General Discussion

[ZeuS-SpyEye P2P use – banking Trojans]

FYI...

ZeuS-SpyEye P2P use – banking Trojans ...
- http://www.theregister.co.uk/2012/02/27/p2p_zeus/
27 Feb 2012 - "New variants of the Zeusbot/SpyEye cybercrime toolkit are moving away from reliance on command-and-control (C&C) servers towards a peer-to-peer architecture... Now cybercrooks have built functionality into Zeusbot/SpyEye that allows instructions to be distributed via P2P techniques as well, eliminating the need for C&C servers. Compromised systems are now capable of downloading commands, configuration files, and executables from other bots, a write-up by security researchers at Symantec explains*... tracking banking botnet activity and identifying the cybercrooks behind such networks is likely to become more difficult as a result of the architectural changes that have come with the latest version of ZeuS/SpyEye... Other changes to the malware creation toolkit include greater reliance on UDP communications – a stateless protocol that's harder to track and dump than TCP – as well as an extra encryption layer. Both ZeuS and SpyEye are best described as cybercrime toolkits that can be used for the creation of customised banking Trojans. The code base of the two former rivals was merged last year, leading to the creation of strains designed to target mobile banking customers..."
* http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet

  

[DNS Changer gets extension for infected PCs fix]

FYI...

DNS Changer gets extension for infected PCs fix...
- https://krebsonsecurity.com/2012/03/court-4-more-months-for-dnschanger-infected-pcs/
Mar 6, 2012 - "Millions of PCs sickened by a global computer contagion known as DNSChanger were slated to have their life support yanked on March 8. But an order handed down Monday by a federal judge will delay that disconnection by 120 days to give companies, businesses and governments more time to respond to the epidemic. The reprieve came late Monday, when the judge overseeing the U.S. government’s landmark case against an international cyber fraud network agreed that extending the deadline was necessary “to continue to provide remediation details to industry channels approved by the FBI”..."
___

DNS Changer Eye Chart:
New: http://www.dcwg.org/detect/

- https://www.us-cert.gov/current/#dnschanger_malware
April 24, 2012
___

Tool available for those affected by the DNS-Changer
- https://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199
Last updated: Feb 2, 2012 - "... a restart of Windows will be necessary after the execution of the tool and a successful repair."

Download Avira DNS Repair-Tool
- https://www.avira.com/files/support/FAQ_KB_Download_Files/EN/AviraDNSRepairEN.exe
___

- https://www.us-cert.gov/current/archive/2012/03/07/archive.html#operation_ghost_click_malware
updated March 7, 2012 - "... new deadline is July 9, 2012..."

 

[Zeus botnets disrupted]

FYI...

Zeus botnets disrupted ...
- https://blogs.technet.com/b/mmpc/archive/2012/03/25/microsoft-and-partners-disrupt-zeus-botnets.aspx?Redirected=true
25 Mar 2012 - "... This week, Microsoft has partnered with security experts and the financial services industry on a new action codenamed Operation b71* to disrupt some of the worst known botnets using variants of the notorious Zeus malware (which we detect as Win32/Zbot). Due to the complexities of these targets, unlike Microsoft’s prior botnet operations, the goal of this action was not the permanent shutdown of all impacted Zeus botnets. However, this action is expected to significantly impact the cybercriminals’ operations and infrastructure, advance global efforts to help victims regain control of their infected computers and also help further investigations against those responsible for the threat. The Zbot/Zeus threat has targeted the financial sector for quite some time... Millions of dollars of fraud are a result of this family of threat and it has taken cross-industry collaboration to take effective action against it. Microsoft has partnered with FS-ISAC, NACHA, Kyrus Tech, F-Secure and others to disrupt a large portion of the command and control infrastructure of various botnets using Zbot, Spyeye and Ice IX variants of the Zeus family of malware... MMPC is committed to partnering across the industry to help disrupt threats to the Internet and our customers. We will have more to share on Project MARS and related operations as we move forward."
* https://blogs.technet.com/b/microsoft_blog/archive/2012/03/25/microsoft-and-financial-services-industry-leaders-target-cybercriminal-operations-from-zeus-botnets.aspx?Redirected=true

- https://www.f-secure.com/weblog/archives/00002337.html
March 26, 2012 - "... abuse.ch's ZeuS Tracker* are currently reporting 350 C&C servers online, so there's plenty more work to do done..."
* https://zeustracker.abuse.ch/index.php
___

- http://www.theinquirer.net/inquirer/news/2163487/microsoft-attacks-worst-zeus-botnets
Mar 26 2012 - "... Microsoft said it has detected more than 13 million suspected infections of this malware worldwide..."
- http://www.theregister.co.uk/2012/03/26/zeus_botnet_takedown/
March 26, 2012
- https://www.nytimes.com/2012/03/26/technology/microsoft-raids-tackle-online-crime.html
March 26, 2012

 

[Kelihos.B botnet sinkholed]

FYI...

Kelihos.B botnet sinkholed...
- http://blog.crowdstrike.com/2012/03/p2p-botnet-kelihosb-with-100000-nodes.html
March 28, 2012 - "... CrowdStrike has teamed up with security experts from Dell SecureWorks, the Honeynet Project and Kaspersky to take out a peer-to-peer botnet which we believe is the newest offspring of a family that has been around since 2007: Kelihos.B, a successor of Kelihos, Waledac and the Storm Worm. Traditionally, the botnets in this family are known for spamming, but the newest version is also capable of stealing bitcoin wallets from infected computers... Just like its brothers, Kelihos.B relies on a self-organizing, dynamic peer-to-peer topology to make its infrastructure more resilient against takedown attempts. It further uses a distributed layer of command-and-control servers with hosts registered in countries like Sweden, Russia, and Ukraine that are in turn controlled by the botmaster... We are working with our partners to inform ISPs about infections in their network and make sure that Kelihos.B remains safely sinkholed..."

- https://krebsonsecurity.com/2012/03/researchers-clobber-khelios-spam-botnet/
March 28, 2012

OS versions - botted w/Kelihos.B
- https://www.securelist.com/en/images/pictures/klblog/208193433.jpg
Bot locations:
- https://www.securelist.com/en/images/pictures/klblog/208193434.jpg

- http://www.darkreading.com/taxonomy/index/printarticle/id/232700418
Mar 28, 2012

- http://www.secureworks.com/research/threats/waledac_kelihos_botnet_takeover/
28 March 2012

- https://www.virustotal.com/file/c696f16e9ac1a803591a89ad881d456c84edb1244c00f20ad0653619909e3aae/analysis/
File name: db95341667fb5e5553a1cb0113e21205
Detection ratio: 13/42
Analysis date: 2012-03-27 19:51:52 UTC
- https://www.virustotal.com/file/9daefd6067d8ca7092c4e4ccd99232917766601964495971eaab569f8764da4c/analysis/
File name: 84cbcfababd4eafd1a8a4872b9169362
Detection ratio: 15/42
Analysis date: 2012-03-27 20:06:04 UTC

 

[Kelihos.B - still live and social]

FYI...

Kelihos.B - still live and social
- http://blog.seculert.com/2012/03/kelihosb-is-still-live-and-social.html
March 29, 2012 - "... Several weeks ago, Seculert discovered that Kelihos.B had found a new and "social way" to expand, using an already-known social worm malware*, but now it had started targeting Facebook users... Up to now Seculert has identified more than 70,000 Facebook users that are infected with the Facebook worm, and sending the malicious links to their Facebook friends...
[Pie chart/infections by country]: http://3.bp.blogspot.com/-h4itoyKTpV4/T3QgNunuEGI/AAAAAAAAAFo/s4gAjtY2SrQ/s1600/fbwormstats.png
... at the time of this writing, Seculert can still see that Kelihos is being spread using the Facebook worm. Also, there is still communication activity of this malware with the Command-and-Control servers through other members of the botnet. This means that the Kelihos.B botnet is still up and running. It is continuously expanding with new infected machines, and actively sending spam. Some might call this "a new variant", or Kelihos.C. However, as the new infected machines are operated by the same group of criminals, which can also regain access to the sinkholed bots through the Facebook worm malware, we believe that it is better to still refer this botnet as Kelihos.B."
* http://blog.emsisoft.com/2011/04/19/download-photoalbum-another-variant-of-i-got-u-surprise/

   

[550,000 strong Mac botnet]

FYI...

550,000 strong Mac botnet
- http://news.drweb.com/?i=2341&c=5&lng=en&p=0
April 4, 2012 - "... Attackers began to exploit CVE-2011-3544 and CVE-2008-5353 vulnerabilities to spread malware in February 2012, and after March 16 they switched to another exploit (CVE-2012-0507)... Over 550,000 infected machines running Mac OS X have been a part of the botnet on April 4. These only comprise a segment of the botnet set up by means of the particular BackDoor.Flashback* modification. Most infected computers reside in the United States (56.6%, or 303,449 infected hosts), Canada comes second (19.8%, or 106,379 infected computers), the third place is taken by the United Kingdom (12.8% or 68,577 cases of infection) and Australia with 6.1% (32,527 infected hosts) is the fourth..."
* http://vms.drweb.com/search/?q=BackDoor.Flashback

Charted: https://st.drweb.com/static/new-www/news/2012/april/map2.1.png

- https://www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed
April 06, 2012 Kaspersky - "... we were able to log requests from the bots. Since every request from the bot contains its unique hardware UUID, we were able to calculate the number of active bots. Our logs indicate that a total of 600 000+ unique bots connected to our server in less than 24 hours. They used a total of 620 000+ external IP addresses... More than 98% of incoming network packets were most likely sent from Mac OS X hosts. Although this technique is based on heuristics and can’t be completely trusted, it can be used for making order-of-magnitude estimates. So, it is very likely that most of the machines running the Flashfake bot are Macs..."
___

- https://krebsonsecurity.com/2012/04/urgent-fix-for-zero-day-mac-java-flaw/
April 4th, 2012

Trojan-Downloader:OSX/Flashback.I
- https://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml
Detection Names: Exploit:Java/Flashback.I, Trojan-Downloader:OSX/Flashback.I, Trojan:OSX/Flashback.I, Backdoor: OSX/Flashback.I
Category: Malware
Type: Trojan-Downloader
Platform: OSX
"... Manual Removal... recommended only for advanced users..."

 

[Flashback botnet checker]

FYI...

Flashback botnet checker ...
- http://atlas.arbor.net/briefs/index#-1335098248
April 09, 2012 - "This resource allows a manual pasting of a OSX systems unique identifier into a form that will show if that machine is part of the Flashback botnet.
Analysis: This tool is provided by Dr. Web who first published details on the OSX Flashback infections. It does not scale well but allows for manual checking and can be helpful for end users."
Source: http://public.dev.drweb.com/april/
"Dear Mac OS user..."

- http://atlas.arbor.net/briefs/index#-824346427
April 09, 2012
___

Symantec OSX.Flashback.K Removal Tool
- http://www.symantec.com/security_response/writeup.jsp?docid=2012-041214-1825-99
April 12, 2012

F-secure Flashback Removal Tool
- http://www.f-secure.com/weblog/archives/FlashbackRemoval.zip
"... tool linked above has been updated April 12th..."

Infection by OSX version - chart
- https://www.f-secure.com/weblog/archives/ChitikaMacOSXVerions.png

> http://boards.cexx.org/index.php?topic=16875.msg83364#msg83364
April 12, 2012

 

[Flashback numbers -not- going down]

FYI...

Flashback numbers -not- going down - still over half a million
- http://www.h-online.com/security/news/item/Flashback-numbers-not-going-down-still-over-half-a-million-1547542.html?view=zoom;zoom=1
Graphic - 24 April 2012

- http://www.intego.com/mac-security-blog/new-flashback-variant-continues-java-attack-installs-without-password/
April 23, 2012

 

[Google: infected users affected by the DNSChanger malware]

FYI...

Google: infected users affected by the DNSChanger malware
- http://googleonlinesecurity.blogspot.com/2012/05/notifying-users-affected-by-dnschanger.html
May 22, 2012 - "Starting today we’re undertaking an effort to notify roughly half a million people whose computers or home routers are infected with a well-publicized form of malware known as DNSChanger. After successfully alerting a million users last summer to a different type of malware, we’ve replicated this method and have started showing warnings via a special message* that will appear at the top of the Google search results page for users with affected devices...
> http://4.bp.blogspot.com/-EY9pz56oz_4/T7vgXYng_GI/AAAAAAAACHQ/aJ5P94lR3eo/s500/DNSChanger+warning.png
... Our goal with this notification is to raise awareness of DNSChanger among affected users. We believe directly messaging affected users on a trusted site and in their preferred language will produce the best possible results. While we expect to notify over 500,000 users within a week, we realize we won’t reach every affected user. Some ISPs have been taking their own actions, a few of which will prevent our warning from being displayed on affected devices. We also can’t guarantee that our recommendations will always clean infected devices completely, so some users may need to seek additional help. These conditions aside, if more devices are cleaned and steps are taken to better secure the machines against further abuse, the notification effort will be well worth it."
___

DNS Changer Eye Chart:
>> http://www.dcwg.org/detect/

 

[Zbot relentless - Anti-emulations]

FYI...

Zbot relentless - Anti-emulations
- http://www.symantec.com/connect/blogs/relentless-zbot-and-anti-emulations
July 3, 2012 - "A couple of months ago, Microsoft took out some Trojan.Zbot servers across the world. The impact was short-lived. Even though for a span of about two weeks, we saw virtually no Trojan.Zbot activity, relentless Trojan.Zbot activity has resumed — with some added new social-engineering techniques as well as some new techniques to help Trojan.Zbot avoid antivirus detection... The effort that has been made by the Trojan.Zbot malware writers is not limited to one, or even a couple of techniques. In most malware variants there are many simple or complicated techniques to help avoid detection... These techniques are part of ever-evolving malware techniques, especially from professional malware writers who invest a large amount of time researching new techniques to -evade- antivirus detection..."

Botnet infections in the enterprise
- http://atlas.arbor.net/briefs/index#730205984
July 03, 2012
The scope and costs of botnet infections require a change in tactics.
Analysis: While automation is critical, automated security systems such as IDS's, firewalls, vulnerability scanning solutions, etc. are -not- a fool-proof solution and must be augmented and run by skilled practitioners. Attackers know how to bypass many security systems, and without skilled practitioners in the loop, this trend will continue...

 

[DNSchanger shutdown]

FYI...

DNSchanger shutdown ...
- http://www.theregister.co.uk/2012/07/05/dnschanger_botnet_shutdown/
5 July 2012 - "An estimated 300,000 computer connections are going to get scrambled when the FBI turns off the command and control servers for the DNSChanger botnet on Monday...
DNSChanger reroutes DNS requests to its own servers and then pushes scareware and advertising to infected machines. Shutting it down, however, will leave computers unable to access websites and email properly without a fix being applied. The FBI had been due to shut down DNSChanger in March, but left it up for an extra three months to allow more time for users to disinfect their systems. Companies and governments have made a big effort to clean systems with the help of the DNS Changer Working Group (DCWG)*, which was set up by security experts to manage the problems. But according to the latest DCWG data, there are still 303,867 infected systems out there..."

* http://www.dcwg.org/detect/
"... quick way to determine if you are infected with DNS Changer. Each site is designed for any normal computer user to browse to a link, follow the instructions, and see if they might be infected. Each site has instructions in their local languages on the next steps to clean up possible infections..."

 

[Grum botnet takedown]

FYI...

Grum botnet takedown ...
- http://blog.fireeye.com/research/2012/07/grum-botnet-no-longer-safe-havens.html
2012.07.18 - "... the Grum botnet has finally been knocked down. All the known command and control (CnC) servers are dead, leaving their zombies orphaned... According to data coming from Spamhaus, on average, they used to see around 120,000 Grum IP addresses sending spam each day, but after the takedown, this number has reduced to 21,505. I hope that once the spam templates expire, the rest of the spam with fade away as well..."

- http://h-online.com/-1647692
19 July 2012 - "... The botnet is believed to have been responsible for as much as 18% of total global spam, which amounts to approximately 18 billion messages a day..."

Spam Stats
- https://www.trustwave.com/support/labs/spam_statistics.asp
Week ending July 22, 2012

 

[APTs more prolific]

FYI...

APTs more prolific ...
- http://www.darkreading.com/taxonomy/index/printarticle/id/240004827
Aug 02, 2012 - "... cyberespionage malware and activity is far more prolific than imagined: (Joe Stewart - Dell Secureworks) has discovered some 200 different families of custom malware used to spy and steal intellectual property, with hundreds of attackers in just two groups out of Shanghai and Beijing... Stewart also unearthed a private security firm located in Asia - not in China - that is waging a targeted attack against another country's military operations, as well as spying on U.S. and European companies and its own country's journalists. He declined to provide details on the firm or its country of origin, but confirmed it's based in a nation that's "friendly" with the U.S... Stewart plans to continue hunting down APT attackers... The full report is here*."
* http://www.secureworks.com/research/threats/chasing_apt/
23 July 2012 - "...  tracking numerous digital elements involved in cyber-espionage activity:
• More than 200 unique families of -custom- malware used in cyber-espionage campaigns.
• More than 1,100 domain names registered by cyber-espionage actors for use in hosting malware C2s or spearphishing.
• Nearly 20,000 subdomains of the 1,100 domains (plus a significant number of dynamic DNS domains) are used for malware C2 resolution.
This quantity of elements rivals many large conventional cybercrime operations. However, unlike the largest cybercrime networks that can contain millions of infected computers in a single botnet, cyber-espionage encompasses tens of thousands of infected computers spread across hundreds of botnets, each of which may only control a few to a few hundred computers at a time. Therefore, each time an "APT botnet" is discovered, it tends to look like a fairly small-scale operation. But this illusion belies the fact that for every APT botnet that is discovered and publicized, hundreds more continue to lie undetected on thousands of networks..."
(More detail at the Secureworks URL above.)

[Godaddy DDoS attack in progress]

FYI...

Godaddy DDoS attack in progress
- https://isc.sans.edu/diary.html?storyid=14062
Last Updated: 2012-09-10 21:39:54 UTC ...(Version: 2)
Update: GoDaddy appears to make some progress getting services back online. The web site is responding again. DNS queries appear to be still timing out and logins into the site fail. (17:30 ET) GoDaddy is currently experiencing a massive DDoS attack. "Anonymous" was quick to claim responsibility, but at this point, there has been no confirmation from GoDaddy. GoDaddy only stated via twitter: "Status Alert: Hey, all. We're aware of the trouble people are having with our site. We're working on it." The outage appears to affect the entire range of GoDaddy hosted services, including DNS*, Websites and E-Mail. You may experience issues connecting to sites that use these services (for example our DShield.org domain is hosted with GoDaddy)..."

* Alternate DNS: http://208.69.38.205/

 

[GoDaddy's network status]

GoDaddy's network status:
- http://support.godaddy.com/system-alerts/
 
"Recently Resolved Issues
Resolved September 10, 2012 at 6:41 PM
... Known Issues
Updated:
06:22 MST
No issues to report"
___

- https://www.godaddy.com/newscenter/release-view.aspx?news_item_id=410
"... We have determined the service outage was due to a series of internal network events that corrupted router data tables... We have implemented measures to prevent this from occurring again. At no time was any customer data at risk or were any of our systems compromised...
- Scott Wagner Go Daddy CEO"

.