News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
Topic: Pandemic of the botnets 2012 ...  (Read 6458 times)
« on: November 09, 2011, 17:56:26 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 7325



FYI...

Ghost Click - DNSChanger arrests ...
- http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911
11/09/11 - "Six Estonian nationals have been arrested and charged with running a sophisticated Internet fraud ring that infected millions of computers worldwide with a virus and enabled the thieves to manipulate the multi-billion-dollar Internet advertising industry. Users of infected machines were unaware that their computers had been compromised—or that the malicious software rendered their machines vulnerable to a host of other viruses... DNSChanger was used to redirect unsuspecting users to rogue servers controlled by the cyber thieves, allowing them to manipulate users’ web activity. When users of infected computers clicked on the link for the official website of iTunes, for example, they were instead taken to a website for a business unaffiliated with Apple Inc. that purported to sell Apple software..."
(More detail at the FBI URL above.)
> http://www.fbi.gov/news/stories/2011/november/malware_110911/image/dns-malware-graphic

Video: http://www.symantec.com/avcenter/reference/drive-by-pharming-animation.html
___

How to check if you are a victim...
> http://countermeasures.trendmicro.eu/how-to-check-if-you-are-a-victim-of-operation-ghost-click/
Nov. 9, 2011

« Last Edit: November 10, 2011, 07:35:33 by AplusWebMaster »

This machine has no brain.
....... Use your own.
Browser check for updates here.
.
« Reply #1 on: January 06, 2012, 05:38:00 »
AplusWebMaster

FYI...

Etrade DDoS attack ...
- http://www.theregister.co.uk/2012/01/05/etrade_in_ddos_attack/
January 5, 2012 - "... online broker ETrade, has been the target of a sustained malicious offshore generated cyber attack. The denial-of-service attack resulted in thousands of emails flooding the broking site, prompting a cessation of services from Christmas Eve to the New Year period. According to a Fairfax report*, offshore Etrade clients were the worst affected with some countries unable to access accounts for almost two weeks. An ETrade spokesperson confirmed that while overseas clients were more profoundly affected, Australian clients had intermittent access to their accounts... The Sydney Morning Herald reported** that St George customers were also affected by the attack as its online trading service is supplied by Etrade."
* http://www.theage.com.au/business/cyber-attack-strands-etrade-customers-20120104-1pl3x.html
January 5, 2012
** http://www.smh.com.au/business/st-george-service-hit-by-etrade-cyber-attack-20120105-1pmrs.html
January 6, 2012

- http://www.theage.com.au/business/cyber-attack-strands-etrade-customers-20120104-1pl3x.html
Jan 5, 2012 - "... While a denial-of-service attack prevents customers and the business from trading, it can also mask other illegal activities. Observers say businesses that have denial-of-service attacks not only lose the value of the business they would have conducted but also goodwill and reputation with the customer base..."

- http://www.darkreading.com/taxonomy/index/printarticle/id/232301367
Jan 05, 2012

Global Denial of Service
- http://atlas.arbor.net/summary/dos
Summary Report - (Past 24 hours)

« Last Edit: January 11, 2012, 06:36:32 by AplusWebMaster »

« Reply #2 on: January 18, 2012, 06:46:35 »
AplusWebMaster

FYI...

Carberp on Facebook
- http://www.theregister.co.uk/2012/01/18/carberp_steals_e_cash_facebook/
January 18, 2012 - "... Carberp, like its predecessors ZeuS and SpyEye, infects machines by tricking punters into opening PDFs and Excel documents loaded with malicious code, or attacks computers in drive-by downloads. The hidden malware is designed to steal account information, and harvest credentials for email and social-networking sites. A new configuration of the Carberp Trojan targets Facebook users to ultimately steal e-cash vouchers. Previous malware attacks on Facebook have been designed purely to slurp login info, so this latest skirmish, spotted by transaction security firm Trusteer*, can be considered something of an escalation. The Carberp variant replaces any Facebook page the user navigates to with a -fake- page notifying the victim that their Facebook account is temporarily locked. Effectively holding Facebook users hostage, the page asks the mark for their first name, last name, email, date of birth, password and a Ukash 20 euro ($25) voucher number to verify their identity and unlock the account... Trusteer warns the cash voucher attack is in some ways worse than credit card fraud, because with e-cash it is the account-holder, -not- the financial institution, who assumes the liability for fraudulent transactions..."
* http://www.trusteer.com/blog/carberp-steals-e-cash-vouchers-facebook-users

Bot blackmails Facebook users
- http://h-online.com/-1417073
19 January 2012 >> http://www.h-online.com/security/news/item/Bot-blackmails-Facebook-users-1417073.html?view=zoom;zoom=1
___

Some Botnet Stats
- http://www.abuse.ch/?p=3294

Lies, Damn Lies, and Botnet Size
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100705

« Last Edit: January 20, 2012, 05:48:59 by AplusWebMaster »

« Reply #3 on: January 19, 2012, 04:39:26 »
AplusWebMaster

FYI...

Koobface goes silent...
- http://www.reuters.com/article/2012/01/19/us-facebook-cybersecurity-idUSTRE80I05720120119
18 January 2012 - "... a pair of researchers on Tuesday published the names, aliases and photographs of a gang they accused of running a criminal enterprise known as Koobface that had primarily targeted Facebook after it cropped up in 2008. German security researchers Jan Droemer and Dirk Kollberg said that servers that ran the Koobface operation stopped responding on Tuesday morning after they released an in-depth report via Kollberg's employer, the UK anti-virus software maker Sophos*... the Koobface gang had continued to target other social networks as a long-running FBI probe failed to result in arrests in Russia... None of the five alleged members of the hacking group could immediately be traced to the reported office addresses or phone numbers in St Petersburg, Russia... The two German researchers said they suspected that the hackers had been working out of a third location in St. Petersburg..."
* http://nakedsecurity.sophos.com/2012/01/17/how-koobface-malware-gang-unmasked/
January 17, 2012

- https://www.nytimes.com/2012/01/17/technology/koobface-gang-that-used-facebook-to-spread-worm-operates-in-the-open.html?ref=technology
January 16, 2012 - "... These groups tend to operate in countries where they can work unmolested by the local authorities, and where cooperation with United States and European law enforcement agencies is poor... Russia, in particular, has a reputation as a hacker haven, although it has pursued several prominent cases against spammers recently... The Russian Embassy in Washington said it does not have any information regarding this group and that American law enforcement officials had never contacted the embassy on this issue..."
___

Kelihos botnet -aka- Waledac
- http://blogs.technet.com/b/microsoft_blog/archive/2012/01/23/microsoft-names-new-defendant-in-kelihos-case.aspx
23 Jan 2012 - "... Although the Kelihos botnet remains inactive since the successful takedown in September, thousands of computers are still infected with its malware. Please visit: http://www.support.microsoft.com/botnets for free information and tools to clean your computer from malicious software..."

- https://krebsonsecurity.com/2012/01/microsoft-worm-author-worked-at-antivirus-firm/
January 24, 2012
- http://www.gfi.com/blog/the-microsoft-kelihos-tango-continues/
January 24, 2012

« Last Edit: January 24, 2012, 01:20:33 by AplusWebMaster »

« Reply #4 on: January 25, 2012, 11:58:00 »
AplusWebMaster

FYI...

Carberp targets French broadband users...
- https://www.trusteer.com/blog/internet-not-free-%E2%80%93-carberp-targets-french-broadband-subscribers
January 25, 2012 - "... recently discovered a configuration of Carberp that targets Free, a French broadband Internet service provider (ISP). The attack is designed to steal debit card and bank information using a Man in the Browser (MitB) attack. Free offers an ADSL service, called Freebox, to its customers. When subscribers visit their online account page Carberp launches an HTML Injection attack after the user has logged-in. The victim is presented with a page that claims Free is having a problem processing their monthly subscription payments with the financial institution, and requests that the user update their payment account details... The malware then asks the user to submit their payment card number, expiration date, security code (CVV2), bank name, bank address, zip code and city. The victim is told that this information must be updated in order to make monthly payments and maintain their service... This latest Carberp attack is another example of fraudsters moving downstream from online banking applications to web sites that process debit and credit card payments. By launching MitB attacks that target customers of third party service providers, rather than the banks themselves, fraudsters can prey on the trust established between the victim and a non-financial entity like an ISP..."

- http://www.infosecurity-magazine.com/view/23321/carberp-loading-new-generation-of-financial-malware-on-the-rise/
18 January 2012

- http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Carberp#techdetails_link
___

- http://blog.eset.com/2012/01/26/facebook-fakebook-new-trends-in-carberp-activity
Jan 26, 2012 - "... According to our data Carberp’s main activity is confined to the region of Russia and the former Soviet republics, and this activity centered on fraud targeting the major Russian banks and stealing money from RBS (Remote Banking Service) systems... The Russian Federation is the country where the largest number of installations of Carberp has been seen*... Another interesting fact concerns a new DDoS plugin (Win32/Mishigy.AB) for Carberp. This DDoS plugin was developed in Delphi 7 and based on the network components from the Synapse TCP/IP library. Synapse components are very popular among cybercriminals for the creation of DDoS bots... Carberp is one of the biggest botnets in Russian Federation and total number of active bots is estimated to number millions of infected hosts..."
* http://blog.eset.com/wp-content/media_files/stat_country.png

« Last Edit: January 26, 2012, 11:10:13 by AplusWebMaster »

« Reply #5 on: January 27, 2012, 03:49:02 »
AplusWebMaster

FYI...

Drive-by downloads and Blackhole
- http://www.sophos.com/en-us/security-news-trends/reports/security-threat-report/html-09.aspx
26 Jan 2012 - "... The most popular drive-by malware we’ve seen recently is called Blackhole. It’s marketed and sold to cybercriminals in a typical professional crimeware kit that provides web administration capabilities. But it offers sophisticated techniques to generate malicious code. And it’s very aggressive in its use of server-side polymorphism and heavily obfuscated scripts to evade antivirus detection. The end result is that Blackhole is particularly insidious... Blackhole mainly spreads malware through compromised websites that redirect to an exploit site, although we’ve also seen cybercriminals use -spam- to redirect users to these sites. This year we’ve seen numerous waves of attacks against thousands of legitimate sites. We’ve also noticed cybercriminals abusing a number of free hosting sites to set up new sites specifically to host Blackhole. Just like the Blackhole kit itself, the code injected into the legitimate sites is heavily obfuscated and polymorphic, making it harder to detect. The typical payloads we see from Blackhole exploit sites include:
    Bot-type malware such as Zbot (aka Zeus)
    Rootkit droppers (for example TDL and ZeroAccess)
    Fake antivirus
Typically, the malware on these sites target Java, Flash and PDF vulnerabilities. At SophosLabs we saw a continual bombardment of new PDF, Flash, Java and JavaScript components each day for several months at the end of 2011. We’ve seen a huge rise in the volume of malicious Java files, virtually all of it from exploit sites such as Blackhole..."

« Reply #6 on: February 01, 2012, 03:28:22 »
AplusWebMaster

FYI...

Spearphishing attacks - gov't related targets worldwide
Malware backdoors government-targeted kit 'using Adobe 0-days'
- http://www.theregister.co.uk/2012/02/01/spear_phishing_rats/
1 Feb 2012 - "... spearphishing attempts, which have been levied against several government-related organisations worldwide, try to use alleged unfixed security flaws in Adobe software to implant a Trojan on compromised machines - ultimately opening a backdoor for hackers to take over systems. Once loaded, the malware also cunningly attempts to escape detection by posing as a benign Windows Update utility..."

> http://blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html
Jan 31, 2012 - "... Seculert and Zscaler identified similar command and control (C&C) beacon patterns... matching the domain registration info of some of the C&C observed (for example, siseau .com, vssigma .com, etc.), we linked the new "MSUpdater" Trojan to previous attacks, probably conducted by the same group... The targeted attacks... share a few similar technical parameters (thus, regarded as created by the same group of attackers) arrive in emails with a malicious PDF attachment..."

> http://research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html
Jan 31, 2012 - "... we analyzed the incidents that we observed and those published in the open-source to identify attack patterns and incidents from early 2009 to present... The threat arrives in phishing emails with a PDF attachment, possibly related to conferences for the particular targeted industry. The PDF exploits a vulnerability within Adobe (for example, a 0-day exploit was used against CVE-2010-2883) which then drops a series of files to begin communicating with the command and control (C&C)... The malware dropped and launched from the PDF exploit has been seen to be virtual machine (VM) aware in order to prevent analysis within a sandbox. The Trojan functionality is decrypted at run-time, and includes expected functionality, such as, downloading, uploading, and executing files driven by commands from the C&C. Communication with the C&C is over HTTP but is encoded to evade detection. The Trojan file name (e.g., "msupdate.exe") and the HTTP paths used in the C&C (e.g., "/microsoftupdate/getupdate/default.aspx") are used to stay under the radar by appearing to be related to Microsoft Windows Update - hence the name given to this Trojan. Correlating this information with open-source intelligence (OSINT), we were able to find other reports of this Trojan within past targeted incidents, as well as a link to other incidents and compromise indicators..."
___

- http://www.h-online.com/security/news/item/MSUpdate-trojan-attacked-companies-in-the-defence-sector-1427605.html?view=zoom;zoom=1
3 February 2012

« Last Edit: February 03, 2012, 12:56:34 by AplusWebMaster »

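The Zscaler excerpt in the post above names an HTTP path used for C&C, and the Seculert excerpt names two C&C domains. The following is an added example (not part of the original post or of either vendor's report) of detection logic for those indicators over a constructed proxy log; the log format, the trusted-suffix list and all function names are assumptions.

```python
from urllib.parse import urlsplit

# Indicators exactly as quoted in the post above (domains are defanged there).
C2_PATH = "/microsoftupdate/getupdate/default.aspx"
C2_DOMAINS_AS_POSTED = ["siseau .com", "vssigma .com"]

# Assumption: parent domains accepted as genuine Microsoft update hosts.
# Extend for your environment (for example an internal WSUS server).
TRUSTED_SUFFIXES = {"microsoft.com", "windowsupdate.com"}

# Constructed sample log, format "<timestamp> <client-ip> <method> <url>".
SAMPLE_LOG = """\
2012-02-01T09:14:02Z 10.0.4.17 GET http://update.microsoft.com/microsoftupdate/v6/default.aspx
2012-02-01T09:14:40Z 10.0.4.23 POST http://files.example.net/MicrosoftUpdate/GetUpdate/default.aspx?id=41
2012-02-01T09:15:11Z 10.0.4.23 GET http://www.siseau.com/index.html
2012-02-01T09:15:30Z 10.0.4.31 GET http://microsoft.com.cdn.example.org/microsoftupdate/getupdate/default.aspx
2012-02-01T09:16:05Z 10.0.4.40 GET http://www.example.com/news/
malformed line without enough fields
"""


def refang(indicator):
    """Turn a defanged indicator ('siseau .com', 'x[.]com') into a plain domain."""
    return indicator.replace(" ", "").replace("[.]", ".").lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_AS_POSTED}


def host_in(host, domains):
    """True if host equals a domain or is a subdomain of it.

    Matching on a leading dot keeps 'microsoft.com.cdn.example.org' from
    passing as a Microsoft host.
    """
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(url):
    """Return the list of reasons a URL is suspicious (empty if none)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return []
    host = parts.hostname or ""
    reasons = []
    if host_in(host, C2_DOMAINS):
        reasons.append("known-c2-domain")
    # The path imitates Windows Update; it is only a lead when the host
    # is not one of the trusted update domains.
    if parts.path.lower() == C2_PATH and not host_in(host, TRUSTED_SUFFIXES):
        reasons.append("update-path-on-untrusted-host")
    return reasons


def scan(log_text):
    """Parse the log and return one finding per suspicious request."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 4 or "://" not in fields[3]:
            continue  # skip lines that do not match the assumed format
        _ts, client, _method, url = fields
        reasons = classify(url)
        if reasons:
            findings.append({"line": lineno, "client": client,
                             "url": url, "reasons": reasons})
    return findings


def hosts_to_triage(findings):
    """Group findings by internal client so each machine is reviewed once."""
    by_client = {}
    for f in findings:
        by_client.setdefault(f["client"], set()).update(f["reasons"])
    return {client: sorted(reasons) for client, reasons in by_client.items()}


if __name__ == "__main__":
    for client, reasons in hosts_to_triage(scan(SAMPLE_LOG)).items():
        print(client, ", ".join(reasons))
```

A hit is a triage lead rather than a verdict: the clients it names are the machines to check for the dropped "msupdate.exe" file mentioned in the excerpt.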
« Reply #7 on: February 02, 2012, 09:55:29 »
AplusWebMaster

FYI...

Kelihos botnet remains very much dead after all
- http://arstechnica.com/business/news/2012/02/kelihos-botnet-remains-dead-after-all.ars
Feb 3, 2012
___

Kelihos botnet resurrected...
- http://arstechnica.com/business/news/2012/02/slain-kelihos-botnet-still-spams-from-beyond-the-grave.ars
Feb 1, 2012 - "A botnet capable of delivering almost four billion spam messages per day has been confirmed resurrected — more than four months after Microsoft celebrated its untimely demise. Researchers with Kaspersky Lab* reported on Tuesday that Kelihos, a peer-to-peer botnet that also goes by the name Hlux, continues to spew spam in a variety of languages...
Update: After this article was published, Microsoft sent the following statement:
"... Microsoft is working with Kaspersky to investigate this question and will provide more information when it becomes available..."
* http://www.securelist.com/en/blog/655/Kelihos_Hlux_botnet_returns_with_new_techniques
Jan 31, 2012

« Last Edit: February 06, 2012, 13:23:02 by AplusWebMaster »

« Reply #8 on: February 11, 2012, 09:43:33 »
AplusWebMaster

FYI...

Cellphone bots ...
- http://www.symantec.com/connect/blogs/androidbmaster-million-dollar-mobile-botnet
Updated: 09 Feb 2012 - "... The -malware- was discovered on a third party marketplace (not the Android Market) and is bundled with a legitimate application for configuring phone settings. Trojanized applications are a well known infection vector for Android malware... the total number of infected devices connected to the botnet over its entire life span numbered in the hundreds of thousands... the botmaster has been operating at these rates since September 2011. The botnet targets mobile users in China... Revenue generation through premium SMS, telephony, and video services is also limited to the networks of China's two largest mobile carriers... Upon running the Trojanized application, -both- the original clean software and a malicious application (Android.Bmaster*) are installed. Once the malware is installed, an outbound connection from the infected phone to a remote server is generated... SMS numbers in China tend to cost around $0.15 to $0.30 per message, and while this may not seem particularly expensive, it quickly adds up when you factor in the number of the active, infected devices on the botnet and how most users likely would not notice the infection right away. Taking our two example dates as the lower and upper bounds of the number of active infected devices, we can see the botmaster is generating anywhere between $1,600 to $9,000 per day and $547,500 to $3,285,000 per year the botnet is running..."
* http://www.symantec.com/security_response/writeup.jsp?docid=2012-020609-3003-99

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1823
Last revised: 09/07/2011
CVSS v2 Base Score: 7.2 (HIGH)
Impact Type: Provides administrator access, Allows complete confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service...

« Last Edit: February 11, 2012, 09:52:28 by AplusWebMaster »

« Reply #9 on: February 11, 2012, 19:35:37 »
AplusWebMaster

FYI...

Citadel botnets... rapid growth
- https://krebsonsecurity.com/2012/02/collaboration-feuls-rapdid-growth-of-citadel-trojan/
Feb 9, 2012 - "... researchers there said that they’d observed at least five new versions of Citadel since first spotting the malware on Dec. 17, 2011. Seculert’s Aviv Raff said that means the miscreants behind Citadel are pushing out a new version of the Trojan about once a week..."
- http://blog.seculert.com/2012/02/citadel-open-source-malware-project.html
Feb 8, 2012 - "A few weeks ago, Brian Krebs reported* on Citadel, a new variant of the Zeus Trojan. Citadel creators decided to provide this new variant in a Software-as-a-Service (SaaS) model, which seems to be a rising trend in the cybercrime ecosystem... They created a social network that enables the customers of Citadel (other cybercriminals) to suggest new features and modules to the malware... Based on the fact that the Zeus source-code went public in 2011, the Citadel community indeed became active, and started contributing new modules and features. This recent development may be an indication of a trend in malware evolution - an open-source malware... Seculert's Research Lab discovered the first indication of a Citadel botnet on December 17th, 2011. The level of adoption and development of Citadel is rapidly growing, and since then Seculert has identified over 20 different Citadel botnets**..."
** http://3.bp.blogspot.com/-rL0YPxLvhHw/TzLb31lbmXI/AAAAAAAAAEs/VUE5fuNvv0A/s1600/citadelstats.png
(Infection rate per country of several Citadel botnets, infecting over 100,000 machines)

* https://krebsonsecurity.com/2012/01/citadel-trojan-touts-trouble-ticket-system/
Jan 23rd, 2012 - "... Citadel may be the first notable progeny of ZeuS since the ZeuS source code was leaked online last year. The authors claim that it includes a number of bug fixes for the most recent ZeuS version, including full support for grabbing credentials from victims using Google Chrome. Also bundled with this update is a component that can record and transmit videos of the victim’s screen activity... The growth of a more real-time, user-driven and crowdsourced malicious software market would be a truly disturbing innovation..."

« Last Edit: February 20, 2012, 09:17:46 by AplusWebMaster »

« Reply #10 on: February 17, 2012, 04:43:05 »
AplusWebMaster

FYI...

Waledac malware returns... with password-stealing ...
- https://www.computerworld.com/s/article/print/9224324/Waledac_malware_returns_after_two_years_with_password_stealing_capabilities
Feb 16, 2012 - "A new version of the Waledac malware has been spotted on the Internet, but unlike previous variants, which were mainly used for spamming purposes, this one steals various log-in credentials and BitCoins, a type of virtual currency... researchers from network security firm Palo Alto Networks announced in a blog post*... it also steals FTP, POP3 and SMTP user passwords, as well as .dat files for BitCoin wallets. This is the first time that Palo Alto Networks' firewall products have spotted Waledac-related activity since the original botnet was shut down two years ago... the new Waledac version is being distributed through Web sessions, probably with the help of exploits hosted on compromised websites..." 
* http://www.paloaltonetworks.com/researchcenter/2012/02/waledac-returns%E2%80%A6and-its-serving-more-than-spam/
"... it is important to note that this is a -new- variant of the botnet, and not the original version..."

« Reply #11 on: February 19, 2012, 15:38:42 »
AplusWebMaster

FYI...

DNS Changer working group ...
- https://krebsonsecurity.com/2012/02/half-of-fortune-500s-us-govt-still-infected-with-dnschanger-trojan/
"... Computers still infected with DNSChanger are up against a countdown clock. As part of the DNSChanger botnet takedown, the feds secured a court order to replace the Trojan’s DNS infrastructure with surrogate, legitimate DNS servers. But those servers are only allowed to operate until March 8, 2012. Unless the court extends that order, any computers still infected with DNSChanger may no longer be able to browse the Web... there are still -millions- of PCs infected with DNSChanger... Even if the DNS Changer working group manages to get the deadline extended, the cleanup process will likely take many years. At least, that’s been the experience of the Conficker Working Group, a similar industry consortium that was created to help contain and clean up infections from the infamous Conficker Worm. That working group was formed in 2009, yet according to the group’s latest statistics, nearly 3 million systems remain infected with Conficker. Given the Conficker Working Group’s experience, shutting down the surrogate DNS network on March 8 may actually be a faster — albeit more painful — way to clean up the problem... Home users can avail themselves of step-by-step instructions at this link* to learn of possible DNSChanger infections..."
* DNS Changer Working Group (DCWG) - Checking for DNS Changer >> http://dcwg.org/checkup.html

DNS Changer Eye Chart:
DNS configuration test pages (Eye-chart):
  •  http://dns-ok.de/
  •  http://dns-ok.fi
  •  http://dns.ax
  •  http://dns-ok.us ...

« Last Edit: March 05, 2012, 16:58:11 by AplusWebMaster »

« Reply #12 on: February 20, 2012, 06:12:52 »
AplusWebMaster

FYI...

Cutwail botnet is back ...
- http://h-online.com/-1437644
20 Feb 2012 - "According to M86 Security*, the infamous Cutwail botnet (aka Pandex, Mutant and Pushdo) appears to have been reactivated.... in the past few weeks they have registered several waves of HTML emails that were infected with malicious JavaScript and probably originated from Cutwail-infected PCs... the volume of infected emails was 50 times higher between 23 and 25 January, and three further waves from 6 February were found to be as much as 200 times higher. Infected emails had subject lines such as "FDIC Suspended Bank Account", "End of August Statement" and "Scan from Xerox WorkCentre". The embedded JavaScript code tries to inject malware into computers through various security holes in, for example, old versions of Acrobat Reader. In some cases, the "Cridex" data-stealing trojan has been installed. The botnet uses the "Phoenix Exploit Kit", which... achieves infection rates of more than fifteen per cent. In early January**, details of the operators of the Cutwail botnet became public."
* http://labs.m86security.com/2012/02/cutwail-drives-spike-in-malicious-html-attachment-spam/

** http://h-online.com/-1403253

« Reply #13 on: February 22, 2012, 11:57:24 »
AplusWebMaster

FYI...

DNS Changer - Surrogate servers Operation extension Request filed
- https://krebsonsecurity.com/2012/02/feds-request-dnschanger-deadline-extension/
Feb 22, 2012 - "... In a Feb. 17 filing with the U.S. District Court for the Southern District of New York, officials with the U.S. Justice Department, the U.S. Attorney for the Southern District of New York, and NASA asked the court to extend the March 8 deadline by more than four months to give ISPs, private companies and the government more time to clean up the mess. The government requested that the -surrogate- servers be allowed to stay in operation until July 9, 2012. The court has yet to rule on the request, a copy of which is available here (PDF)*... the six Estonian men arrested and accused of building and profiting from the DNSChanger botnet are expected to be extradited to face computer intrusion and conspiracy charges in the United States..."
* http://krebsonsecurity.com/wp-content/uploads/2012/02/dnschangerextension.pdf
___

DNS Changer Working Group (DCWG) - Check for DNS Changer >> http://dcwg.org/checkup.html

DNS Changer Eye Chart: http://dns-ok.us/
___

- http://www.internetidentity.com/news/iid-press-releases/520-release-iid-reports-half-of-fortune-500-and-major-us-government-agencies-infected-with-dnschanger-malware
Feb 2, 2012 - "... IID found at least 250 of all Fortune 500 companies and 27 out of 55 major government entities had at least one computer or router that was infected with DNSChanger in early 2012..."

- https://www.computerworld.com/s/article/9224491/Feds_request_DNS_Changer_extension_to_keep_400K_users_online
Feb 22, 2012 - "... the substitute DNS servers were keeping an average of 430,000 unique IP addresses connected to the Web last month. Each IP address represented at least one computer, and in some cases, numerous machines..."

« Last Edit: February 24, 2012, 05:19:05 by AplusWebMaster »

« Reply #14 on: February 27, 2012, 12:11:47 »
AplusWebMaster

FYI...

DDoS attacks - H2 2011   
- http://www.securelist.com/en/analysis/204792221/DDoS_attacks_in_H2_2011#p1
02.22.2012 - "... launched from computers located in 201 countries around the world... DDoS attack sources have changed... new leaders: Russia (16%), Ukraine (12%), Thailand (7%) and Malaysia (6%)... zombie computers from 19 other countries ranges between 2% and 4%..."
DDoS traffic sources by country – H2 2011: http://www.securelist.com/en/images/vlill/gar_nam_pic04_en.png
