Pandemic of the botnets 2009


55 replies to this topic

#1 AplusWebMaster


Posted 07 January 2009 - 11:20 AM

FYI... Please do NOT visit the sites mentioned in the article!

Russia: Opposition Websites and DDoS
- http://asert.arborne...sites-and-ddos/
January 6, 2009 - "We’re again seeing reports about political DDoS targets within Russia. This time we saw it mentioned in the blog post Russian Opposition Websites Shut Down By Attacks* from the blog The Other Russia. And again we have data to support the claims. The site www .grani .ru has come under attack from two Black Energy botnets. One of them is well known to many of us, “candy-country .com”, and the other is relatively new on the scene, 22×2x2×22 .com. Both are hard at work with HTTP floods against the site.
Kasparov .ru is back in the news and again being targeted by Black Energy botnets. 22×2x2×22 .com is striking the site, as well as the well known BE botnet ad .yandexshit .com.... the website of MSK radio, echo .msk .ru, is also under attack by these two botnets. Voices of dissent again being quieted by force.
At least some of these bots participated in the recent DDoS attacks between Russia and Georgia, but they’ve also struck non-political targets quite a bit in the past year or so. Escort sites, gambling sites, etc. Politics is a rough sport in Russia, and the use of DDoS to silence the opposition’s website shows the power of the web in getting a voice out, its value in being silenced, and possibly what’s to come in the future."
* http://preview.tinyurl.com/8nff8b

:ph34r: :ph34r:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#2 AplusWebMaster


Posted 10 January 2009 - 05:07 AM

FYI...

2008 H2 Fast Flux Data Analysis
- http://asert.arborne...-data-analysis/
January 8, 2009 - "... Comparison and Trends
We’re seeing two trends of note with respect to 2008 with fast flux domain registrations and use. The first is the growth of .CN as a fast flux TLD. Most of the .CN domains we see registered and fluxing come through a registrar like BIZCN, whom we now treat with some suspicion. This could be due to them being negligent or completely subverted, but either way we’re not surprised to see a BizCN registration of a fluxy .CN domain name. We also think that this rapid growth in .CN as a fluxing TLD may be due to a fire sale of .CN domain registrations that occurred late in 2008.
The second big trend over 2008 is the migration away from .COM and .CN to a lot more TLDs. As we noted in our paper earlier this year, by the middle of 2008 more TLDs were being used than had been seen in Thorsten’s previous paper. By the end of 2008 even more TLDs were in use. The long tail is getting longer, meaning more registrars have to be educated and empowered to respond to abuse notices with takedowns.
2008 was a very big year for fast flux service hosting, and we’ll continue to see it in 2009. We’re working with more people to analyze such botnets and track their activities, and we’ll be reporting it here."
(Info charts available at the URL above.)

:ph34r:



#3 AplusWebMaster


Posted 14 January 2009 - 05:04 PM

FYI...

SPAM bots - 2009...
- http://voices.washin...ill_we_get.html
January 13, 2009 - "The close of 2008 sounded the death knell for some of the most notorious spam networks on the planet. But already several new breeds of spam botnets - massive groups of hacked PCs used for spamming - have risen from the ashes, employing a mix of old and new tricks to all but ensure a steady flow of spam into e-mail boxes everywhere for many months to come... In its January Spam Report* (PDF), McAfee reports that while current spam levels have shown a significant increase in the last few weeks, they are still 40 percent lower than levels prior to the demise of McColo. Symantec, in its State of Spam report** (PDF) for January, says spam levels are now at 80 percent of their pre-McColo-shutdown levels."

* http://www.mcafee.co...eport_jan09.pdf

** http://eval.symantec...-2009.en-us.pdf

- http://www.theregist...otnets_of_2009/
14 January 2009

Spam Botnets to watch in 2009
- http://www.securewor...eat=botnets2009
January 13, 2009

- http://www.marshal.c...asp?article=843
January 12, 2009

:ph34r: <_<

Edited by AplusWebMaster, 17 January 2009 - 07:37 AM.



#4 AplusWebMaster


Posted 22 January 2009 - 06:38 AM

FYI...

Inauguration Themed Waledac - New Tactics & New Domains
- http://www.shadowser...lendar.20090119
January 19, 2009 - "...the Inauguration of Barack Obama and the Waledac trojan has been in full swing attempting to take advantage of the event. Since late last week the trojan has been blasting its way across the Internet with e-mails attempting to bring unwitting users to a page that looks a lot like the official Barack Obama website. The page is updated each day to appear to have a new blog entry... As always do NOT visit these domains as they are malicious and hosting exploit code... Click here* for a full listing of Waledac domains that we are aware of - this link will be updated as we get them. Your best bet is to block these domains or otherwise avoid them..."
* http://www.shadowser...dac_domains.txt
Updated 01-21-2009

:ph34r: <_<



#5 AplusWebMaster


Posted 25 January 2009 - 11:53 AM

FYI...

Full Waledac Domain Listing
- http://www.securityzone.org/?p=61
January 24, 2009 - "'Got the full list also being updated and posted on the Shadowserver website at the following URL:
http://www.shadowser...dac_domains.txt
Updated 01-25-2009 - 19:10 UTC

...Also, if you are interested in all things Waledac...
http://sudosecure.net/waledac/ "
Waledac Tracker Summary Data

- http://www.shadowser...lendar.20090124
January 24, 2009 - "...Add those to your block lists and do NOT visit them."

:ph34r:

Edited by AplusWebMaster, 26 January 2009 - 04:58 AM.



#6 AplusWebMaster


Posted 29 January 2009 - 07:11 AM

FYI...

Kyrgyzstan Under DDoS Attack From Russia
- http://preview.tinyurl.com/dfdf84
January 28, 2009 Secureworks blog - "Since January 18, 2009, the two primary Kyrgyzstan ISPs (www.domain.kg, www.ns.kg) have been under a massive, sustained DDoS attack almost identical in some respects to those that targeted Georgia in August 2008. Few alternatives for Internet access exist in Kyrgyzstan. With just two smaller ISPs left to handle the load, these attacks from Russian IP address space have essentially knocked most of the small, Central Asian republic offline. Some believe that this is a way to silence rhetoric from a new and relatively powerful opposition coalition whose primary aim is the removal of current government officials, especially Kyrgyz President Kurmanbek Bakiyev, and a break from the administration's policies. On the other hand, others think these attacks are part of a Russian campaign to pressure Kyrgyz President Kurmanbek Bakiyev to close US access to a key airbase, which intensified on the same day as the DDoS attacks. That airbase is a key resource in the war against Islamist militants in Afghanistan... The use of cyber militias puts distance between the Russian government and shelters it from culpability for the peacetime use of information warfare tactics. There is often a combination of motives... With modern worms capable of quickly building 1+ million strong botnet armies, will we have countermeasures and contingency plans in place when the crosshairs lock on to our own infrastructure?"

Russian 'cybermilitia' knocks Kyrgyzstan offline
- http://preview.tinyurl.com/akct9k
January 28, 2009 (Computerworld)

- http://atlas.arbor.net/
"...We are investigating ongoing DDoS issues in Kyrgyzstan..."
- http://atlas.arbor.net/summary/dos

:ph34r: :ph34r:



#7 AplusWebMaster


Posted 30 January 2009 - 06:15 PM

FYI...

Asprox goes phishing again
- http://www.shadowser...lendar.20090129
29 January 2009 - "The first time around with Asprox, we saw a little bit of phishing. The question with any botnet is "how do they make money off of this?" Phishing is certainly one way. Renting your botnet out to a phishing organization is probably an even better way. Much less risk for you, Mr. Botnet Herder. Today we saw a template update to the drones... Once you fill in some details, your form is submitted to <asprox node>... then your browser is redirected to the homepage of the real bank site. With Asprox's template capabilities, I imagine we'll see more of this."

(Screenshot and more detail available at the URL above.)

:ph34r: <_<



#8 AplusWebMaster


Posted 31 January 2009 - 07:59 AM

FYI...

Trojan: W32/Waledac
- http://atlas.arbor.n...index#-47237018
Severity: High Severity
Published: Friday, January 30, 2009 14:30
"We have been tracking a new variant of the storm worm for the past month, approximately. This new version, dubbed Waledac, is a new rewrite of the Storm worm's engine but uses the same back end. Nodes are infected through malicious websites and join a P2P managed botnet using HTTP. Once infected, nodes send spam messages related to new infection lures and to pharmacy spam. The botnet also creates a fast flux service network.
Analysis: This is a high severity threat and we have been working with various teams to help dissect the botnet. We do not anticipate that it will be resolved soon.
Source: Trojan:W32/Waledac.gen - http://www.f-secure....ledac_gen.shtml
Source: Trojan:W32/Waledac.A - http://www.f-secure....waledac_a.shtml "

:(



#9 AplusWebMaster


Posted 03 February 2009 - 06:17 AM

FYI...

UkrTeleGroup shutdown...
- http://news.softpedi...wn-103400.shtml
31 January 2009 - "UkrTeleGroup, a notorious ISP based in Ukraine, has been depeered by its uplink provider. In addition to the vast malicious activity originating from its address space, the ISP was also hosting the rogue DNS servers used by the Zlob (DNSChanger) family of trojans. Brian Krebs, journalist at The Washington Post, who also maintains the Security Fix blog, reports* that UkrTeleGroup Ltd. has been known to be involved in online criminal activity since as far back as 2005. As a result, security experts, from the likes of McAfee or the Internet Storm Center**, have recommended blocking all traffic from the IP block owned by the Ukrainian company. The Miami-based FPL FiberNet, which is part of the FPL Group, took the decision to terminate the contract with one of its customers, who was providing uplink to UkrTeleGroup, after receiving a complaint from its own service provider, including an inquiry from Mr. Krebs... The DNSChanger computer trojan comes in many variants, but all of them exhibit the same core concept of forcing the infected computers to use rogue DNS servers. These types of servers are used by computers to resolve domain names to IPs and the gang behind the trojan has proved particularly innovative in finding new ways to hijack them. While the original DNSChanger version was doing nothing more than modifying the Windows HOSTS file in order to override legit DNS responses, its latest mutations are capable of breaking into LAN routers and modifying their settings or hijacking DNS requests from wireless clients and poisoning the replies... Some researchers are pointing out that the DNSChanger gang started migrating its servers away from the UkrTeleGroup to other more difficult to reach ISPs in Eastern European countries, such as Latvia, a month ago. But even so, the take down of UkrTeleGroup is bound to hinder the operations of other cyber criminal groups, who used its services to host phishing websites or malware distribution servers.
This latest win for the security community comes after other similar efforts led to the shut down, in 2008, of Atrivo/Intercage, a hosting provider affiliated with the notorious Russian Business Network, or the depeering of the infamous McColo ISP, which served as home for the command and control servers of many of the world's largest spam-sending botnets. ICANN terminating the accreditation of the EstDomains, the favorite domain registrant of cyber criminals, represented an important victory as well."

* http://voices.washin...ost_sideli.html

** http://isc.sans.org/...ml?storyid=5434

:ph34r:



#10 AplusWebMaster


Posted 10 February 2009 - 05:52 AM

FYI...

Botnet controllers for sale
- http://sunbeltblog.b...s-for-sale.html
February 09, 2009 - "... Now, we see a development shop boasting about its work on malware. Sniffing around an iframedollars trojan, we saw a GET request to promake.me. This resulted in an additional trojan being downloaded..."

(Screenshots available at the URL above.)

:ph34r: :ph34r:




#11 AplusWebMaster


Posted 12 February 2009 - 06:53 AM

FYI...

Multiple botnets spread Valentine's Day SPAM/malware
- http://preview.tinyurl.com/azlcnw
2009-02-11 - E-week.com "...Researchers at Marshal8e6* have seen three distinct campaigns from three different botnets, as well as spam attacks from botnets they have not yet identified. Most of the Valentine's Day-related spam is coming from Waledac, which appeared on the scene late in 2008. Security pros now believe the botnet is the work of the minds behind the infamous Storm botnet that made headlines in 2007. After being targeted by Microsoft's Malicious Software Removal Tool, Storm limped through most of 2008 before disappearing completely in September... In its place came Waledac, which emerged in December with a blended threat Christmas e-card campaign. Like Storm, Waledac uses a peer-to-peer connection model with fast-flux DNS (Domain Name System) hosting and encrypted communications. Today, researchers speculate that Waledac may comprise as many as 20,000 bots... In addition to Waledac, the Pushdo botnet and others have joined in with their own Valentine's Day campaigns..."
* http://marshal.com/t...asp?article=870
Last Reviewed: February 11, 2009 - "...Please be wary this Valentine’s day and err on the side of caution. Avoid opening Valentine’s day e-card messages unless you can clearly identify and trust the sender."

:ph34r: :ph34r:



#12 AplusWebMaster


Posted 12 February 2009 - 12:28 PM

FYI...

Joint Effort at Conficker Disruption
- http://www.shadowser...lendar.20090212
12 February 2009 - "Today Microsoft announced a cooperative effort that has been underway to actively disrupt and contain the Conficker worm outbreak. The Shadowserver Foundation is honored and pleased to be part of this effort which is truly the first of its type. This project brings together those organizations that can effect change at the domain level where the botnet traditionally anchors itself... If these domains can be identified, and have their DNS pointed to a friendly server instead of the C&C, you accomplish several good things. First, you've essentially crippled the botnet, and second you're now able to identify all the infected drones trying to connect to the C&C since they are now attempting connections to that friendly server. Shadowserver has employed various processes to identify the domain names, act as that friendly server, and enumerate the orphaned drones. We add this data to our freely distributed report process which notifies the appropriate network operators that there are infected machines on their network. In the case of Conficker/Downadup, we've actually been watching this for some time, and playing the role of a 'friendly' server for over a month... We at Shadowserver are very hopeful that this effort is foundational, one that will gain traction and attention from those organizations that can make a difference. The issue now is truly global. The botnet scourge is monumental. It requires worldwide coordination and cooperation among industry, government, and law enforcement. Working in silos and in isolation won't work any longer. As a non-profit, vendor-neutral organization, Shadowserver is committed to this effort and in working with other groups dedicated to improving the safety of the Internet..."

- http://www.microsoft...onfickerPR.mspx
Feb. 12, 2009

- http://preview.tinyurl.com/aaoefb
02-12-2009 Symantec Security Intel Analysis Team

- http://preview.tinyurl.com/ah9neb
February 12, 2009 (Computerworld)

Third party information on conficker
- http://isc.sans.org/...ml?storyid=5860
Last Updated: 2009-02-13 06:45:53 UTC - "(This will be updated as more information becomes public)... Removal Instructions, Removal Tools..." etc.

- http://atlas.arbor.n...index#847040090
February 13, 2009 - "Microsoft has announced that it has been working with various industry partners, Arbor Networks included, to thwart the use of the domain names generated by the Conficker worm to block the attacker from making updates to the worm. Sinkholes are being coordinated to identify infected hosts and to share the data with the necessary parties, as well.
Analysis: This is an unprecedented move and should help keep the worm from growing into a larger problem. The worm continues to spread and the population has grown to as many as 12 million or more..."

:ph34r:

Edited by AplusWebMaster, 15 February 2009 - 07:33 PM.



#13 AplusWebMaster


Posted 03 March 2009 - 01:24 PM

FYI...

Waledac coupon campaign & updated Domain List
- http://www.shadowser...lendar.20090302
March 02, 2009 - ".... The domains are kept updated at the following URL:
http://www.shadowser...dac_domains.txt
Waledac Domain List - Updated 03-01-2009...
We have also introduced a new URL which is all of the Waledac domains in alphabetical order with no comments or anything else. It currently has 143 domains on it and can be reached via the following URL:
http://www.shadowser...aledac_list.txt
These should both be updated at the same time from now on as we add new ones to the list. Please use the domains as you see fit for detecting malicious activity and proactive blocking...
New Theme & Exploits
In the last week or so too, you may have noticed that Waledac recently moved to a new theme about the Economic Crisis and having downloadable coupons. This is just the latest social engineering lure to attempt to get users to install the trojan on their system. Additionally, for some time now, Waledac has been linking to exploit code that it hosts itself. Lately the domain involved seems to frequently be "chatloveonline .com" with an iframe pointing to it and the URL "/tds/Sah7". So be on the lookout and don't visit Waledac domains to avoid the exploits."

:ph34r: :ph34r:

Edited by AplusWebMaster, 03 March 2009 - 01:24 PM.



#14 AplusWebMaster


Posted 07 March 2009 - 04:11 AM

FYI...

Conficker variant - new domain algorithm generates 50,000-a-day...
- http://preview.tinyurl.com/aegncn
03-06-2009 (Symantec Security Response Blog) - "Symantec’s ongoing monitoring of Downadup (a.k.a. Conficker) has today resulted in the observation of a completely new variant being pushed out to systems that are already infected with Downadup. After taking into account the hype surrounding some other recent reports of variants* of Downadup, Symantec is calling this new variant W32.Downadup.C. Our analysis of the sample in question is still ongoing and at an early stage, but our initial findings have already revealed some interesting new attributes for this sample. It does not seem to be using any existing or new means to spread the threat to new machines. It is targeting antivirus software and security analysis tools with the aim of disabling them... Downadup authors have now moved from a 250-a-day domain-generation algorithm to a new 50,000-a-day domain generation algorithm. The new domain generation algorithm also uses one of a possible 116 domain suffixes... The most effective step that organizations and end users can take is to ensure that their computers have up-to-date antivirus software and patches."

* https://forums2.syma...ant/ba-p/391186
02-23-2009 - "... new variant of Downadup (a.k.a. Conficker), which has been dubbed Downadup.B++ or Conficker.C... one could categorize Downadup into three variants..."

W32.Downadup.C
- http://www.symantec...._...-99&tabid=2
Updated: March 6, 2009 10:38:28 PM
Updated: March 7, 2009 5:30:25 PM
Updated: March 8, 2009 9:23:42 AM
Updated: March 11, 2009 4:12:59 PM
Type: Trojan, Worm
Infection Length: 88,576 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

:angry: :ph34r:

Edited by AplusWebMaster, 11 March 2009 - 02:53 PM.



#15 AplusWebMaster


Posted 12 March 2009 - 09:25 AM

FYI...

- http://blog.trendmic...ates-more-urls/
Mar. 11, 2009 - "... yet another variant of the infamous DOWNAD family... DOWNAD (also known as Conficker) is one of the more destructive outbreak worms in the Web threat era, with numbers matching that of giant botnets Storm and Kraken... The two earlier DOWNAD worms, as of this month, have already infected a million PCs based on Trend Micro’s World Virus Tracking Center... Security researchers estimate the global infection at around nine million PCs... added features include the increased number of generated domains, from the 250 generated by the earlier variants to 50,000. While the worm only attempts to connect to around 500 randomly selected domains at a time, this modification is seen as an effort to add survivability to the DOWNAD botnet... blocking these domains is almost impossible not only because of the daily volume, but also because there is a high possibility of legitimate domain collisions where DOWNAD generates domains already in use by legitimate entities. Like the other DOWNAD worms, this new variant also blocks access to antivirus-related sites, as well as terminates security tools..."

W32.Downadup.C
- http://www.symantec...._...-99&tabid=2
Updated: March 11, 2009 - "... If the date and time is on or after 1st April 2009, it uses the date information to generate a list of domain names..."

:ph34r: :angry: :ph34r:

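Two defender-side checks that follow from the Shadowserver block-list posts (#5, #13) and the Conficker.C domain-generation reports (#14, #15), as an added Python example that is not code from this thread or from any of the quoted sources. The resolver-log format, the sample lines, the list entries other than the one domain the thread itself names, and the thresholds are all constructed for illustration.

```python
"""Added example; not code from the thread or from Shadowserver/Symantec/Trend Micro.
Two resolver-log checks drawn from the quoted posts: (1) hits against a Waledac-style
block list (one domain per line, comments allowed, possibly "defanged" with a space
before the TLD as this thread writes them); (2) clients whose NXDOMAIN answers spread
over many distinct registered domains in a short window, the footprint a Conficker.C
drone leaves when it tries a few hundred of its 50,000 daily generated names.
Log format, sample lines, list contents and thresholds are all constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed list in the thread's defanged style; "chatloveonline .com" is the one
# name the thread itself mentions, the other entry is made up.
BLOCKLIST_TEXT = """\
# comments and blank lines are ignored
chatloveonline .com
example-ecard-lure .net
"""

# Constructed resolver log: "<ISO timestamp> <client IP> <qname> <rcode>".
LOG_LINES = [
    "2009-04-01T09:25:01 10.0.0.5 www.chatloveonline.com NOERROR",
    "2009-04-01T09:25:02 10.0.0.7 mail.example.org NOERROR",
    "2009-04-01T09:25:03 10.0.0.7 mial.example.org NXDOMAIN",  # typos, not a drone
    "2009-04-01T09:25:04 10.0.0.7 exmaple.org NXDOMAIN",
] + [  # one client burning through unresolvable pseudo-random names in seconds
    f"2009-04-01T09:26:{i:02d} 10.0.0.9 {name} NXDOMAIN"
    for i, name in enumerate(["qwvkzrl.info", "hpxnd.biz", "ytrmqlo.org", "bzkwe.net",
                              "lopvqa.info", "mxcfdrt.com", "wuevza.ws", "gplxd.cc"])
]

def normalise(domain: str) -> str:
    """Refang 'chatloveonline .com' -> 'chatloveonline.com'; lower-case, no trailing dot."""
    return domain.replace(" .", ".").replace("[.]", ".").strip().lower().rstrip(".")

def load_blocklist(text: str) -> set:
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.add(normalise(line))
    return entries

def blocked(name: str, blocklist: set) -> bool:
    """True if the name or any parent domain (never the bare TLD) is listed."""
    labels = normalise(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))

def registered_domain(name: str) -> str:
    """Last two labels: an offline stand-in for a public-suffix lookup."""
    return ".".join(name.split(".")[-2:])

def parse(line: str):
    ts, src, qname, rcode = line.split()
    return datetime.fromisoformat(ts), src, normalise(qname), rcode

def blocklist_hits(lines, blocklist):
    """(client, qname) pairs that looked up a listed domain or a subdomain of one."""
    return [(src, q) for _, src, q, _ in map(parse, lines) if blocked(q, blocklist)]

def dga_suspects(lines, window=timedelta(seconds=60), min_domains=5):
    """Per client, slide a time window over its NXDOMAIN answers; report the largest
    count of distinct registered domains in any window that reaches min_domains.
    Typos yield one or two; a DGA burst yields many, whatever the names look like."""
    nx = defaultdict(list)
    for ts, src, q, rcode in map(parse, lines):
        if rcode == "NXDOMAIN":
            nx[src].append((ts, registered_domain(q)))
    suspects = {}
    for src, events in nx.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {d for _, d in events[start:end + 1]}
            if len(distinct) >= min_domains:
                suspects[src] = max(suspects.get(src, 0), len(distinct))
    return suspects

if __name__ == "__main__":
    print("block list hits:", blocklist_hits(LOG_LINES, load_blocklist(BLOCKLIST_TEXT)))
    print("DGA-like clients:", dga_suspects(LOG_LINES))
```

The NXDOMAIN check deliberately ignores what the names look like, since the quoted Trend Micro post notes that generated names collide with legitimate domains; it keys on the volume and spread of failures per client instead.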
