Topic: Pandemic of the Botnets 2014
« on: January 08, 2014, 15:16:07 »
AplusWebMaster
Global Moderator
FYI...

ZeroAccess takedown and TDSS aftermath
- http://blog.trendmicro.com/trendlabs-security-intelligence/zeroaccess-takedown-and-the-tdss-aftermath/
Jan 8, 2014 - "Early December last year, Microsoft – in cooperation with certain law enforcement agencies –  announced their takedown of the ZeroAccess operations. This development, however, also yielded an unexpected effect on another well-known botnet, in particular TDSS. ZeroAccess is one of the most notable botnets in the world, with its malware known for rootkit capability. This malware is typically downloaded from peer-to-peer (P2P) networks disguised as pirated movie titles. Similarly, TDSS is known for its rootkit technology to bypass and is noted for distributing other malware such as FAKEAV, DNS changers. Both botnets are involved in click fraud operations... certain ZeroAccess variants redirect to URLs associated with TDSS, suggesting that the two botnets share portions of their command-and-control (C&C) infrastructure. As we monitored the connection between the two botnets, we found that the number of ZeroAccess customer infections and communications significantly dropped the day after the takedown. Among those systems with ZeroAccess infections, only 2.8% attempted (but failed) to communicate with its C&C servers.
ZeroAccess activity from Nov–Dec 2013
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/01/Gelo-Zero-Access-Activity-01.jpg
During the same period, we observed that the click fraud operations of TDSS were noticeably affected. The number of TDSS communications related to click fraud dropped days after December 5, the date when Microsoft announced their takedown of the ZeroAccess botnet. These activities, however, suddenly picked up before the year ended, suggesting that the click fraud side of TDSS is still active and the takedown’s impact may be temporary.
TDSS click fraud activity from Nov–Dec 2013
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/01/Edited-TDSS-Click-Fraud-Activity-01.jpg
However, the number of TDSS infections and communications were not impacted by the takedown, which indicates that only its click fraud side was affected.
TDSS activity from Nov–Dec 2013
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/01/Gelo-TDSS-Activity-01.jpg
This significant decrease in TDSS click fraud operations has something to do with its connection to ZeroAccess’s own click fraud... since both botnets perform click fraud, they may have exchanged URL lists with each other to generate more money. Proof of this nefarious deal between these two notorious botnets can be seen in the redirection URLs used by ZeroAccess. When initiating click fraud, we noticed several ZeroAccess variants redirecting to URLs related to TDSS. These redirections in turn, increase the number of clicks gathered by TDSS thus creating more profit for its perpetrators. We also noticed that TDSS malware, in particular versions DGAv14 use the old ZeroAccess domain generation algorithm (DGA) module, while new ZeroAccess variants has adopted DGAv14 features. Though the ZeroAccess takedown was disruptive to TDSS money-making schemes, its infections and communications remained business-as-usual, which means the TDSS botnet is likely profiting from other botnets..."


This machine has no brain.
....... Use your own.
Browser check for updates here.
« Reply #1 on: January 29, 2014, 04:30:09 »
AplusWebMaster
Global Moderator
FYI...

Cross-platform java-bot
- https://www.securelist.com/en/blog/8174/A_cross_platform_java_bot
Jan 28, 2014 - "... we received a malicious Java application for analysis, which turned out to be a multi-platform bot capable of running on Windows, Mac OS and Linux. The bot was written entirely in Java. The attackers used vulnerability CVE-2013-2465* to infect users with the malware. To make analyzing and detecting the malware more difficult, its developers used the Zelix Klassmaster obfuscator. In addition to obfuscating bytecode, Zelix encrypts string constants... The bot is designed to conduct DDoS attacks from infected user machines..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2465 - 10.0 (HIGH)
Last revised: 01/08/2014

- https://net-security.org/malware_news.php?id=2693
29.01.2014 - "... the botnet formed by machines "zombified" by this particular Trojan was targeting a bulk email service."

« Reply #2 on: March 06, 2014, 05:37:57 »
AplusWebMaster
Global Moderator
FYI...

Top Banking Botnets...
- http://www.secureworks.com/cyber-threat-intelligence/threats/top-banking-botnets-of-2013/
3 March 2014 - "... increase represents a challenge to financial institutions and their customers. Although banks have evolved their security measures to protect online transactions from fraud, attackers quickly adapt to these countermeasures and respond with sophisticated banking botnets. Many banking trojans are used for the same purposes, although not all banking trojans are created equal. Some botnets possess sophisticated plugin-based engines, while others are primitive yet effective... banking botnets' architecture ranges from a single centralized command and control (C2) server to a decentralized peer-to-peer (P2P) network...
Botnet activity for 2013: Most banking trojan activity observed by CTU researchers in 2013 originated from the botnets listed ...
Percentage of banking malware by botnet in 2013:
> http://www.secureworks.com/assets/image_store/png/page.intelligence.threats.banking.botnets.1.png
... attackers preferred to target commercial banks, credit unions, and other financial institutions in developed countries with sizeable populations and wealthy residents in 2013.
> http://www.secureworks.com/assets/image_store/other-jpegs/lrg.intelligence.threats.banking.botnets.2.jpg
Attackers tend to avoid countries where international transactions are more difficult and require local intervention to launder the money. Though most campaigns in 2013 focused on traditional banking websites, targets also included institutions that facilitate high-volume, high-value transactions, such as Automated Clearing House (ACH) or Single Euro Payments Area (SEPA) credit transfers. Many campaigns targeted corporate bank accounts and payroll systems... The choice of banking trojan and its capabilities depends on the financial resources available to the attacker and the level of security implementations an institution adopts. While MITB is a necessity of any banking trojan, features like redirect and backconnect allows them to control fraudulent transactions. Features like screenshots and video captures not only capture important information but enable an attacker to determine victim behavior that can be emulated during a fraudulent transaction... Conclusion: The financial fraud marketplace is an increasingly organized entity. It is a service-based industry in which a wide variety of financial trojans, webinjects, and distribution channels are bought and sold. Attackers are also reaching new markets, constantly expanding their operations to locations where they can apply existing techniques. The Middle East, Africa, and Asia are increasingly targeted. In search of maximum return, attackers are targeting high-volume and high-value transaction services, such as ACH in the U.S. and SEPA credit transfers in Europe, and there is an increased focus on recruiting money mules. In many situations, financial institutions adopted custom security solutions to protect against threats. However, many of these security implementations are -ineffective- against the modern banking trojan. 
Mass-distributed trojans that target large numbers of financial institutions concurrently and that leverage third-party services dedicated to circumventing security measures present a significant security threat..."
(More detail at the secureworks URL above.)

« Last Edit: March 12, 2014, 11:53:25 by AplusWebMaster »