Tag Archives: botnet

Microsoft takes down 277 Waledac infected websites

Filed under Security

Microsoft has taken down 277 internet domains that it believed was being used to run the Waledac botnet.

In what it called ‘Operation b49’ that was the ‘result of months of investigation and the innovative application of a tried and true legal strategy’, according to Microsoft’s associate general counsel Tim Cranton, a federal judge granted a temporary restraining order that quickly and effectively cut off traffic to Waledac at the ‘.com’ or domain registry level.

Cranton said: “Microsoft has since been taking additional technical countermeasures to downgrade much of the remaining peer-to-peer command and control communication within the botnet, and we will continue to work with the security community to mitigate and respond to this botnet.

“Three days into the effort, Operation b49 has effectively shut down connections to the vast majority of Waledac-infected computers, and our goal is to make that disruption permanent. But the operation hasn’t cleaned the infected computers and is not a silver bullet for undoing all the damage we believe Waledac has caused. Although the zombies are now largely out of the bot-herders’ control, they are still infected with the original malware.”

Source: SC Magazine UK

Researchers Infiltrate Storm Botnet Successor

Filed under Malware, Viruses

In an undercover mission to learn more about the size and scope of the son of the infamous Storm botnet, Waledac, German researchers have discovered the spamming botnet is much bigger and more efficient than previously thought.

The University of Mannheim and University of Vienna team boldly infiltrated the Waledac botnet from Aug. 6 through Sept. 1 of last year using a cloned Waledac bot they built and code-named “Walowdac.” The phony bot injected the IP addresses of the researchers’ analysis systems into the botnet, and the researchers were able to collect detailed data on the botnet and its inner workings. They found Waledac runs a minimum of 55,000 bots a day, with a total of 390,000 bots — much larger than previous estimates of 20,000 or so bots.

The researchers also were able to measure success rates of various spam campaigns launched by Waledac, and were able to observe up close Waledac’s newer features, such as the ability to steal credentials from bot-infected machines. Their clone did not do any spamming, however. “We used an implementation of the bot that speaks all of the protocols and communicates like a bot would do. We had full control over it, and it didn’t send any spam…it just participated in the communications,” says Thorsten Holz, one of the researchers.

Read the full article at: DarkReading

Adobe Reader vuln hit with unusually advanced attack

Filed under exploit

With more than a week until Adobe is scheduled to patch a critical vulnerability in its Reader and Acrobat applications, online thugs are targeting it with an unusually sophisticated attack.

The PDF file uses what’s known as egg-hunting shellcode to compress the first phase of the malicious payload into 38 bytes, a tiny size that’s designed to thwart anti-virus detection. As a result, just four of the 41 major AV programs detect the attack more than six days after the exploit surfaced, according to this analysis from Virus Total.

The shellcode then loads an obfuscated binary file contained in the PDF file that installs PoisonIvy, a backdoor client used to maintain control over infected PCs.

“Not only was this a very interesting example of a malicious PDF document carrying a sophisticated ‘war head,’ but it also showed the length attackers are willing to go to in order to make their malware as hard to detect as possible, not only for the AV vendors, but also for victims,” wrote Bojan Zdrnja, a Sans handler who analyzed the exploit.

The PDF was distributed through email that was specifically targeted at an unnamed organization, Zdrnja, who is a senior information security consultant with Infigo, said in an interview with The Register. Based on the metadata found in the PDF, it originated in China and was produced on December 29.

Just to make the attack even harder for end users to detect, the obfuscated binary runs a third executable program that does nothing more than open a benign file called baby.pdf on the infected machine. Zdrnja believes this is done to deflect attention and prevent users from figuring out their PC has just been compromised.

Source: The Register

Conficker infections drop overnight

Filed under Malware

People have one more reason to celebrate the new year, according to the Shadowserver Foundation: Nearly a million Conficker-infected computers have oddly disappeared overnight.

On Jan. 1, the number of IP addresses showing signs of infection dropped by about 820,000, to 5.3 million, according to data from the Shadowserver Foundation and the Conficker Working Group. The drop continued the botnet’s waning during the latter days of December: On December 29, IP addresses showing signs of Conficker infections peaked at 6.5 million before dropping to 5.3 million at the start of the new year.

Andre’ DiMino, director and founder of the Shadowserver Foundation, said the group did not have enough data yet to determine the cause of the drop.

“Is it because of the holidays, because a large number of work PCs were turned off? Or did companies take the time to clean up the problem? We really don’t have any conclusions yet,” he said.

Conficker, also known as Downadup and Kido, has surprised many security experts with its success in propagating across the Internet. First discovered in November 2008, the worm initially spread using a vulnerability in Microsoft Windows and contacted 250 random domains to check for updates. By April, Conficker had morphed into a botnet that maintained peer-to-peer connections, but no longer spread automatically. Where the first versions of the program contacted 250 random domains, the latest version generates 50,000 random domains every day and contacts 500 of them for updates. The Conficker Working Group has blocked the software from updating itself by pre-registering domains and provides resources to companies to help detect and remove infections.
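A defender-side illustration, added here and not part of the Security Focus article: a host running the later Conficker variant tries hundreds of generated domain names a day, most of which nobody has registered, so it stands out in resolver logs as one client collecting an unusual number of NXDOMAIN answers for distinct names. The log format, the sample lines and the alert threshold are all constructed assumptions, not Conficker's actual domain list.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not real data): timestamp, client IP,
# queried name, DNS response code. 10.0.0.9 mimics a DGA-driven host.
SAMPLE_DNS_LOG = """\
2010-01-02T10:00:01 10.0.0.5 query=mail.example.com rcode=NOERROR
2010-01-02T10:00:02 10.0.0.5 query=www.example.org rcode=NOERROR
2010-01-02T10:00:03 10.0.0.9 query=qzkfd.biz rcode=NXDOMAIN
2010-01-02T10:00:03 10.0.0.9 query=plmwe.info rcode=NXDOMAIN
2010-01-02T10:00:04 10.0.0.9 query=yuhrz.org rcode=NXDOMAIN
2010-01-02T10:00:04 10.0.0.9 query=ktxlo.net rcode=NXDOMAIN
2010-01-02T10:00:05 10.0.0.9 query=vvbqe.com rcode=NXDOMAIN
2010-01-02T10:00:05 10.0.0.9 query=dmrpa.cc rcode=NOERROR
2010-01-02T10:00:06 10.0.0.5 query=typo.exmaple.com rcode=NXDOMAIN
"""

# Assumed log line layout; adjust the pattern for a real resolver's format.
LINE_RE = re.compile(r"^(\S+) (\S+) query=(\S+) rcode=(\S+)$")


def parse_dns_log(text):
    """Yield (timestamp, client, qname, rcode) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def nxdomain_counts(text):
    """Count distinct names per client that resolved to NXDOMAIN.

    Ordinary clients produce the occasional typo; a bot walking through a
    daily list of generated domains produces hundreds of distinct misses.
    """
    seen = defaultdict(set)
    for _ts, client, qname, rcode in parse_dns_log(text):
        if rcode == "NXDOMAIN":
            seen[client].add(qname.lower())
    return {client: len(names) for client, names in seen.items()}


def suspect_hosts(text, threshold=5):
    """Return clients whose distinct-NXDOMAIN count reaches the threshold.

    The threshold is a placeholder for the toy log; in production it is
    tuned per network against a baseline of normal lookup failures.
    """
    return sorted(c for c, n in nxdomain_counts(text).items() if n >= threshold)
```

Domains that the Working Group pre-registers resolve to sinkholes rather than failing, so this check complements sinkhole telemetry rather than replacing it.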

Last month, the Shadowserver Foundation started publishing the names of the network owners who continued to have a large number of infected computers. Those numbers stayed fairly consistent during the month, between 6.0 million and 6.7 million IP addresses, until it started dropping on the 29th.

The drop may not be long lived, however. By Saturday, the signs of infection had already rebounded to 5.6 million.

“It’s starting to creep back up, but we are still a million off from where we were,” DiMino said. “It will really be interesting come Monday and Tuesday, when machines start coming back on. That will really tell us whether this was remediation or just a blip.”

Source: Security Focus

Cybercriminals Bypassing Two-Factor Authentication

Filed under Malware

Two-factor authentication — used to protect online bank accounts with both a password and a computer-generated one-time passcode — is supposed to be more secure than relying on a single password.

But Gartner Research VP Avivah Litan warns that cyber criminals have had success defeating two-factor authentication systems in Web browsing sessions using Trojan-based man-in-the-middle attacks.

A Gartner Research note written by Litan explains that in the past few months, Gartner has heard from many banks around the world that rely on one-time-password authentication systems. Accounts at these banks have been compromised by man-in-the-middle attacks — the report uses the term “man-in-the-browser” — despite the use of two-factor security.

One technique that the fraudsters have been using to bypass security controls is call forwarding.

“[B]anks that rely on voice telephony for user transaction verification have seen those systems and processes compromised by thieves who persuade telecom carriers to forward legitimate user phone calls to the thief’s cell phone,” the report says. “These targeted attacks have resulted in theft of money and/or information, if the bank has no other defenses sufficient to prevent unauthorized access to their applications and customer accounts.”

A man-in-the-middle attack involves using software or hardware to intercept network traffic and then forward it to its destination, so that the information can be used without the knowledge of the sender or the intended recipient.

In an e-mail, Litan said that the attacks have involved the Zeus Trojan and other customized malware.

Source: DarkReading

Botnet Operators Infecting Servers, Not Just PCs

Filed under Malware

Botnet operators have always been able to easily infect and convert PCs into bots, but they also are increasingly going after servers — even building networks of compromised servers.

Web servers, FTP servers, and even SSL servers are becoming prime targets for botnet operators, not as command and control servers or as pure zombies, but more as a place to host their malicious code and files, or in some cases to execute high-powered spam runs.

“FTP servers are a hot commodity in the underground. They are regularly used by drive-by download malware as well as a downloading component for regular bots,” says Mikko Hypponen, chief research officer at F-Secure. “Another thing we’ve noticed is the use of SSL servers. Sites with a valid SSL certificate get hacked and are used by drive-by-downloads.”

Why SSL servers? “If a drive-by download gets the malware file through an HTTPS connection, proxy and gateway scanners won’t be able to scan for the malware in transit, making it easier to sneak in,” Hypponen explains.

Shadowserver, a nonprofit that tracks botnet activity, has seen botnets building their own networks of compromised servers as sort of sub-botnets for the botnet’s use. “Now we’re starting to see a botnet of servers … What’s interesting is we’re finding these networks of connected servers are under a certain person’s control,” says Andre DiMino, director of Shadowserver.

Botnet operators are using these networks of captured servers to expand their operations. The servers are used to host exploits, serve up drive-by downloads, and help them distribute more malware to the bot-infected PCs in the botnet, experts say.

For some time the bad guys have been hijacking FTP servers and using SQL injection to compromise legitimate Websites, which they in turn use to recruit more bots or to steal valuable credentials, data, or credit-card numbers. And some botnet operators are going after certain types of servers specifically to harness their horsepower and bandwidth. Joe Stewart, director of malware research for SecureWorks, says he sees bot code written in PHP and Perl that’s designed for server-based bots. These bots are typically used as spamming engines: “The general purpose of these attacks is to send spam, either email spam or blog spamming,” he says. “The benefits are having a large amount of bandwidth available and enhanced processing capacity to maximize the amount of spam you can send out.”

Source: DarkReading

Zeus botnet using Amazon’s EC2 as command and control server

Filed under Malware

Security researchers have intercepted a new variant of the Zeus crimeware, which is using Amazon’s EC2 services for command and control purposes of the botnet. The cybercriminals appear to be using Amazon’s RDS managed database hosting service as a backend alternative in case they lose access to the original domain, which would otherwise result in the complete loss of access to the compromised financial data obtained from the infected hosts.

Full article at: ZDNet

Botnets pushing out even more spam

Filed under Spam

Cybercrooks have adapted to the takedown of rogue ISPs by building more resilient botnets.

An annual security survey by MessageLabs found that the already high level of spam reached 87.7 per cent of email traffic during 2009, with a high of 90.4 per cent in May and a low of 73.3 per cent in February. Junk volumes increased still further compared to the 81.2 per cent spam rate recorded by MessageLabs in 2008.

Compromised (zombie) machines accounted for more than four in five (83.4 per cent) of an estimated global volume of 107 billion junk mail messages sent out every day during 2009.

The shutdown of botnet-hosting ISPs – such as McColo in late 2008 and Real Host in August 2009 – has forced hackers to re-engineer botnets so that the reins of command and control system can be picked up within hours, instead of the weeks of confusion that followed the McColo shutdown.

Source: The Register

Report claims that 2009 was a year of stronger botnets and increased spam

Filed under Security

There has been an average rate of 87.7 per cent in detected spam in 2009, as a small number of botnets have become stronger.

According to the MessageLabs intelligence annual security report for 2009 from Symantec, cybercriminals have sharpened their survival skills and operated a volume and variety approach over the past 12 months.

It showed that there was a high of 90.4 per cent of detected spam in May, and a low of 73.3 per cent in February. Paul Wood, MessageLabs intelligence senior analyst at Symantec, claimed that following the shutdown of McColo just over a year ago, levels did drop but soon picked up again.

Source: SC Magazine UK

The Root of the Botnet Epidemic

Filed under Security

Over the course of a few days in February 2000, a lone hacker was able to bring some of the Web’s larger sites to their knees, using just a few dozen machines and some relatively primitive software to cripple Yahoo, eBay, E*trade, Amazon, ZDnet and others for hours at a time. No one knew it at the time, but these attacks would come to be seen in later years as some of the earlier outbreaks of what has become a massive online pandemic.

The attacks themselves were nothing fancy. The hacker, who would later be identified as a 15-year-old boy from Montreal named Michael Calce, used a DDoS tool called Mstream to instruct a small army of machines he had previously compromised to send huge amounts of junk data at the remote Web servers he was targeting. But the technique was brutally effective: Yahoo, then the dominant search provider and portal site, was knocked offline for about two hours after receiving more than a gigabit of data per second from Calce’s bots.

CNN, ZDnet, Dell.com, eBay and other sites experienced similar floods, each with a varying degree of success. Initial speculation in the security and law enforcement community centered on sophisticated hackers, maybe a foreign group trying to prove a point about American capitalism, or a foreign intelligence service probing the country’s networks for soft spots.

Read more at: ThreatPost