Enterprise versus Broad-spectrum Internet Botnets: “Whats the difference between these massive botnets gobbling up sizable chunks of the Internet and those found inside the enterprise? Quite a bit actually.
Over the last couple of months I’ve been talking at a number of conferences and speaking with customers about the kinds of botnets we observe within enterprise networks as opposed to whats [...]“

(Via The Day Before Zero.)

Posted by Jason D. O’Grady

On November 2 a hacker was able to identify jailbroken iPhones unning SSH on T-Mobile’s Netherlands network via port scanning and used the vulnerability to change the wallpaper to display a message that demanded a 5 Euro ransom.

One November 7 another malware, dubbed ikee, “rickrolled” compromised iPhones by changing the wallpaper to a picture of Rick Astley (pictured).

Today a new, more nefarious worm that attacks jailbroken iPhone and iPod Touch devices has been discovered. According to Sophos this latest iPhone worm was discovered when a Dutch ISP reported unusual amounts of data traffic. Slashdot posted a link to a translation of a Dutch security blog post with more details.

There are some significant differences from the 5 Euro scam, the most notable of which is that this worm uses command-and-control like a traditional PC botnet. It configures two startup scripts, one to execute the worm on boot-up, and the other to create a connection to a Lithuanian server (HTTP) to upload stolen data and cede control to the bot master.

Security.nl reports that the new worm changes the SSH root password making it more difficult to stop.

This worm attacks IP ranges from a larger range of ISPs, including UPC (Netherlands), Optus (Australia), and T-Mobile (Many). When an infected device is hooked up to a WiFi connection, the worm can spread more quickly to more IP addresses than on a typical 3G connection.

It’s difficult to tell if your iPhone has been compromised, but one symptom is that battery life becomes very, very short when the device is connected to WiFi, because the worm is generating so much network activity. The recommended method to remove this malware from your iPhone is to restore the Apple factory firmware using iTunes.

If you’ve jailbroken your phone and are running SSH, change the default password.  [Source:  http://blogs.zdnet.com/Apple/?p=5305&tag=nl.e019]

Atenção: Os fatos descritos no vídeo não ocorrem em sistemas Unix-like, como GNU/Linux, Free BSD, Open BSD e Mac OS.

Cyber criminals have found on another job, they could not on two big "friends". Human nature to trust with its properties, credulity, and negligence and curiosity is certainly the most powerful levers in the arsenal of every hacker. Even in a world of perfect technology to use crackers to show the human weaknesses, otherwise secure doors. The technology is not perfect and technical "mistakes" in the software, computer and telecommunications systems offer many opportunitiesbe exploited. These technical flaws are, what we call "weaknesses".

Weaknesses in the entire World Wide Web are used all the time, gain control of computers and entire networks, and access to confidential data. The vulnerabilities are found everywhere, but especially in their Internet browsers and plug-ins, the web server and application software, and even in the core units of the underlying network infrastructure of the Web.

Unfortunately, the list ofInternet threats do not end there. Significant deficiencies are found and used in many other areas, such as Office programs (like the ubiquitous Microsoft Word, Excel and Outlook), all operating systems, mobile devices, platforms and applications, network equipment, to name a few.

All of these technical deficiencies are doors that can be used to find a hidden way around your security software, and "drop" is a small program that will "hook" your computer at a particular botnet. Onceconnected, your computer will not show a problem, and even silently to your existing antivirus and firewall software, sometimes for a long time. Actually, that is the main objective of a high-profile hacker: a perfect piece of software that is able to make himself invisible land and plant deep into a computer system, but ready to be activated as required.

Fortunately, more and more desktop software vendors are now disclosing, as they are discovered vulnerabilities at the same timeWhen releasing the so-called security "patches", ie a software rewritten to an "update" that are the problem. Viewed from the perspective of the user to stay up-to-date on patches has become indispensable. And so have the tools to make a thorough "Vulnerability Assessment".

You can not fix a problem if you do not know, you have one! But equally important is to have a sure fire "solution" to resolve it quickly and easily. Some of the best anti-virus and Internet security suites integrate "Vulnerability Scanner"a list of operating system and installed applications, has been released for a "patch" shows.

If it sounds like a race between you and tries to doors, and the criminals who try to get through it, it is because that is precisely what it is! You could try to find tired and install updates one by one fall behind and in accordance to your desktop or laptop computer up to date. The longer was the vulnerabilities that are likely to be higher on some maliciousSoftware links to malicious Web sites, the easier the way in. And do not assume that you must lead an exotic program to run into problems. Only just a simple video could be met by one of the most popular players such as Flash, QuickTime or Windows Media Player, the door to use the code open on your computer to one of the many botnets in the Internet underworld hook.

In the selection of anti-virus and firewall software, vulnerability assessment placed on top of your must-haveList. Together with an efficient and easy to manage desktop firewall software, it will break your day to day maintenance a breeze, and your computer a much tougher nut to!

Cyber Warfare – Asghar Javed, The Nation

The Counter Intuitiveness of Cyber Security – JD, al Sahwa

Cyber War Technology – Mobashir Ahmed, Techno Platforms

The Real Hustle and the Psychology of Scam Victims – Frank Stajano, Light Blue Touchpaper

NZ Interloper to Commercialise UK Internet Blocking – John Ozimek, The Register

Iraq Cyber Attack and the DigiSEALs – Kevin Coleman, Defense Tech

U.S. Struggles with ‘Electronic Fratricide’ in Afghanistan – Nathan Hodge, Danger Room

Never Understimate The Power Of A Botnet – Gadi Evron, Dark Reading

Obama Said to Be Close Again to Naming Cybersecurity Chief – Jaikumar Vijayan, ComputerWorld

…considering the fact that no spam was received thus far. So, today I’m going to talk about koobface and google reader.

There’s a new scheme in town (thanks to researchers at Trend Micro now we know it too ). Spammers now send links that point to google reader accounts (it’s legitimate you have to think) and when they arrive…surprise!!! You don’t have the latest version of koobface…uh, sorry, Adobe Flash Player installed. So you are kindly asked to install it in order to see the video you so anxiously waited for. And if you do install it, guess what? You are going to have your very own zombie machine, part of the koobface botnet, which you cannot control. Isn’t social networking fun?

Gumblar has new face on ugly head | HostExploit News: “sqlsodbc.chm,”

(Via .)

Security firm chokes sprawling spam botnet | HostExploit News: “    WEDNESDAY NOV 11

Security firm chokes sprawling spam botnet

Tuesday, 10 November 2009 14:00

A botnet that was once responsible for an estimated third of the world’s spam has been knocked out of commission thanks to researchers from security firm FireEye. After carefully analyzing the machinations of the massive botnet, alternately known as Mega-D and Ozdok, the FireEye employees last week launched a coordinated blitz on dozens of its command and control channels. The channels were used to send new spamming instructions to the leg”

(Via .)

How a Botnet Gets Its Name | HostExploit News: “    WEDNESDAY NOV 11

How a Botnet Gets Its Name

Tuesday, 10 November 2009 13:20

There is a new kid in town in the world of botnets – isn’t there always? A heavyweight spamming botnet known as Festi has only been tracked by researchers with Message Labs Intelligence since August, but is already responsible for approximately 5 percent of all global spam (around 2.5 billion spam emails per day), according to Paul Wood, senior analyst with Messagelabs, which keeps tabs on spam and botnet activity.

When a botnet like Festi pops onto the “

(Via .)

What does it really mean? It means that a botnet is sending similar phishing e-mails to many e-mail addresses in a relatively short time interval (thousands per hour). This kind of action can only be performed by a botnet because a) security mechanisms don’t allow a single IP address to send so many e-mails in such a small amount of time and b) it is too costly for the phisher to send so many e-mails through his connection.

Depending on how well-known is the phished institution, the wave can last from a couple of hours to days and even weeks. And sometimes they take breaks (a week or two) and then come back with even more phishing e-mails, from even more IP addresses.

The interesting (and frightening) fact is that people whose IP addresses are used to send spam don’t even know they have been infected and thus contribute to a phisher’s growing ROI.

Koobface Abuses Google Reader Pages | Malware Blog | Trend Micro: “

Botnet Exploits Hacked Sites Malicious Sites Malware Microsoft News Pharming Phishing Security Spam Vulnerabilities

Nov
9
Koobface Abuses Google Reader Pages
4:56 am (UTC-7)   |   by Jonell Baltazar (Advanced Threats Researcher)

We are seeing another development from the Koobface botnet, this time abusing the Google-owned service Google Reader to spam malicious URLs in social networking sites such as Facebook, MySpace, and Twitter.

The Koobface gang used controlled Google Reader accounts to host URLs containing an image that resembles a flash movie. These URL are spammed through the said social networks. When the user clicks the image or the title of the shared content, it leads to the all too familiar fake YouTube page that hosts the Koobface downloader component.

 
Google Reader is a free service offered by Google that allows users to monitor websites for new content. It also allows the users to share content from the websites. Any user online can view”

(Via .)

We all know the botnets Cutwail, Bagle, Grum and Rustock, responsible for about 75% to 80% of all the spam globally, but now Festi is becoming the fifth botnet in the row of largest botnets.

Festi is gradually growing and is estimated to be responsible for between 3% to 6%, since the beginning of September 2009, of the spam that is distributed worldwide. In terms of volumes this will range between 1.5 tot 3 billions spam messages per day.

The spam messages focus on male enhancement type mails, with .cn domains in use that lead to a Canadian Pharmacy web site, and replica watches, with mostly .com domains in use.

Several sources reported a surge of the Bredolab trojan in the middle of October but MX Lab did noticed an real increase on October 27th.

The following graph shows the virus detection from October 7th until November 5th (from right to left) with small peaks at the beginning of October while at the end the virus outbreak really started for us. Virus detection and interception rate increased 5x to 6x times compared to the normal average.

We noticed Bredolab appearing in different campaigns where Facebook Password Reset Confirmation was perhaps one of the most widespread campaigns targeting social network users. But let’s not forget DHL tracking emails or the Western Union Payment.

So what is going on? Bredolab is being distributed mainly over the Cutwail (or Pandex) botnet. One of the reasons is that this botnet is trying to infect new computers to be added to the botnet as zombies. A larger botnet can be used to distribute even more emails containing mailware and infect even more systems or send out new large spam campaigns.

The Cutwail botnet activity decreased from sending around 45% of spam at the beginning of the year to only 11% in September. Other botnets increased in size and activity. One of the newer botnets is called Maazbem and was responsible for a large casino-related spam email campaign earlier in May 2009.

The malware authors of Cutwail are trying to make up some of those losses and to regain a dominant position in the botnet scene. So far, approximately 3.6 Billion Bredolab emails are likely to be send out each day, worldwide.

In order to do so they publish new variants on a regular base to avoid detection by AV engines. As we could see during the last few days, virus detection was sometimes very low when a new variant was out and the file was offered tyo Virus Total for inspection.

At Virus Total, a great tool by the way, we often noticed that the 41 AV engines did had difficulties in detecting the new variant resulting in less protection for an end user system. In some cases, not even 30% of the engines did detect the trojan after more than 6 hours when the variant first appeared.

It is clear that the traditional signature or heuristic based AV engines fail to offer a good security in a very short time frame. A time frame that is so important to detect and handle malware correctly. At MX Lab we can only recommend to deploy anti virus engines in multiple layers with a zero hour anti virus solution as the main and first line of defense.

Opachki, from (and to) Russia with love, (Tue, Nov 3rd): “Opachki is a pretty interesting link hijacking trojan that has been spreading quite a bit in last co …(more)…”

(Via SANS Internet Storm Center, InfoCON: green.)

Pricing Scheme for a DDoS Extortion Attack: ”

With the average price for a DDoS attack on demand decreasing due to the evident over-supply of malware infected hosts, it should be fairly logical to assume that the ‘on demand DDoS’ business model run by the cybercriminals performing such services is blossoming.

Interestingly, what used to be a group that was exclusively specializing in DDoS attacks, is today’s cybercrime enterprise ‘vertically integrating‘ in order to occupy as many underground market segments as possible, all of which originally developed thanks to the ‘malicious economies of scale’ (massive SQL injections through search engines’ reconnaissance, standardizing the social engineering process, the money mule recruitment process, diversifying the standardized and well proven propagation/infection vectors etc.) offered by a botnet.

What if their DDoS for hire business model is experiencing a decline? Would penetration pricing save them? What if they start enforcing a differentiated pricing model for their services through DDoS extortion?

Let’s discuss one of those groups that’s been actively attempting to extort money from Russian web sites since the middle of this summer. From penalty fees, to 30% discount if they want to request DDoS for hire against their competitors, a discount only available if they’ve actually paid the 10,000 rubles monthly extortion fee at the first place – this gang is also including links to the web sites of Russian’s Federal Security Service (FSB) and Russia’s Ministry of the Interior stating ‘in order to make it easy for the victims to contact law enforcement‘.

Sample DDOS extortion letter:
‘Hello. If you want to continue having your site operational, you must pay us 10 000 rubles monthly. Attention! Starting as of DATE your site will be a subject to a DDoS attack. Your site will remain unavailable until you pay us.

The first attack will involve 2,000 bots. If you contact the companies involved in the protection of DDoS-attacks and they begin to block our bots, we will increase the number of bots to 50 000, and the protection of 50 000 bots is very, very expensive.

1-st payment (10 000 rubles) Must be made no later than DATE. All subsequent payments (10 000 rubles) Must be committed no later than 31 (30) day of each month starting from August 31. Late payment penalties will be charged 100% for each day of delay.

For example, if you do not have time to make payment on the last day of the month, then 1 day of you will have to pay a fine 100%, for instance 20 000 rubles. If you pay only the 2 nd date of the month, it will be for 30 000 rubles etc. Please pay on time, and then the initial 10 000 rubles offer will not change. Penalty fees apply to your first payment – no later than DATE’

Payment must be done on our purse Yandex-money number 41001474323733. Every month the number will be a new purse, be careful. About how to use Yandex-money read on www.money.yandex.ru. If you want to apply to law enforcement agencies, we will not discourage you. We even give you their contacts: www.fsb.ru, www.mvd.ru‘

It’s also worth pointing out that a huge number of ’boutique vendors’ of DDoS services remain reluctant to initiate DDoS attacks against government or political parties, in an attempt to stay beneath the radar. This mentality prompted the inevitable development of ‘aggregate-and-forget’ type of botnets exclusively aggregated for customer-tailored propositions who would inevitably get detected, shut down, but end up harder to trace back to the original source compared to a situation where they would be DDoS the requested high-profile target from the very same botnet that is closely monitored by the security community.

The future of DDoS extortion attacks, however, looks a bit grey due the numerous monetization models that cybercriminals developed – for instance ransomware, which attempts to scale by extorting significant amounts of money from thousands of infected users in an automated and much more efficient way than the now old-fashioned DDoS extortion model.

Related posts:
Botnet Communication Platforms
Custom DDoS Capabilities Within a Malware
A New DDoS Malware Kit in the Wild
Botnet on Demand Service
The DDoS Attack Against CNN.com
A Botnet Master’s To-Do List
Custom DDoS Attacks Within Popular Malware Diversifying
Using Market Forces to Disrupt Botnets
Web Based Botnet Command and Control Kit 2.0
DDoS Attack Graphs from Russia vs Georgia’s Cyberattacks
The DDoS Attack Against Bobbear.co.uk
Russian Homosexual Sites Under (Commissioned) DDoS Attack

This post has been reproduced from Dancho Danchev’s blog.

“

(Via Dancho Danchev’s Blog – Mind Streams of Information Security Knowledge.)

As a follow up to last week’s post regarding Mariposa infection research, Yamata Li of the Palo Alto Networks Threat Research Team has developed a Wireshark plugin that will allow you to view obfuscated pcaps of traffic from a Mariposa infected client and actually decrypt them within Wireshark. The software is available to all as open source software under the GNU GPL license. We hope that it helps in doing further investigation and research into the Mariposa botnet. Special thanks to Defence Intelligence for their analysis on Mariposa.

Read on for information on installing and using the plugin.

Where to get it
The project is hosted here on Google Code.

How to install it
Unzip the mariposa.zip file. There will be 3 files – mariposa.dll, the source file, and packet-mariposa.c. Copy the DLL into the wireshark plugin directory. For example, d:\wireshark\plugin. The code was compiled based on Wireshark version 1.2.2. It may work on previous versions, but there are no guarantees.

How to use it
Restart Wireshark. Open a PCAP of the Mariposa command and control traffic. Locate the traffic which you want to decypt, right-click and select Decode As…

A dialog box will appear (on the Transport tab) and you will get a list on the right side of the dialog box. Search and choose MARIPOSA and click Apply.

“MARIPOSA” will now appear as the protocol for the associated traffic.

How to read it

In the Wireshark Packet Detail window, there is a tree named MARIPOSA Protocol, you will find Opcode, Seq, Original Data, Decrypted Data, BOT cmd, BOT cmd Content items. The Decrypted Data is probably the most interesting. Click on it to view the decrypted data.

Mariposa pulling a file down from Rapidshare

Receiving attack instructions

A confirmation message from the infected client to the command and control server - "Flood running"

source : http://www.paloaltonetworks.com/researchcenter/2009/10/mariposa-tool/

Download from : http://code.google.com/p/botnetdecoding/

Hacked Facebook applications reach out to exploit sites in Russia: “All the social networking sites have issues with calling out to exploit pages. Usually what happens is that someone’s website gets hacked, and because they link to it from their MySpace or Facebook page, their contacts and friends sometimes get drawn to the attack sites. This is quite common, and we’ll write about it soon, but today’s story is a little different, in that these seem to be actual Facebook applications that have been hacked. (Please note that the application developer(s) are innocent victims too, and did not intend for their games to be hacked.)

“

(Via AVG Blogs | Roger Thompson.)

Botnet click fraud at record high: “

Move over, mules

Malware-infected computers are increasingly being used to perpetrate click fraud, according to a study released Thursday that found their contribution was the highest since researchers began compiling statistics on the crime.…

Offloading malware protection to the cloud

“

(Via The Register.)

How not to respond to a targeted malware attack: ”

“

(Via I had a backup. Really..)

“Brazil: a country rich in banking Trojans”: “Anyone who has ever analyzed malware designed to steal data from online banking customers will agree that Brazil is one of the biggest sources of so-called banking Trojans.”

(Via Latest Analysis for All Threats.)

Viruslist.com – The Cash Factory: “
 
Subscriptions | RSS Feeds | Discussions | Polls | Site Map

All Threats
Viruses
Hackers
Spam
Whole site    Viruses
  
Virus Encyclopedia
Riskware
Alerts
Analysis
News
Glossary
Weblog

 
Archive

<< 2009  
Jan Feb Mar
Apr May Jun
Jul Aug Sep
Oct    
Most Popular Analysis

Monthly Malware Statistics: September 2009

The Cash Factory

Online games and fraud: using games as bait

Keyloggers: How they work and how to detect them (Part 1)

Traps on the Internet
 
For Potential Authors

Want to become one of our authors and see your work published on Viruslist.com? Contact us!

  Home / Analysis
The Cash Factory

Oct 09 2009   |   comment

Sergey Golovanov
Igor Soumenkov
SPAM
The websites
The exploits
The bot
Password stealing Trojans
Downloading other malicious programs
The plan of attack
Conclusion
One more thing…
This article is a study of one spam email and illustrates the methods employed by today’s cyber criminals to create botnets and conduct mass spam "

(Via .)

Yes it does, at least according to a recently released report by the Business Software Alliance (BSA) which basically correlates data on the known piracy rates for particular countries and their malware infection rates, using public sources.

The rationale behind their claims is fairly simple – users relying on pirated copies of software also do not have access to the latest, often critical from a security perspective, updates issued by the vendors, and are therefore susceptible to client-side vulnerabilities.

How biased are BSA’s claims, or are the report’s claims in fact real, emphasizing on how millions of users relying on pirated Windows copies are usually the first to become part of a botnet?

Infection distribution data for the poster child of patch management failure on a global scale, Conficker, speaks for itself, at least in respect to the report’s claims. At the beginning of the year, “Symantec also made a connection between the high piracy rates of the most affected countries, and contributed their high infection rates to the user’s inability to obtain the released patches”:  Read the rest of the story:  http://blogs.zdnet.com/security/?p=4605&tag=nl.e019