
Pandemic of the botnets 2008


37 replies to this topic

#1 AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 19 March 2008 - 08:16 PM

FYI...

- http://preview.tinyurl.com/34jw2j
March 16, 2008 (USAtoday) - "...The botnet problem shows no sign of easing. Security firm Damballa pinpointed 7.3 million unique instances of bots carrying out nefarious activities on an average day in January -- an astronomical leap from a daily average of 333,000 in August 2006. That included botnet-delivered spam, which accounted for 91 percent of all e-mails in early March, up from 64% last June, says e-mail management firm Cloudmark... smaller, multipurpose botnets spring from widely available tool kits that make it easy for anyone to infect computers, assemble a basic botnet and embark on a criminal career. Dozens of crime rings, for instance, have cropped up to run phishing scams that lure victims into clicking on fake Web pages where they get tricked into divulging passwords and other sensitive data.
Botnets distribute phishing spam, host phishing Web pages and store phished data. Since 2005, phishers have used botnets to take aim at more than 1,750 companies and government agencies, mainly financial institutions, including 106 fresh targets in the fourth quarter of 2007, according to a survey by security data firm Cyveillance. Phishing expeditions are just one of many uses of botnets.
Some botnets crawl the Internet looking for Web pages that can be corrupted with pop-up ads selling fake anti-spyware; some implant programs on popular Web pages to harvest any sensitive personal data typed there by visitors; some repeatedly click on online advertisements to earn fraudulent "click through" revenue... Numerous indicators portend botnets are destined to increasingly corrupt consumer online transactions and range deeper into corporate and government networks..."

Botnet activity from around the world over a 7 day period
- http://damballa.com/...ctive_bots.html
(Flash video)

:ph34r: :ph34r: :ph34r:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#2 AplusWebMaster

Posted 21 March 2008 - 09:05 PM

FYI...

Russians offer cash for zombies on the Web
- http://www.brisbanet...5602625560.html
March 21, 2008 - "Hackers are paying top dollar on international blackmarkets for computers from Australia that have been unknowingly hijacked and infected with spyware. A Russian malware distribution site offers $US100 for a haul of 1000 spyware-infected Australian machines, double the price offered for US machines and 30 times more than those from Asia... The Russian site, InstallsCash, offers to pay unscrupulous website operators for every 1000 machines they infect with spyware. All the website operator has to do is insert a line of code into their web page, and anyone visiting that site is infected with spyware. For instance, someone could load the code on to their website and if the site is viewed by 100,000 Australians in a day, the site operator could earn up to $10,000 in one hit, assuming all viewers are infected. Infected machines are then added to a "botnet" controlled by InstallsCash, and the party responsible for the infection is paid accordingly..."

:ph34r:



#3 AplusWebMaster

Posted 28 March 2008 - 06:24 AM

FYI...

- http://preview.tinyurl.com/338nxq
March 27, 2008 (TrendLabs blog) - "...Interesting malware attack that seems to be (at first blush) related to the previous Banamex phishing e-mails reported last January and earlier this month. Similar to the past attacks, this malware aims to steal money by targeting customers of Banamex, the largest e-Bank in Mexico. However, instead of using the DNS poisoning method as the past attacks did, this malware uses a script to change the user’s DNS settings, and also installs a botnet client that is hosted at an IRC server in a U.S. hosting provider. Based on Tello’s analysis, the infection chain is usually initiated by a fake greeting e-card that a user receives via email. This e-card contains a link, which when clicked downloads the malicious file Gusanito.exe... Trend Micro detects this file as BKDR_VBBOT.AE. The difference between this new attack and the previous attacks is that, this time around, the malicious downloaded executable does not poison the user’s HOSTS file or the local router’s DNS table. Instead, it changes the DNS from the affected user’s computer... As of this writing, there are over ~650 bots already connected to this botnet C&C (Command & Control Server) and they are most probably sending out tons of fake greeting e-cards at this very moment... The malicious link has already been submitted to Trend Micro Content Security team for processing and blocking. The appropriate law enforcement and content providers have also been alerted to this, as well."

:angry: :ph34r:



#4 AplusWebMaster

Posted 28 March 2008 - 12:08 PM

FYI...

- http://asert.arborne...s-and-insights/
March 27, 2008 - "...I don’t get to spend much time digging into big, widespread attacks or specialized exploits. However, here’s a few links from my reading this morning that help keep me informed since I can’t spend all of my time digging too deeply into every event.
- ...botconomics... basically how the botnet world has been fueling a large-scale underground economy. Have a look:
http://www.vnunet.co...s-offer-dollars ...
"...Code is typically first added to a web page which may be a phishing site, a hacked site, a site hosted on a web server or even a botnet-hosted web page. Instructions are then issued to the offending botnet computers to visit the page, then download and execute the code. Once the spyware is installed, it registers with the 'seller' and the 'affiliate' is then paid. MessageLabs explained that a simple line of code can be added to an HTML page that will in turn cause a drive-by install of spyware to the computers of any visitors to that site..."

:ph34r: :angry: :ph34r:



#5 AplusWebMaster

Posted 07 April 2008 - 02:41 PM

Botnets 2008 - new - "Kraken"

Kraken technical details
- http://isc.sans.org/...ml?storyid=4256
Last Updated: 2008-04-07 20:22:36 UTC - "...<Begin Commentary> If you are going to be in the malware / security research business, it is nice to let the security community know when you find what you believe to be new malware. </End Commentary>..."
(More detail at the ISC URL above.)

- http://www.theregist..._botnet_menace/
7 April 2008 - "... It comprises over 400,000 infected machines, more than twice the size of Storm, which was previously believed to be the largest zombie network. Machines from at least 50 Fortune 500 companies have been observed to be running the malicious software that's at the heart of "Kraken," the botnet that security firm Damballa has been tracking for the last few weeks. So far, only about 20 percent of the anti-virus products out there are detecting the malware..."

:ph34r:



#6 AplusWebMaster

Posted 08 April 2008 - 07:11 AM

Update:

- http://isc.sans.org/...ml?storyid=4256
Last Updated: 2008-04-07 - "... The md5 that Damballa is saying is associated with this malware is MD5: 1d51463150db06bc098fef335bc64971. I'm working with a copy from Project Malfease and will have an analysis later. A Virus Total scan of this binary came back as 5/32 (with the 5 that did detect doing so in non-descript ways like "suspicious file")."

:ph34r:



#7 AplusWebMaster

Posted 08 April 2008 - 08:51 AM

Update #2

- http://isc.sans.org/...ml?storyid=4256
UPDATE 2 (4/8/2008 - 13:29 UTC): First things first, Emerging Threats has some test signatures to detect this botnet C&C traffic. You can see them here*. There are some Threat Expert reports on related malware that should give you a good list of hostnames to work with for right now..."
* http://doc.emergingt...ew/Main/OdeRoor

(More links to detailed analysis available at the ISC URL above - bottom of page there.)

:ph34r:



#8 AplusWebMaster

Posted 08 April 2008 - 12:49 PM

More on "Kraken":

- http://preview.tinyurl.com/6ff7lx
April 8, 2008 (Brian Krebs) - "...In the early days of bot infections, botmasters would have all of their infected PCs report to a particular Internet server to receive updates and instructions on what to spam or whom to attack. But those stationary control servers represent a single point of failure for botmasters: If security professionals can get them taken offline, the botmaster can lose control over his herd of infected machines, as the individual bots no longer know where to go to receive instructions and become stranded indefinitely, sort of like sheep without a shepherd. As a result, many botmasters have switched to using dynamic DNS because these services eliminate this single point of failure. Using dynamic DNS, the botmaster simply tells his bots to report to a particular domain name he controls, such as example.com, and the dynamic DNS provider takes care of making sure all infected machines know how to find the control server... Kraken also uses dynamic DNS services, but adds a twist: The authors include in the genetic makeup of the bot hidden instructions for finding brand new Web site names on the fly. Should security professionals or the dynamic DNS provider succeed in shutting down the domain name used to control the botnet, Kraken randomly creates another one, using an encryption routine built into the bot code... the advice is the same: Use anti-virus, but don't depend on it to save you from risky behaviors online. Use a firewall, keep your computer and third-party software up-to-date with the latest security patches. Don't click on links sent to you unexpectedly in e-mail or instant message... configure your computer so that you run it under a limited user account for everyday use..."

:ph34r:



#9 AplusWebMaster

Posted 08 April 2008 - 09:41 PM

More "Kraken"...

- http://asert.arborne...msft-bulletins/
April 8, 2008 - "Kraken, the spam botnet on everyone’s minds, has soaked up a good bit of our Monday evening and today. We’re going with the popular name and dubbing it Trojan.Kraken. In short, what we know and what we don’t know:
* It’s unclear if this is a variant of Bobax or Srizbi, or something new.
* A lot of the C&Cs are dead
* We analyzed samples going back through last year
* It’s a spam botnet, doesn’t appear to harm the host otherwise
* We don’t know how big it is
We’ve spent a lot of time in ASERT in the past day dissecting samples, gathering data from the community, and looking at our own analysis. Here are some brief notes:
* It drops a file in %SYSTEM32% with a random name (lowercase characters, 2-20 characters). It sets the following registry keys to ensure it runs:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"" =C:\WINDOWS\system32\[%random_name%].exe
"" =C:\WINDOWS\system32\[%random_name%].exe

Where the random name is between 2 and 20 characters long.
* It picks a random string of lowercase characters for a service title
* It communicates with over 150 command nodes (if they all were to resolve) for instructions and templates using UDP port 447; we’re not sure if the replies are source-spoofed or not...

AV detection for the samples varies, but the naming isn’t consistent. This doesn’t appear to be the bot that ate the Internet, however, but it does go to show you that spambots are becoming a serious problem..."

:ph34r:

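Turning the ASERT indicators quoted in the post above into a defender's triage check, as an added example that is not part of the post or of ASERT's own tooling: the Run-key pattern (empty value name, a 2-20 lowercase-letter .exe in system32) and one internal host fanning out on UDP/447 to many peers, run over constructed sample data. The allow-list, the flow line format and all addresses are assumptions.

```python
import re

# Heuristic from the ASERT notes quoted above: a Run entry with an empty value
# name whose data is C:\WINDOWS\system32\<2-20 lowercase letters>.exe.
RUN_ENTRY = re.compile(r"^C:\\WINDOWS\\system32\\([a-z]{2,20})\.exe$")

# Constructed sample (value name, data) pairs as they might appear under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Not real host data.
RUN_VALUES = [
    ("", r"C:\WINDOWS\system32\qzxrtkl.exe"),
    ("SoundMAX", r"C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"),
    ("", r"C:\WINDOWS\system32\wb.exe"),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]

# Legitimate system32 binaries that happen to fit the lowercase pattern.
# Assumption: a real deployment maintains a fuller allow-list than this.
KNOWN_GOOD = {"ctfmon"}


def suspicious_run_entries(values):
    """Return the data of Run entries matching the Kraken persistence pattern."""
    hits = []
    for name, data in values:
        m = RUN_ENTRY.match(data)
        if m and name == "" and m.group(1) not in KNOWN_GOOD:
            hits.append(data)
    return hits


# Constructed flow records "src dst proto dport" (not captured traffic).
# Assumption: whatever exports the flows produces this simple line format.
FLOWS = """\
10.0.0.12 198.51.100.20 udp 447
10.0.0.12 198.51.100.21 udp 447
10.0.0.12 203.0.113.5 udp 447
10.0.0.12 192.0.2.10 tcp 80
10.0.0.33 198.51.100.20 udp 53
10.0.0.40 198.51.100.22 udp 447
""".splitlines()


def udp447_talkers(flows, min_peers=2):
    """Map internal hosts to the number of distinct peers they reach on UDP/447.

    The post describes bots polling over 150 command nodes on UDP 447, so a
    single host fanning out to many UDP/447 peers is the signal; a lone
    connection (10.0.0.40 here) stays below min_peers and is not reported.
    """
    peers = {}
    for line in flows:
        src, dst, proto, dport = line.split()
        if proto == "udp" and dport == "447":
            peers.setdefault(src, set()).add(dst)
    return {src: len(p) for src, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    print("Run-key hits:", suspicious_run_entries(RUN_VALUES))
    print("UDP/447 fan-out:", udp447_talkers(FLOWS))
```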


#10 AplusWebMaster

Posted 11 April 2008 - 10:38 AM

FYI...

- http://www.staysafeo...elease0408.html
April 9, 2008 - "...The National Cyber Security Alliance (NCSA) announced study findings that 71 percent of consumers lack the knowledge on cyber criminals’ weapon of choice and the Internet’s fastest growing threat – botnets... Compelling findings from the study* include:
* 71 percent have never heard the phrase “botnet” – the weapon of choice for cyber criminals
* 59 percent think it is not likely their computer could affect homeland security
* 47 percent believe it is -not- possible for a hacker to use your computer to launch cyber attacks or crimes against other people, businesses and our nation
* 51 percent have not changed their password in the past year
* 48 percent do not know how to protect themselves from cyber criminals
* 46 percent of consumers are not sure of what to do if they became a victim of a cyber crime...
2,249 online consumers between the ages of 18 and 65 were surveyed using the online panel managed by Harris Interactive..."

:oops: :huh: :unsure:




#11 AplusWebMaster

Posted 17 April 2008 - 07:07 PM

FYI...

- http://preview.tinyurl.com/5qk4lk
April 9, 2008 SANS-NewsBites - "Research presented at the RSA conference estimates that the largest eleven botnets cumulatively control more than one million machines and are capable of sending out 100 billion spam emails each day. The largest botnet is believed to be one known as Srizbi, controlling an estimated 315,000 machines; Bobax claims an estimated 185,000 machines, and Storm comprises about 85,000 compromised machines. The research also aims to clarify which botnets are which, as some recent reports have said that Kraken is the largest botnet, comprising more than 400,000 machines, but Kraken is believed to be another name for Bobax."

:ph34r: :ph34r:



#12 AplusWebMaster

Posted 18 April 2008 - 10:01 AM

FYI...

Loads.CC Bot still live...
- http://asert.arborne...still-targeted/
April 17, 2008 - "Enough has been written about the Loads.CC team to probably give you enough of a picture that you need to know. Some reports suggested they went away, but they didn’t. They’re still active. See these reports by RBN exploit*, CIO magazine**, 2-viruses.com***, this PC Week article**** by Scott B, and Adam T for a good background. The team is still quite active. They came up in some analysis earlier this week when we looked at an infection chain. I started digging and found that they’re still churning out new malware install sites with great regularity..."

* http://rbnexploit.bl...-and-their.html

** http://www.cio.com/a...Second_Unfolds_

*** http://www.2-viruses...ers-for-hackers

**** http://www.pcworld.c...rs/article.html

(Activity charts - see the ArborNetworks URL above.)

:ph34r:



#13 AplusWebMaster

Posted 21 April 2008 - 12:36 PM

FYI...

Bot counts
- http://www.shadowser...Stats.BotCounts
20 April 2008 - "... Because there is not any consensus on what that lifespan might be, we have created an entropy value for all of our counts. We actually implemented it in the middle of 2007 to deal with the rampant increase of our bot/infected system counts. We realized that we may have artificially inflated the numbers that we were presenting. We suspect a lot of the values that are seen in the press or the many security reports are inflated for the same reasons.

We have three entropy values that we present for each of our graphs. The first is the one that we have been using since we started aging the data, which is a 30-day entropy. This assumes that if no activity on a specific IP was seen within 30 days, that IP should be considered dead for the purposes of counting infected systems. To further this analysis, we have also added 10-day and 5-day entropy charts to reflect even smaller expected lifespans of an infected system. We do not know what the correct value may be, but we suspect it is somewhere between the 10-day and 30-day charts."

(Charts available at the URL above.)

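The Shadowserver aging scheme quoted in the post above, as an added example that is not Shadowserver's code: a raw (never-expire) bot/IP count beside 30-, 10- and 5-day entropy counts, computed over a constructed sighting log so the inflation of the un-aged number is visible. The sighting log and the reference date are made up.

```python
from datetime import date, timedelta

# Constructed sighting log: (infected IP, date a sensor last saw it active).
# These are made-up values for illustration, not Shadowserver data.
SIGHTINGS = [
    ("198.51.100.7", date(2008, 4, 19)),
    ("198.51.100.7", date(2008, 3, 1)),   # same IP, older sighting
    ("203.0.113.42", date(2008, 4, 12)),
    ("203.0.113.9", date(2008, 4, 3)),
    ("192.0.2.88", date(2008, 3, 25)),
    ("192.0.2.15", date(2008, 2, 10)),    # long dead by any window
]

# Reference date chosen to match the date of the quoted Shadowserver note.
AS_OF = date(2008, 4, 20)


def last_seen(sightings):
    """Collapse the raw log to the most recent sighting per IP."""
    latest = {}
    for ip, seen in sightings:
        if ip not in latest or seen > latest[ip]:
            latest[ip] = seen
    return latest


def active_count(sightings, as_of, window_days):
    """Count IPs seen within the last window_days ending at as_of.

    An IP whose last sighting is older than the window is treated as dead,
    which is the post's entropy rule; the cutoff day itself is excluded.
    """
    cutoff = as_of - timedelta(days=window_days)
    return sum(1 for seen in last_seen(sightings).values() if seen > cutoff)


def entropy_report(sightings, as_of, windows=(30, 10, 5)):
    """Raw (never-expire) count beside the aged count for each window."""
    report = {"raw": len(last_seen(sightings))}
    for w in windows:
        report[w] = active_count(sightings, as_of, w)
    return report


if __name__ == "__main__":
    print(entropy_report(SIGHTINGS, AS_OF))
```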


#14 AplusWebMaster

Posted 22 April 2008 - 05:19 AM

FYI...

China's botnet problem grows
- http://www.securityfocus.com/brief/726
2008-04-21 - "Computers infected by Trojan horse programs and bot software are the greatest threat to China's portion of the Internet, with compromises growing more than 20-fold in the past year, the nation's Computer Emergency Response Team (CN-CERT) stated in its 2007 annual report released last week. The response organization found that the number of Chinese Internet addresses with one or more infected systems increased by a factor of 22 in 2007. The report... estimates that, of 6.23 million bot-infected computers on the Internet, about 3.62 million are in China's address space. Trojan horse programs are responsible for a range of issues, from privacy breaches to economic losses, CN-CERT said in the report... A nod to Dancho Danchev's blog*, which first noted the release of the report..."
* http://ddanchev.blog...eport-2007.html

:ph34r:



#15 AplusWebMaster

Posted 13 May 2008 - 09:52 AM

FYI...

- http://www.techworld...amp;pagtype=all
09 May 2008 - "...Having compromised 300,000 PCs around the world, it was now sending out an estimated 60 billion spam emails per day on “watches, pens, male enlargement pills”, a torrent that consumed huge amounts of processing power to keep in check. “Srizbi now produces more spam than all the other botnets combined.” said Marshal’s Bradley Anstis... “Microsoft recently announced its success combating the Storm botnet with their Malicious Software Removal Tool (MSRT). The challenge now is for the security industry to collectively turn its sights on Srizbi and the other major botnets. We look forward to seeing Microsoft target Srizbi with MSRT in the near future,” said Marshal's Anstis."
* http://www.marshal.c...asp?article=646

:ph34r:

