30 replies to this topic

[AplusWebMaster]

FYI...

Waledac wakes up...
- http://community.web...s-of-sleep.aspx
13 Jan 2011 - "... On Tuesday morning a new variant* of Waledac was distributed to members of the botnet. Yesterday it started spamming again, but now it's back to sending pharmaceutical spam promoting "the magic blue pill" which we have seen previous versions of Waledac do in the past. As in previous spam campaigns, the spammers are using redirections via compromised legitimate sites... The new spam campaign doesn't redirect to malicious content, just to spam content but that could change at any point if the people behind Waledac decides to grow the botnet. We have seen hundreds of different subjects being used in this campaign, here are some examples:
Wonderful revealing effect on your libido.
I dream u to be vigorous, dive into u dream this too
The most excellent way to satisfy her
Your gf wants your organ to be the finest worker of the year!
Want to act like a xxxstar? Bang a blu-colored pill!
FDA-approved blue-blu-colored med to heal ED!
She needs YOU to grow your PENI!
Wish to surprise and gratify your lady tonight? ..."
* http://www.virustota...a45e-1294875643
File name: erobyxwugwaugj.exe
Submission date: 2011-01-12 23:40:43 (UTC)
Result: 13/42 (31.0%)
There is a more up-to-date report (21/42) for this file.
- http://www.virustota...a45e-1295079348
File name: 0aae4f7c578bf77f36d12bd353dd3e71
Submission date: 2011-01-15 08:15:48 (UTC)
Result: 21/42 (50.0%)

- http://www.symantec....otnet-back-rise
12 Jan 2011

Distribution of the malware
> http://www.symantec....images/fig3.JPG
___

Waledac... [has stolen] almost 500,000 email passwords ...
- http://forums.whatth...=...st&p=710266
2 February 2011

Edited by AplusWebMaster, 02 February 2011 - 04:18 PM.

[AplusWebMaster]

FYI...

DDoS botnet update - greenter.ru & globdomain.ru
- http://www.shadowser...lendar/20110116
16 January 2011 - "On September 13, 2010, I posted a blog about a very active BlackEnergy DDoS botnet that was attacking a wide variety of victims.
http://www.shadowser...lendar/20100913
Since that post, the Command and Control servers on the greenter.ru and globdomain.ru domains have directed DDoS attacks against approximately 170 different victims. Again, these attacks are across many different industries and target some rather high profile sites. As of 9/13/10, I've seen these controllers use the following hosting providers. The list indicates the date first seen on the provider, the IP address used, the AS number of the provider, and the country of the provider:
greenter.ru hosts
* 08/07/10 - 194.28.112.135 - AS48691 SPECIALIST-AS Specialist Ltd - - Moldova
* 11/18/10 - 188.95.159.114 - AS51306 - Tavria Host Network - Ukraine
* 11/30/10 - 193.186.9.60 - AS44209 - FINACTIVE - Ukraine
* 1/7/10 - 46.252.129.155 - AS52055 - ReliktBVK - Latvia
globdomain.ru hosts
* 08/07/10 - 194.28.112.134 - AS48691 SPECIALIST-AS Specialist Ltd - Moldova
* 11/23/10 - 188.95.159.115 - AS51306 - Tavria Host Network - UA
* 11/30/10 - 193.186.9.61 - AS44209 - FINACTIVE - UA
* 1/7/10 - 46.252.129.156 - AS52055 - ReliktBVK - LV
As of this post, globdomain.ru is on 46.252.129.156 and greenter.ru is on 46.252.129.155. Shadowserver is in the process of notifying the various global CERT teams, Law Enforcement, as well as the victims themselves..."

Darkness DDoS bot version identification guide
- http://www.shadowser...lendar/20110127
27 January 2011

Edited by AplusWebMaster, 28 January 2011 - 08:47 PM.

[AplusWebMaster]

FYI...

Conficker Group... roadmap for stopping worm
- http://www.informati...cleID=229100192
Jan. 25, 2011 - "... On Monday, the Rendon Group released a report*, funded by the Department of Homeland Security, rounding up the 15-person-strong working group's "lessons learned." The report highlighted the group's biggest achievement: "preventing the author of Conficker from gaining control of the botnet." Doing so, however, required coordinating with organizations in more than 100 countries to block the more than 50,000 domains per day generated by the Conficker C worm..."
* http://www.conficker...lendar/20110124
Lessons Learned ...

THANK YOU ...Conficker Group

[AplusWebMaster]

FYI...

SpyEye/ZeuS merger - revisited...
- http://krebsonsecuri...eyezeus-merger/
February 3, 2011 - "... Seculert*, a new threat alert service... includes some screen shots of the administrative panel of SpyZeuS that show the author trying to appeal to 'users' of both Trojans, by allowing 'customers' to control and update their botnets using either the traditional ZeuS or SpyEye Web interface... the author(s) has been adding new features to both the bot and the control panels nearly every day..."
* http://blog.seculert...hydra-head.html

- http://www.pcworld.c...after_zeus.html
Feb 3, 2011
___

- http://www.informati...cleID=229201215
Feb. 4, 2011
- http://www.trusteer....ng-its-progress
Feb. 3, 2011

Edited by AplusWebMaster, 07 February 2011 - 03:59 PM.

[AplusWebMaster]

FYI...

Zbot detections - MSRT
- http://blogs.technet...-with-msrt.aspx
10 Feb 2011 - "... Zbot itself is continually evolving, having undergone many changes in the last year or so, ‘updates’ to the file-based obfuscation, anti-AV defensive techniques, information stealing capabilities, configuration file protection, API hooking, pseudo-random domain generation, process injection and file infection... we can show the telemetry we’ve gathered from the MSRT and Microsoft Security Essentials over the last four months documenting the percentage of Zbot detections exhibiting these new features... Of all the changes that Zbot has undergone however, the most significant from an MSRT perspective is the move towards file infection. Since its inception, Zbot has employed process injection targeting multiple processes on the system, the extent of which is governed by the privilege level of the user who unwittingly triggers the infection. (TIP: If you’re going to run an attachment you got from an email or a link, or via Facebook, don’t elevate it to admin via UAC.) In some newer variants of Zbot in the wild, for each infected process it will hook several Windows APIs, modify and infect binary files, and infect files shared in the network. One interesting behavior to note is that the infected process thread will continually monitor and infect other processes... In its original form, Zbot hooked around 15 APIs. But newer versions, dubbed Zbot 2.x, hook upwards of 30 APIs. The API that we are most interested in however is NtCreateFile(), which is invoked upon opening files... Zbot can infect both directly and upon opening files..."

Zbot detections - charted
- http://www.microsoft.../zbotmsrt-1.png
Zbot code injection and hooking process
- http://www.microsoft.../zbotmsrt-2.png

- http://www.darkreadi...le/id/229216691
Feb 10, 2011

- http://www.microsoft...x#section_4_5_1

Edited by AplusWebMaster, 11 February 2011 - 05:12 PM.

[AplusWebMaster]

FYI...

Top 10 botnets - 2010 ...
- http://www.securityw...leased-damballa
Feb 15, 2011 - "Damballa... today released its “Top 10 Botnet Threat Report - 2010”... At its peak in 2010, the total number of unique botnet victims grew by 654 percent, with an average incremental growth of eight percent per week... Some highlights include:
• Of the Top 10 largest botnets in 2010, six of these botnets did not exist in 2009, and only one (Monkif) was present in the 2009 Top 10 largest botnets.
• The biggest botnet of 2010 (a botnet associated with the TDL Gang)... claiming nearly 15 percent of all unique infected victims in 2010.
• The Top 10 largest botnets in 2010 accounted for approximately 47 percent of all botnet compromised victims...
• ... more than 35 percent of unique IP addresses infected were simultaneously victims of two or more different botnet campaigns...
• ... rapid evolution of many popular botnet do-it-yourself (DIY) construction kits and the increased availability of feature-rich browser exploit packs.
• ... malware distribution services became more proficient at installing bot agents on behalf of their customers (i.e. botnet operators).
• The last quarter of 2010 was heavily influenced by the rapid growth of botnets utilizing the TDL master-boot-record (MBR) rootkit technology...
The full report is available here* (Direct PDF Download)"
* http://www.damballa....nets_Report.pdf
___

- http://www.securewor...mbot-evolution/
15 February 2011

Edited by AplusWebMaster, 17 February 2011 - 02:10 PM.

[AplusWebMaster]

FYI...

Cybercrime costs UK $43B a year
- http://www.reuters.c...E71G35320110217
Feb 17, 2011 - "Cyber crime costs the British economy some 27 billion pounds ($43.5 billion) a year and appears to be "endemic," according to the first official government estimate of the issue published on Thursday. The study by Britain's Office of Cyber Security and Information Assurance concluded digital crime is a growing, widespread problem, and attempts to address it have been hampered by a real lack of understanding and insight. Business is bearing the brunt of the costs at an estimated 21 billion pounds, with the pharmaceutical, biotech, IT, and chemical sectors the worst hit. However, government lost some 2.2 billion pounds and the cost to individual Britons amounted to 3.1 billion pounds, "The Cost of Cyber Crime" report* said. Last year, Britain's National Security Strategy placed cyber attacks as one of the top threats the country faces, along with terrorism, war and natural disasters... The report said 9.2 billion pounds was lost from intellectual property (IP) theft, 7.6 billion from industrial espionage and 2.2 billion from extortion, with large companies being targeted..."
* http://www.cabinetof...-of-cyber-crime

[AplusWebMaster]

FYI...

ZeuS attacks 2-factor...
- http://www.theregist...ication_attack/
22 February 2011 - "A variant of the ZeuS banking trojan is targeting mobile phone users who rely on their handsets to get enhanced, two-factor authentication from ING Bank Slaski in Poland... The ZeuS man-in-the-mobile attacks appear to similar to those that hit Spain in September, researchers from antivirus provider F-Secure said*. Both attacks attempt to steal so-called mTANs, short for mobile transaction authentication numbers, which an increasing number of European banks are using to provide enhanced authentication to online customers. Financial institutions send the one-time passwords in text messages. The secondary passcodes are needed to login to online accounts. The ZeuS Mitmo injects a fraudulent field into webpages that prompts users for their cellphone number and the type of handset they use. The criminals behind the operation then send the user an SMS message containing a link to malware that's customized to their Symbian or Blackberry phone. The malware automatically sends all mTANs sent to the handset to the ZeuS operators..."
* http://www.f-secure....s/00002104.html

[AplusWebMaster]

FYI...

Botnets spew many trojans in February
- http://www.eweek.com...ebruary-553094/
2011-03-04 - "Trojan-based attacks continue to be the biggest malware threat in February, but PDF exploits aren’t far behind, according to several security reports. About 1 in 290 e-mails in February were malicious, making the month one of the most prolific periods for the threats, according to Symantec’s February 2011 MessageLabs Intelligence Report*. The global ratio of spam in e-mail traffic was 81.3 percent, an increase of 2.7 percent since January, the report found. The recent decline in spam appears to have reversed for the time being, according to the report. There was a lot of botnet activity in February, and the perpetrators appeared to be working together to some extent to distribute Trojans, according to Symantec. There were signs of integration across Zeus, Bredolab and SpyEye, as techniques associated with one malware family were being used by others, Symantec said in the report. The attacks were well-timed and used carefully targeted techniques, suggesting a “common origin” for these infected messages. One day, the messages would be propagating mainly Zeus variants, followed by a day dedicated to distributing SpyEye variants and later with Bredolab, in an alternating pattern, according to Paul Wood, MessageLabs Intelligence senior analyst. By the middle of the month, the variants propagated simultaneously with an advanced package that evaded traditional antivirus detection, he said. All the attacks used a .ZIP archive attachment containing malicious code. About 1.5 percent of blocked malware had malicious .ZIP attachments, and 79.2 percent of those files were connected to the Bredolab, Zeus and SpyEye attacks..."
* http://www.messagela...m/globalthreats

[AplusWebMaster]

FYI...

SpyEye/ZeuS target tracker sites...
- http://krebsonsecuri...-tracker-sites/
March 9, 2011 - "Crooks who create botnets with the help of crimeware kits SpyEye and ZeuS are actively venting their frustration with two Web services that help ISPs and companies block infected machines from communicating with control networks run by these botmasters. The lengths to which established cyber criminals are willing to go to disable and discredit these anti-fraud services provide convincing proof that the services are working as designed, and that the bad guys are suffering financially as a result... A series of discussions on an uber-exclusive Russian language forum that caters to identity and credit card thieves reveal that botmasters are becoming impatient in their search for a solution... Their stated goal? To cause SpyEye Tracker and ZeuS Tracker to flag legitimate sites as hostile, and thereby to lose credibility with ISPs that rely on the trackers... it is clear from these and other threads on this forum that the botmasters will continue devising new methods of disabling the trackers..."
(More detail and screenshots available at URL above.)

Data showing recent traffic spikes from DDoS attacks
- http://krebsonsecuri...spyzeusdns1.jpg

[AplusWebMaster]

FYI...

Skunkx DDoS Bot Analysis
- http://asert.arborne...s-bot-analysis/
March 14th, 2011 - "... appears to be from the US. We’re calling this bot “Skunkx”. We have not yet seen the bot’s attacks in the wild, however, and so we do not know its favored victim profiles. We also do not know how big this botnet is at this time. The bot’s capabilities include:
* Perform DDoS attacks: UDP floods, SYN floods, HTTP floods, and Slowloris attacks
* Detect some analyst tools (Commview, TCPView, and Wireshark) and platforms (QEMU, VMWare, VirtualPC)
* Spread over USB, MSN, YahooMessenger
* “Visit” sites, speedtest
* Download and install, update, and remove arbitrary software
* Detect and stop DDoSer, Blackshades, Metus and IRC bots on the box; it apparently can speak “DDoSer” too
* Spread as a torrent file
* Steal logins stored in the SQLite DB by Mozilla
We have not seen source or the control panel of the bot. The author appears to like the “JoinVPS” service, however. His servers that he has used go back to “Net-0x2a: Zharkov Mukola Mukolayovuch” in the Ukraine, and also “PIRADIUS” in Malaysia. This is someone familiar with underground hosting, it seems... We have also been sinkholing this botnet. Inspection shows hundreds of bots checking in from around the world, with most in the US..."
Map showing botted hosts:
- http://farm6.static....b6c467802_o.png

JKDDOS: DDoS bot...
- http://asert.arborne...ining-industry/
March 8th, 2011 - "... Looking back through our malware zoo, we observed our first JKDDOS sample as early as September 2009. Since then, we have analyzed almost 50 unique JKDDOS samples, the most recent of which we acquired in December 2010. Based on its recent history of attacks, the operators of this family appear to have an axe to grind against several relatively large international holding companies that have connections to the mining industry... The JKDDOS malware is distributed in the form of a relatively small executable that tends to vary widely in size across different samples; we have seen specimens as small as 17,408 bytes and as large as 240,997 bytes. The most common size for a JKDDOS sample is approximately 33.5 KB; recently, the JKDDOS samples we have analyzed have usually been packed whereas earlier samples were not... Once launched, a JKDDOS bot performs a fairly standard installation process. It copies itself into the C:\Windows\System32 directory. In an attempt to be stealthy, it will sometimes name the installed copy of itself so as to appear to be a legitimate system file..."

(More detail at both URLs above.)

[AplusWebMaster]

FYI...

Rustock botnet takedown...
- http://www.theregist...otnet_takedown/
17th March 2011 - "Spam volumes shrank on Wednesday after the prolific Rustock botnet fell silent, reportedly as a result of a takedown action*. Rustock, which is made up of a network of compromised (malware-infected) Windows PCs, turns an illicit income for its unknown controllers by being the biggest single source of global spam... SecureWorks... last month... said the author(s) of Rustock have pioneered a variety of techniques to evade detection on infected machines and to stymie security researchers hoping to unlock the secrets of its day-to-day operations... it is possible that Rustock may be configured to use the news headlines or other topical information from these sites as the random seed for generating new command and control domains..."
* http://krebsonsecuri...volumes-plummet
March 16th, 2011 7:05 pm

- http://labs.m86secur...3/rustock-down/
March 16th, 2011 - "... A brief look at at our spam traps today confirmed that output from Rustock did indeed dry up today. The chart below shows an index of daily spam volume changes from Rustock over the last few weeks:
- http://labs.m86secur...RustockSpam.png
... lets hope this one sticks. Previous attempts at botnet shutdowns have tended to be short lived as the botnet herders simply regroup and start again..."
___

Operation b107 - Rustock Botnet Takedown
- http://blogs.technet...t-takedown.aspx
17 Mar 2011 6:47 PM

- http://online.wsj.co...3861008758.html
MARCH 18, 2011 - "... U.S. marshals accompanied employees of Microsoft's digital crimes unit into Internet hosting facilities in Kansas City, Mo.; Scranton, Pa; Denver; Dallas; Chicago; Seattle and Columbus, Ohio. The Microsoft officials brought with them a federal court order granting them permission to seize computers within the facilities alleged to be "command-and-control" machines, through which the operators of the Rustock botnet broadcast instructions to their army of infected computers, estimated by Microsoft at more than one million machines world-wide..."

Edited by AplusWebMaster, 18 March 2011 - 05:45 AM.

[AplusWebMaster]

FYI...

Coreflood botnet takedown ...
- http://news.yahoo.co...ternetcoreflood
April 13, 2011 WASHINGTON (AFP) – "The US authorities have disabled a vast network of virus-infected computers used by cyber criminals to steal passwords and financial information, the Justice Department and FBI announced Wednesday. The "Coreflood" botnet is believed to have operated for nearly a decade and to have infected more than two million computers around the world, they said in a joint statement. The Justice Department and FBI said charges of wire fraud, bank fraud and illegal interception of electronic communications had been filed against 13 suspects identified in court papers only as John Doe 1, John Doe 2, etc. Five computer servers and 29 Internet domain names were seized as part of the operation, described as the "most complete and comprehensive enforcement action ever taken by US authorities to disable an international botnet"... Coreflood, which exploited a vulnerability in computers running Microsoft's Windows operating systems, was used to steal usernames, passwords and other private personal and financial information, US officials said..."
- http://www.justice.g...11-crm-466.html
April 13, 2011 - More Than 2 Million Computers Infected with Keylogging Software as Part of Massive Fraud Scheme...

- http://krebsonsecuri...reflood-botnet/
April 14, 2011
- http://www.fbi.gov/c...en-connecticut/
April 13, 2011
___

- http://www.securewor...eats/coreflood/
June 2008

Edited by AplusWebMaster, 24 April 2011 - 10:53 AM.

[AplusWebMaster]

FYI...

RBN IP List... updated
- http://securehomenet...black-hole.html
March 20, 2011
> http://doc.emergingt...BusinessNetwork
26 Apr 2011
> http://doc.emergingt...sNetworkIPs.txt
25 Apr 2011

[AplusWebMaster]

FYI...

Zeus adds Investment Fraud...
- http://www.trusteer....print/node/1533
April 27, 2011 - "We recently discovered and investigated a very interesting new Zeus configuration sample that uses credible looking banner advertisements on major web sites to offer high rate of return investment opportunities. This attack is targeting some of the world’s leading and most trusted websites including: AOL, Amazon, Apple, CNN, Citibank, Forbes, ESPN, and many more. Adding investment fraud to its bag of tricks is a new twist for Zeus. These attacks have only one purpose – to lure users into investing their money through a very convincing and professional looking website, https ://ursinvestment .com, which is a fraud. We traced several examples of this configuration file to attacks on leading websites. In one case, the Zeus mechanism embeds banners on the targeted websites which -redirect- to https ://ursinvestment .com. We were surprised to see how well integrated the banner designs were with the attacked websites... The website is hosted on an IP address (178.18.243.227) that originates from Germany. Huan-jun-net, an unknown network, is responsible for hosting the website..."
(Screenshots and more detail available at the Trusteer URL above.)

- http://www.fbi.gov/n...e-and-terrorism
April 12, 2011 - "... The Booming Business of Botnets: ... The botnets run by criminals could be used by cyber terrorists or nation states to steal sensitive data, raise funds, limit attribution of cyber attacks, or disrupt access to critical national infrastructure. Today’s botnets are often modular and can add or change functionality using internal update mechanisms... Some criminals rent or sell their botnets or operate them as a specialized portion of an ad hoc criminal organization. At least one botnet kit author implemented a copy protection scheme, similar to major commercial software releases, which attempts to limit unauthorized use of the botnet kit. Botnets that specialize in data exfiltration are able to capture the contents of encrypted webpages and modify them in real time. When properly configured, criminals can ask additional questions at login or modify the data displayed on the screen to conceal ongoing criminal activity. Criminals purchase the base kits for a few thousand dollars and can pay for additional features to better target specific webservices..."

Edited by AplusWebMaster, 01 July 2011 - 11:39 AM.