FYI...Facebook kills Lecpetex botnet
July 8, 2014 - "Facebook said* police in Greece made two arrests last week in connection with a little-known spamming botnet called "Lecpetex," which used hacked computers to mine the Litecoin virtual currency. As many as 50,000 Facebook accounts were affected, and as many as 250,000 computers worldwide, primarily in Greece, Poland, Norway, India, Portugal and the U.S., according to a blog post* on Tuesday from Facebook's Threat Infrastructure team. The social networking site described the difficulties in shutting down the botnet, whose creators taunted Facebook through messages left on servers that were part of its network. Those behind Lecpetex launched at least 20 spam campaigns between December 2013 and last month, affecting Facebook and other online services. Some of the victims received private messages containing a ".zip" attachment containing a Java JAR file or Visual Basic script. Those files, if executed, would then retrieve other malware modules stored on remote sites. The modules were either DarkComet, a widely used remote access tool that can harvest login credentials, or variants of software that mines the virtual currency Litecoin, the team wrote. By frequently refreshing and changing the malicious attachments, Lecpetex defeated Facebook's filters designed to stop such malware from being distributed. The malware would also automatically update itself to evade antivirus products... Facebook said it reached out to other infrastructure providers and law enforcement when it realized security software alone wasn't going to foil Lecpetex..."
___Cyber Armies Brute Force POS Systems
July 8, 2014 - "... identified a malicious automated network that targets Point-of-Sale software using infected computers from around the world. The underground bot army, using the project name “@-Brt”, is using thousands of peaceful and unsuspecting infected users to brute force Point-of-Sale systems in an attempt to steal login credentials. This increased trend during the past two months has been in a stealth mode since the bot activities have successfully slid under the radar of both the end user and the targeted merchants. Previous threat intelligence notifications by IntelCrawler confirmed that the interest of cybercriminals in offline and online (cloud-based / SaaS) Point-of-Sales has increased significantly of late, as the use of automation and -bots- increases their chances of finding another gold mine like Target...
Administrative Interface of “@-Brt” project
... The “@-Brt” project was released in May 2014 in the underground as a specific type of malware for brute forcing Point-of-Sale credentials, using collected indicators like subnet IP ranges and commonly used operator, supervisor, and back office administrator logins, some of which are default manufacturers' passwords for famous Point-of-Sale equipment, as conveniently described in the official technical documentation from particular vendors... The bad actors' distribution of the “@-Brt” botnet allows for active scanning of multiple IPv4 network ranges on specific TCP ports and parallel brute forcing of available remote administration protocols such as VNC, Microsoft RDP and PCAnywhere. The identified malware supports multithreading, which allows them to speed up the process of gaining unauthorized access to merchants for further data theft. IntelCrawler has also detected within the bot the concentration of some compromised merchants and the massive IPv4 scanning in network ranges of famous US Internet Service Providers such as AT&T Internet Services, Sonic.net and SoftLayer Technologies. There are several modifications of the “@-Brt” project, supported by several cybercriminals, using slightly different approaches to parallelism, potentially written by different authors for speed and timeout optimization. After monitoring and infiltrating the bot network, IntelCrawler’s analysts have figured out the most commonly used passwords for compromised Point-of-Sale terminals and the geographical distribution of the infected hosts for cyberattacks.
Password distribution showed leaders with very low entropy – “aloha12345” (13%), “micros” (10%), “pos12345” (8%), “posadmin” (7%) and “javapos” (6.30%). IntelCrawler recommends strengthening passwords used for POS terminals, as well as monitoring suspicious incoming network traffic from the following countries:
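The two defensive measures the excerpt above recommends (stronger POS passwords and watching inbound traffic to the remote-administration protocols the bot brute-forces) can both be checked mechanically. The following Python script is an added example, not code from IntelCrawler or the report: it parses a constructed perimeter connection log, flags any source that racks up repeated failed logins against VNC, RDP or PCAnywhere within a short window (and escalates if the same source later succeeds), and rejects the low-entropy POS passwords listed above. The log format, the standard port numbers, the failure threshold and the sample IPs are all assumptions chosen for the example.

```python
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Standard ports of the remote-administration protocols named in the report
# (assumption: the defaults; deployments may listen elsewhere).
REMOTE_ADMIN_PORTS = {5900: "VNC", 3389: "RDP", 5631: "PCAnywhere"}

# Constructed sample of a perimeter connection log: timestamp, source IP,
# destination port, authentication result. Not taken from the report.
SAMPLE_LOG = """\
2014-07-08T10:00:01 203.0.113.5 3389 FAIL
2014-07-08T10:00:03 203.0.113.5 3389 FAIL
2014-07-08T10:00:04 203.0.113.5 3389 FAIL
2014-07-08T10:00:06 203.0.113.5 3389 FAIL
2014-07-08T10:00:07 203.0.113.5 3389 FAIL
2014-07-08T10:00:09 203.0.113.5 3389 OK
2014-07-08T10:01:00 198.51.100.7 5900 FAIL
2014-07-08T10:20:00 198.51.100.7 5900 FAIL
2014-07-08T10:02:00 192.0.2.9 443 OK
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\d+) (OK|FAIL)$")


def parse_log(text):
    """Parse log lines into (timestamp, src_ip, dst_port, result); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3)), m.group(4)))
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: (service, max_failures_in_window, later_success)} for every source
    that produced at least `threshold` failed logins to one remote-admin port inside `window`.
    later_success is True when the same source authenticated successfully after its first
    failure, i.e. the case most likely to be a compromised terminal."""
    fails = defaultdict(list)
    successes = defaultdict(list)
    for ts, src, port, result in events:
        if port not in REMOTE_ADMIN_PORTS:
            continue
        (fails if result == "FAIL" else successes)[(src, port)].append(ts)
    hits = {}
    for (src, port), times in fails.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):  # sliding window over sorted failure timestamps
            while t - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            later_ok = any(s > times[0] for s in successes.get((src, port), []))
            hits[src] = (REMOTE_ADMIN_PORTS[port], best, later_ok)
    return hits


# The low-entropy leaders quoted in the IntelCrawler excerpt above.
KNOWN_WEAK = {"aloha12345", "micros", "pos12345", "posadmin", "javapos"}


def password_entropy_bits(pw):
    """Upper-bound entropy estimate: length * log2(size of the character classes present)."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33
    return len(pw) * math.log2(size) if size else 0.0


def password_acceptable(pw, min_bits=60.0):
    """Reject the known POS defaults (case-insensitively) and anything under min_bits."""
    return pw.lower() not in KNOWN_WEAK and password_entropy_bits(pw) >= min_bits


if __name__ == "__main__":
    for src, (svc, n, ok) in find_brute_force(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {n} failed {svc} logins within window; later success={ok}")
    for pw in ("aloha12345", "Micros", "Xq7!pL2#vR9$mN4w"):
        print(pw, "acceptable" if password_acceptable(pw) else "rejected")
```

On the sample log only 203.0.113.5 trips the detector (five RDP failures in six seconds, followed by a success), while the two VNC failures from 198.51.100.7 nineteen minutes apart stay below the threshold; the entropy estimate is deliberately an upper bound, so the explicit default-password list does the real work for short dictionary words like "micros".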
July 9, 2014 - "... we found five C2 servers used by the BrutPOS botnet. Three of these servers are located on the same network in Russia; one of them is located in Iran. Only two of these servers remain active at this time...
188.8.131.52 | Russia | THEFIRST-NET | Active | 184.108.40.206
220.127.116.11 | Russia | THEFIRST-NET | Active | 18.104.22.168