. Stolen passwords enable Kroxxu’s owners to add a simple script tag to the original website content, making it possible to upload and modify files on infected servers and spread the net to other servers around the globe. If stacked up in a layered pyramid structure, avast! Virus Lab estimates that the Kroxxu zombie network includes over 10,000 redirectors, 2,500 PHP redirectors, and an additional 700 plus malware distribution sites located worldwide, randomly connected and controlled from places hidden behind collectors. Redirection is central to Kroxxu’s ability to hide itself. The longest active connection found so far used 15 redirectors, passing the unsuspecting visitor through seven countries in three continents to the infectious exploits... 985 PHP redirectors and 336 malware distributors placed in the infected sites had survived more than three months without any attention from the side of the site owners or administrators. It seems that most administrators are ignoring or – more likely – absolutely unaware of the infection. Only the administrator or the owner of the hacked website is able to legally get rid of the infection..."
(More detail at the URL above.)

:ph34r: <_< :ph34r:

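A check a site administrator could run over their own pages for the appended script tag the avast! report describes, added here as an example (not code from avast! or from the post above); the host names, the sample page and the allowlist are constructed assumptions.

```python
from html.parser import HTMLParser
from typing import Iterable, List
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Record the src of every <script> tag encountered in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def script_host(src: str) -> str:
    """Host a script src loads from; '' for relative (same-site) paths."""
    netloc = urlparse(src).netloc.lower()
    return netloc.rsplit("@", 1)[-1].split(":")[0]  # drop userinfo and port


def find_foreign_scripts(html: str, site_host: str,
                         allowed_hosts: Iterable[str] = ()) -> List[str]:
    """Return script sources loading from a host that is neither the site
    itself nor on the administrator's allowlist; an injected tag shows here."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    allowed = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    return [src for src in parser.srcs
            if script_host(src) and script_host(src) not in allowed]


# Constructed sample page for www.example.invalid: two legitimate scripts
# (one relative, one from an allowed CDN) and one appended foreign tag,
# the pattern the avast! report describes. Hosts are placeholders.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="//cdn.example.invalid/lib.js"></script>
</head><body><p>hello</p>
<script src="http://redirector.test.invalid/r.php"></script>
</body></html>"""

if __name__ == "__main__":
    hits = find_foreign_scripts(SAMPLE_PAGE, "www.example.invalid",
                                allowed_hosts=["cdn.example.invalid"])
    for src in hits:
        print("unexpected script source:", src)
```

A tag emitted from modified server-side PHP or assembled by obfuscated inline JavaScript never appears as a plain src attribute, so this check complements file-integrity monitoring of the web root rather than replacing it.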


#50 AplusWebMaster


Posted 06 December 2010 - 07:10 AM

FYI...

'Darkness' DDoS Bot
- http://www.shadowser...lendar/20101205
December 05, 2010 - "... new DDoS bot that has been quite active over the past few weeks targeting a fairly large variety of websites... this is not the usual prolific BlackEnergy botnet, but a botnet called “Destination Darkness Outlaw System”(D.D.O.S), aka “Darkness”. As with BlackEnergy, “Darkness” is easy to purchase, easy to deploy, and is very effective and efficient in what it does. This particular version of “Darkness” is using the domains greatfull-toolss .ru and greatfull .ru for its command and control (C&C)... a third domain, hellcomeback .ru, was also utilized but is no longer available now. Since November 12 of this year, we have seen over 100 different hosts targeted by 'greatfull .ru'. Initially, the botnet's attacks seem localized and against various MU Online gaming sites, but eventually, it was seen targeting more high profile sites in the financial, insurance, cosmetics, clothing, accessories, and gifts industries.
The C&C - greatfull .ru and greatfull-toolss .ru are currently being hosted on 91.212.124.35 which is: AS49089 - UA-DC / Nikultsev Aleksandr Nikolaevich. AS49089 is a small provider that only seems to be announcing the /24 netblock 91.212.124.0/24 ... It has a single upstream which is AS49211 - SAASUA-AS SAAS Technologies Ltd. The current AS path is seen as: AS4777 > AS2516* > AS174 > AS42590 > AS49211 > AS49089 ...
Additional Observations - The hellcomeback .ru domain was registered on 10/10/2010. The greatfull .ru and greatfull-toolss .ru domains were registered on 11/3/2010. Having a three-headed C&C domain structure for this DDoS bot enables it to remain functional despite a takedown of any single domain or provider. It also allows for some additional correlation of the botnet operator to forum posts, ads, registrations, etc... Shadowserver continues to track 'greatfull .ru' and other 'Darkness' DDoS bots. We are also notifying the various global CERT teams, Law Enforcement, as well as the victims themselves..."
(More detail and graphics available at the Shadowserver URL above.)

* http://www.google.co...ic?site=AS:2516

- http://www.google.co...tic?site=AS:174

- http://www.google.co...c?site=AS:49089

- http://www.theregist...arkness_botnet/
7 December 2010

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 08 December 2010 - 06:31 AM.



#51 AplusWebMaster


Posted 24 December 2010 - 02:13 AM

FYI...

Bredolab botnet/trojan ...review
- http://labs.m86secur...malware-review/
December 23, 2010 - "Two months ago the Authorities in the Netherlands announced a massive botnet takedown of Bredolab Trojan*. However, Bredolab Trojan is still spreading malware on user’s machines... Once the malware is executed, it copies itself to a temp folder and injects code into “svchost.exe” process. It then generates a key and sends basic information... The bot wraps up the data and sends it to the command and control server... Bredolab (unlike the Zeus Trojan) doesn’t have local configuration files pre-generated by the malware operator. The Trojan operates like a Trojan Dropper; it receives the malware, saves it on the hard disk or in the memory according to the Trojan operator, and then loads it... Once the malware is successfully installed on the victims’ machine, it becomes much more complicated for AV companies to detect any activity committed by Bredolab Trojan. Looking closely at the traffic sent from the server to the victim shows how the downloaded executable is encrypted in a unique way for -each- machine, rendering AV pattern detection useless... even though instances of Bredolab Trojan still can be found in the wild and used by cybercriminals, it is expected that it will gradually decrease over time*."
* http://www.securelis...Bredolab_Botnet

:ph34r: <_<



#52 AplusWebMaster


Posted 30 December 2010 - 07:48 PM

FYI...

Botnet for the Holidays... Storm 3.0?
- http://www.shadowser...lendar/20101230
30 December 2010 - "... we noticed a new spam campaign that recently started. At first it looked like your regular old holiday e-card scams that have been around for years. However, upon closer inspection it looks like we could be dealing with the next generation of Storm Worm or Waledac. If you consider Waledac to be Storm Worm 2.0, this looks like it could be version 3.0. There are no real version numbers of course, but we don't have anything else to call it yet. What's it involve you ask? Well here's the list of what we've seen so far:
• Large scale Spam campaigns sending out e-mails with links
• New malicious domains that are fast flux! (TTL of 0 and name servers that frequently update IPs)
• Links are to several hacked websites hosting HTML pages that refresh to new malicious domains
• Links are also directly to new malicious domains
• Malicious domains hosting links to fake flash player and refreshes to exploit pages
• Malware installs that begin beaconing to several hosts over HTTP (what we dubbed HTTP2p with Waledac)
• Malware that's been updated to look a bit more legitimate than past variants
• A very buggy network that is not often available (upstream devices not available)
• Changing/Updated binaries ...

Below you'll find a list of subjects we've seen and an example e-mail message. These are coming from all over the Internet with spoofed sender addresses.
Greeting for you!
Greeting you with heartiest New Year wishes
Greetings to You
Happy New Year greetings e-card is waiting for you
Happy New Year greetings for you
Happy New Year greetings from your friend
Have a happy and colorful New Year!
l want to share Greeting with you (Shadowserver note: the first letter is an L)
New Year 2011 greetings for you
You have a greeting card
You have a New Year Greeting!
You have received a greetings card
You've got a Happy New Year Greeting Card!...

We have not done any analysis to see if there are actually any pieces of the code that were directly taken or updated from the Storm Worm or Waledac code. However, whether or not the code is the same or not, this appears to be the next generation of Storm Worm and Waledac. We are just saying it could be Storm Worm 3.0, at least until someone gives it a better name."

- http://www.shadowser.../mail-honda.png

- http://www.shadowser...r/mail-flux.png

- http://www.shadowser...dar/website.png
___

> http://atlas.arbor.n...ummary/fastflux

:ph34r:

Edited by AplusWebMaster, 30 December 2010 - 08:33 PM.

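A scoring routine for the two fast-flux traits the Shadowserver post lists (TTL of 0 and name servers that frequently update IPs), added here as an example and not Shadowserver's own tooling; the domain names, the series of lookups and the flagging thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class DnsObservation:
    """One A-record answer set observed for a domain at a given time."""
    domain: str
    ts: int                 # epoch seconds of the lookup
    ttl: int                # TTL the resolver returned with the answer
    ips: FrozenSet[str]     # A records in that answer


def analyze(observations: Iterable[DnsObservation], ttl_threshold: int = 300,
            min_samples: int = 3) -> Dict[str, dict]:
    """Score each domain on near-zero TTLs and on answer sets that keep
    changing between successive lookups (the churn fast flux relies on)."""
    by_domain: Dict[str, List[DnsObservation]] = defaultdict(list)
    for o in observations:
        by_domain[o.domain].append(o)
    report: Dict[str, dict] = {}
    for domain, obs in by_domain.items():
        obs.sort(key=lambda o: o.ts)
        if len(obs) < min_samples:
            report[domain] = {"fast_flux": False, "reason": "too few samples"}
            continue
        low_ttl_ratio = sum(o.ttl <= ttl_threshold for o in obs) / len(obs)
        distinct_ips = len(set().union(*(o.ips for o in obs)))
        # churn: share of consecutive lookups whose answer set differed
        changes = sum(a.ips != b.ips for a, b in zip(obs, obs[1:]))
        churn = changes / (len(obs) - 1)
        # thresholds are assumptions for this example, not a published standard
        flagged = low_ttl_ratio >= 0.8 and churn >= 0.5 and distinct_ips >= 5
        report[domain] = {"fast_flux": flagged, "low_ttl_ratio": low_ttl_ratio,
                          "churn": churn, "distinct_ips": distinct_ips}
    return report


# Constructed sample: six lookups a minute apart per domain, using RFC 5737
# documentation addresses; this is not captured traffic.
SAMPLE = [
    DnsObservation("flux-example.invalid", 60 * i, 0,
                   frozenset({f"203.0.113.{10 + i}", f"203.0.113.{20 + i}"}))
    for i in range(6)
] + [
    DnsObservation("stable-example.invalid", 60 * i, 3600,
                   frozenset({"198.51.100.10"}))
    for i in range(6)
]

if __name__ == "__main__":
    for domain, result in analyze(SAMPLE).items():
        print(domain, result)
```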
