Topic: Pandemic of the botnets 2012 ...
« Reply #30 on: September 13, 2012, 07:28:49 »
AplusWebMaster
FYI...

Nitol botnet takedown
- https://blogs.technet.com/b/microsoft_blog/archive/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain.aspx?Redirected=true
13 Sep 2012 - "... the U.S. District Court for the Eastern District of Virginia granted Microsoft’s Digital Crimes Unit permission to disrupt more than 500 different strains of malware with the potential for targeting millions of innocent people. Codenamed “Operation b70,” this legal action and technical disruption proceeded from a Microsoft study which found that cybercriminals infiltrate unsecure supply chains to introduce counterfeit software embedded with malware for the purpose of secretly infecting people’s computers. In disrupting these malware strains, we helped significantly limit the spread of the developing Nitol botnet... On Sept. 10, the court granted Microsoft’s request for an ex parte temporary restraining order against Peng Yong, his company and other John Does. The order allows Microsoft to host the 3322 .org domain, which hosted the Nitol botnet, through Microsoft’s newly created domain name system (DNS). This system enables Microsoft to block operation of the Nitol botnet and nearly 70,000 other malicious subdomains hosted on the 3322 .org domain, while allowing all other traffic for the legitimate subdomains to operate without disruption. This action will significantly reduce the impact of the menacing and disturbing threats associated with Nitol and the 3322 .org domain, and will help rescue people’s computers from the control of this malware... Cybercriminals have made it clear that anyone with a computer could become an unwitting mule for malware; today’s action is a step toward preventing that... If you believe your computer might be infected with malware, we encourage you to visit http://support.microsoft.com/botnets as this site offers free information and tools to analyze and clean your computer..."

- https://krebsonsecurity.com/2012/09/malware-dragnet-snags-millions-of-infected-pcs/
Sep 19, 2012 - "... Microsoft said that within hours of the takeover order being granted, it saw more than 35 million unique Internet addresses phoning home to those 70,000 malicious domains... graphic* provided by Microsoft..."
* https://krebsonsecurity.com/wp-content/uploads/2012/09/mal3322.png
___

- https://blog.damballa.com/archives/1806
Sep 13, 2012 - "... Nitol... employs multiple domains from several free dynamic DNS providers, including -other- four-digit .ORG domain services such as 6600 .org, 7766 .org, 2288 .org and 8866 .org..."

(Highly recommend blocking those addresses also, if you haven't already.)

« Last Edit: September 19, 2012, 10:18:17 by AplusWebMaster »

This machine has no brain.
....... Use your own.
Browser check for updates here.
« Reply #31 on: September 21, 2012, 07:32:46 »
AplusWebMaster
FYI...

ZeroAccess botnet ...
- http://www.f-secure.com/weblog/archives/00002430.html
Sep 20, 2012 - "... ZeroAccess is a very large botnet and there are millions of infections globally. Here's the USA:
> http://www.f-secure.com/weblog/archives/ZeroAccessGoogleEarthUSA756x464.png
... Here's Europe:
> http://www.f-secure.com/weblog/archives/ZeroAccessGoogleEarthEurope756x464.png ..."

- http://nakedsecurity.sophos.com/2012/09/19/zeroaccess-botnet-uncovered/
Sep 19, 2012 - "... ZeroAccess* uses a peer-to-peer network to download plugin files which carry out various tasks designed to generate revenue for the botnet owners. Our researchers monitored this network for a period of two months to discover where in the world the peers were located and what kind of files the botnet was being instructed to download. We found the IP addresses of infected machines from a total of 198 countries... Our research has discovered that the ZeroAccess botnet is currently being used for two main purposes: Click fraud and Bitcoin mining..."
* https://sophosnews.files.wordpress.com/2012/09/image001.jpg?w=640

- https://isc.sans.edu/diary.html?storyid=12079
Last Updated: 2011-11-22 - "... The following tools were tested and worked quite fine against ZeroAccess. Kaspersky TDSSKiller has a good feature to offer a quarantine option if you want.
Kaspersky: http://support.kaspersky.com/downloads/utils/tdsskiller.zip
WebRoot: http://anywhere.webrootcloudav.com/antizeroaccess.exe
McAfee: http://vil.nai.com/images/562354_4.zip
Ah yes, remember that it will be cleaning one trojan, and that you still have at least a ZeuS running on the system..."

« Reply #32 on: September 28, 2012, 08:44:58 »
AplusWebMaster
FYI...

New Russian DIY DDoS-bot spotted in-the-wild
- http://blog.webroot.com/2012/09/28/new-russian-diy-ddos-bot-spotted-in-the-wild/
Sep 28, 2012 - "... a recently released DIY DDoS bot, which according to its author is a modification of the Dirt Jumper DDoS bot*.
More details:
Sample screenshot of the command and control interface of the Russian DIY DDoS Bot:
> https://webrootblog.files.wordpress.com/2012/09/diy_russian_ddos_bot_01.png
... The bot supports SYN flooding, HTTP flooding, POST flooding and the special Anti-DDoS protection type of flooding. It also has built-in anti-antivirus features allowing it to avoid detection by popular host-based firewalls, next to a feature allowing it to detect and remove competing malware bots from the system, preserving its current state for the users of the bot. Moreover, according to its author, it will not work under a virtual machine, preventing potential analysis of the malicious binaries conducted by a malware researcher. Another interesting feature is the randomization of the HTTP requests using multiple user-agents in an attempt to trick anti-DDoS protection on the affected hosts. Apparently, the coder behind this malware bot claims to have the source code of the Dirt Jumper DDoS kit, which we cannot verify for the time being given the fact that the source code for this bot isn’t currently circulating in the wild, and that there are zero advertisements within the cybercrime ecosystem offering to sell access to it..."
* http://ddos.arbornetworks.com/2012/05/dirt-jumper-ddos-bot-increasingly-popular/

« Last Edit: September 28, 2012, 08:56:56 by AplusWebMaster »
« Reply #33 on: October 05, 2012, 03:54:42 »
AplusWebMaster
FYI...

Botmasters recruited for attack on Banks ...
- http://blogs.rsa.com/rsafarl/cyber-gang-seeks-botmasters-to-wage-massive-wave-of-trojan-attacks-against-u-s-banks/
Oct 4, 2012 - "... a cyber gang has recently communicated its plans to launch a Trojan attack spree on 30 American banks as part of a large-scale orchestrated crimeware campaign. Planned for this fall, the blitzkrieg-like series of Trojan attacks is set to be carried out by approximately 100 botmasters. RSA believes this is the making of the most substantial organized banking-Trojan operation seen to date. By analyzing the details of the gang’s announcement, RSA has managed to link the cybergang’s weapon of choice to a little-known, proprietary Gozi-like Trojan, which RSA has dubbed “Gozi Prinimalka”... According to underground chatter, the gang plans to deploy the Trojan in an effort to complete fraudulent wire transfers via Man-In-The-Middle (MiTM) manual session-hijacking scenarios. Previous incidents involving this Trojan, handled by RSA and other information security vendors, appear to corroborate the gang’s claims that since 2008 their Trojan has been at the source of siphoning US$5 Million from American bank accounts. Gozi Prinimalka’s similarity to the Gozi Trojan, both in technical terms and its operational aspects, suggests that the HangUp Team — a group that was previously known to launch Gozi infection campaigns — or a group closely affiliated with it, may be the troupe behind this ambitious scheme. If successfully launched, the full force of this mega heist may only be felt by targeted banks in a month or two... This cyber intelligence notice is based upon ongoing research and analysis by the RSA FraudAction research team. As part of our ongoing cooperation with the security community, RSA has shared details of this information with U.S. law enforcement as well as with its RSA FraudAction Global Blocking Network partners and security teams from the partially known list of potential target U.S. banks. Still, it’s important to note that cyber criminals often make claims they do not necessarily act upon... 
Security teams should consider the potential urgency and applicability of this intelligence within their specific organization’s threat matrix and risk profile."
___

Akamai attack monitor:
- http://www.akamai.com/html/technology/dataviz1.html
Oct 6, 2012 15:07 ET
50.5% above normal...
___

Automated Toolkits named in massive DDoS attacks against U.S. Banks
- https://threatpost.com/en_us/blogs/automated-toolkits-named-massive-ddos-attacks-against-us-banks-100212
Oct 2, 2012

- http://atlas.arbor.net/briefs/index#-1177347673
Severity: High Severity
Oct 01, 2012
Heavy DDoS attacks on banks have taken place. Attribution is uncertain.
Analysis: The attackers used a PHP-based botnet for most of the attacks. The attacks were typically sourced from compromised web applications running vulnerable PHP code. The attackers typically upload a "web shell" to such a vulnerable site and then are able to upload, download and perform other operations on the system. Since such server systems typically have more bandwidth than the usual malware target (a Windows system on a broadband line) the attackers are able to increase their attack volume a great deal more quickly than through the use of windows malware.
Source: http://money.cnn.com/2012/09/27/technology/bank-cyberattacks/index.html

« Last Edit: October 06, 2012, 11:11:53 by AplusWebMaster »
« Reply #34 on: November 07, 2012, 07:17:45 »
AplusWebMaster
FYI...

ZeroAccess P2P - not C&C
- http://blog.trendmicro.com/trendlabs-security-intelligence/under-the-hood-of-bkdr_zaccess/
Nov 6, 2012 - "... ZACCESS, which is also known as ZeroAccess or SIREFEF. It can push fake applications and other malware onto infected systems, while using its rootkit capabilities to hide from detection. The table below shows Japan places 2nd in terms of infection ranking, followed by US. In fact, Japan Regional TrendLabs received a lot of queries from our customers, which also triggered our in-depth analysis.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/11/zaccess-chart.png
Backdoors typically establish each session by connecting from affected PCs to command-and-control (C&C) servers in order to receive commands from attackers. However, it’s not the case that a corresponding session is established from the C&C servers to affected PCs. Based on our analysis of BKDR_ZACCESS, it establishes bidirectional connections with other infected machines using its P2P functionality. This helps reduce the load on its C&C servers, as well as making the network more robust against a potential takedown of its C&C servers. This allows it to send and receive commands between affected PCs and not using any C&C servers.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/11/ZACCESSp2p.jpg
Because of this, BKDR_ZACCESS can be both a “client” and a “server”. When a PC affected by BKDR_ZACCESS functions as a server, it sends commands or other malware as if it were a C&C server. On the other hand, when it functions as a client, it connects to the IP addresses of affected PCs in its configuration file and updates the file. It can then attempt to download and execute other malware. Thus, once infected by BKDR_ZACCESS, affected users can spread infections to other affected PCs. At the same time, they are affected by this malware as a victim... there were a total of almost 35 million active connections between the servers and affected PCs... Some variants of ZACCESS can send spam mails. It is possible that this number is in some underground markets related to cybercrime. In addition, the attackers can use this number to gauge which tactics are successful in infecting users..."

« Reply #35 on: December 10, 2012, 18:11:29 »
AplusWebMaster
FYI...

Botnet hidden in the Tor network
- http://h-online.com/-1765530
10 Dec 2012 - "The Security Street blog* has found a botnet client, the operator of which is hiding behind the Tor network. This trick makes the work of security experts and criminal prosecutors much more difficult. The malicious botnet software, called "Skynet", is a trojan that Security Street found on Usenet. At 15MB, the malware is relatively large and, besides junk files intended to cover up the actual purpose of the download file, includes four different components: a conventional Zeus bot, the Tor client for Windows, the CGMiner bitcoin tool and a copy of OpenCL.dll, which CGMiner needs to crack CPU and GPU hashes..."
(More detail at the h-online URL above.)

* https://community.rapid7.com/community/infosec/blog/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit

« Reply #36 on: December 11, 2012, 07:51:04 »
AplusWebMaster
FYI...

Spambot Kelihos update ...
- https://www.abuse.ch/?p=4878
Dec 10, 2012 - "... a Spambot that was shut down in September 2011 by Microsoft, but came back in January 2012. Various security researchers believe that Kelihos (also known as Hlux) is the replacement of the famous Storm Worm, which was active in 2007 and replaced by Waledac in 2009...
Infecting removable drives: ... Kelihos now has the capability to spread via removable drives, like USB sticks. The Kelihos gang implemented this feature on 2012-10-10...
Switching from .eu to .ru: Back in March 2012, Kelihos used a huge list of different domain names to spread itself and to provide fresh binaries (bot updates) to the botnet. In summer 2012 the Kelihos gang switched from TLD .eu to TLD .ru...
The rise of Kelihos: If we take a look at the global spam statistics today, the Kelihos gang has managed to get one of the biggest spam botnets world wide with 100k – 150k unique spamming IP addresses per day. In fact, Kelihos is as active as the famous Festi and Cutwail botnets, which have more or less the same number of spamming IP addresses per day. But what makes Kelihos so successful? First of all, Kelihos is not easy to shut down since it is using double FastFlux for their malware distribution domains and rely on P2P techniques for botnet communication. So there is no central botnet infrastructure. By adding the possibility to spread via removable drives, Kelihos also has a very effective way to spread itself across networks and computers even without the need of a central (distribution) infrastructure. Last but not least, the infection binaries associated with Kelihos I’ve seen so far have a very poor AV detection rate...
So what can a network administrator do to mitigate this threat?
• Since Kelihos is using port 80 (usually used by the HTTP protocol) to communicate with the P2P drones, you should restrict outbound connections to port 80 TCP and implement a web proxy with protocol inspection capabilities (so that non-HTTP and non-HTTPs traffic that tries to go through the proxy gets blocked, and alerted on)
• Patch Windows (run Windows Update) to avoid exploitation through CVE-2010-2568
• Use port security on your devices to limit the usage of removable drives and prevent Kelihos from spreading through USB sticks etc
• Restrict outbound SMTP connections (port 25 TCP) to prevent Kelihos from sending out spam mails
• Restrict access to domain names hosted on dynamic IP addresses and/or whose DNS servers are hosted on dynamic IP addresses by using DNS RPZ* ..."
* http://www.isc.org/community/blog/201007/taking-back-dns-0

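One way to do the "protocol inspection" check from the first bullet of the Kelihos mitigation list above, as an added example that is not code from abuse.ch or from this post: it classifies the opening bytes of a client stream to TCP/80 as genuine HTTP, as something else that a proxy should block and alert on, or as still incomplete. The sample payloads, method allow-list and size limit are constructed assumptions for illustration, not real Kelihos traffic.

```python
# Port-80 protocol inspection for an outbound web proxy (added example, not abuse.ch code).
# Verdicts: "http" = well-formed HTTP/1.x request head, let it through;
#           "non-http" = something else riding on TCP/80 (as Kelihos P2P does): block and alert;
#           "incomplete" = consistent with HTTP so far, keep reading before deciding.
import re

# RFC 7230 "token" characters, used for method names and header field names.
_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_REQUEST_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+) (\S+) HTTP/1\.[01]\r\n$")
_HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[^\r\n]*\r\n$")
# Assumed allow-list: a bot that emits a token-shaped word in the method slot is still rejected.
_KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS",
                  b"CONNECT", b"TRACE", b"PATCH"}
_MAX_LINE = 8192  # assumed cap; longer request lines are not sane browser HTTP


def _could_be_request_prefix(fragment: bytes) -> bool:
    """True if an unfinished first line could still grow into a valid request line."""
    if len(fragment) > _MAX_LINE:
        return False
    parts = fragment.split(b" ", 2)
    if not _TOKEN.fullmatch(parts[0]):
        return False
    if len(parts) == 1:                      # still inside the method word
        return any(m.startswith(parts[0]) for m in _KNOWN_METHODS)
    if parts[0] not in _KNOWN_METHODS or re.search(rb"\s", parts[1]):
        return False
    if len(parts) == 2:                      # still inside the request target
        return True
    version = parts[2]                       # may end in a lone "\r" before "\n" arrives
    return b"HTTP/1.0\r".startswith(version) or b"HTTP/1.1\r".startswith(version)


def classify_port80_payload(data: bytes) -> str:
    """Classify the bytes seen so far at the start of a client-to-server stream."""
    if not data:
        return "incomplete"
    lines = data.split(b"\r\n")
    complete, remainder = lines[:-1], lines[-1]
    if not complete:                         # no full line yet
        return "incomplete" if _could_be_request_prefix(remainder) else "non-http"
    m = _REQUEST_LINE.match(complete[0] + b"\r\n")
    if not m or m.group(1) not in _KNOWN_METHODS:
        return "non-http"
    for line in complete[1:]:
        if line == b"":                      # empty line ends the header block
            return "http"
        if not _HEADER_LINE.match(line + b"\r\n"):
            return "non-http"
    return "incomplete"                      # headers still arriving


# Constructed sample payloads (not real traffic captures).
SAMPLES = {
    "browser_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "form_post": b"POST /login HTTP/1.0\r\nHost: example.com\r\nContent-Length: 5\r\n\r\nabcde",
    "partial_get": b"GET /index.html HTTP/1.1\r\nHost: www.exam",
    "binary_p2p": b"\x9a\x23\x00\x10\x4f\x2b" + bytes(range(32)),  # made-up peer handshake
    "fake_get": b"GET\x00\x01\x02 blob",
    "bad_header": b"GET / HTTP/1.1\r\nthis is not a header\r\n\r\n",
}


def inspect_samples(samples=SAMPLES) -> dict:
    """Return {name: verdict} so results can be checked rather than only printed."""
    return {name: classify_port80_payload(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, verdict in inspect_samples().items():
        print(f"{name:12s} -> {verdict}")
```

A proxy should only alert on "non-http"; "incomplete" means it must buffer more bytes, which keeps slow or fragmented legitimate requests from being flagged.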
« Reply #37 on: December 12, 2012, 17:10:32 »
AplusWebMaster
FYI...

Butterfly botnet takedown
- https://www.fbi.gov/news/pressrel/press-releases/fbi-international-law-enforcement-disrupt-international-organized-cyber-crime-ring-related-to-butterfly-botnet
Dec 11, 2012 - "The Department of Justice and the FBI, along with international law enforcement partners, announced the arrests of 10 individuals from Bosnia and Herzegovina, Croatia, Macedonia, New Zealand, Peru, the United Kingdom, and the United States and the execution of numerous search warrants and interviews. The operation identified international cyber crime rings that are linked to multiple variants of the Yahos malicious software, or malware, which is linked to more than 11 million compromised computer systems and over $850 million in losses via the Butterfly Botnet, which steals computer users’ credit card, bank account, and other personal identifiable information... Facebook’s security team provided assistance to law enforcement throughout the investigation by helping to identify the root cause, the perpetrators, and those affected by the malware..."
___

- http://h-online.com/-1768325
13 Dec 2012

« Last Edit: December 13, 2012, 10:24:39 by AplusWebMaster »
« Reply #38 on: December 13, 2012, 10:09:36 »
AplusWebMaster
FYI...

Feds convict Stock Scammers, overlook Spammers
- https://krebsonsecurity.com/2012/12/feds-convict-stock-scammers-overlook-spammers/
Dec 13, 2012 - "On Wednesday, the U.S. Justice Department announced that it had obtained convictions against a cybercrime gang that committed securities fraud through the use of botnets and spam. Oddly enough, none of the botmasters or spammers who assisted in the scheme were brought to justice or identified beyond their hacker handles... The defendants who pleaded or were found guilty in this case were convicted of orchestrating “pump-and-dump” stock scams. These are schemes in which fraudsters buy up low-priced stock, blast out millions of spam e-mails touting the stock as a hot buy and then dump their shares as soon as the share price ticks up from all of the spam respondents buying into the scam. A press release from the U.S. Attorney for the District of New Jersey* noted that ringleader of the scam, 44-year-old Christopher Rad, of Cedar Park, Texas, communicated with the spammers via Skype, addressing them by their hacker aliases, such as 'breg', 'ega', 'billybob6001' and 'be3ez12'... It’s not clear yet what botnet or other method Rahul/be3ez12 used to blast out his spam during the time he allegedly aided in these stock scams..."
* http://www.justice.gov/usao/nj/Press/files/Rad,%20Christopher%20Verdict%20PR.html
"... conspiracy to commit securities fraud..."

« Last Edit: December 13, 2012, 13:03:04 by AplusWebMaster »
« Reply #39 on: December 18, 2012, 14:54:16 »
AplusWebMaster
FYI...

Android botnet discovered across all major networks
- http://bgr.com/2012/12/18/android-spam-botnet-257993/
Dec 18, 2012 - "A new Android spam botnet has been discovered across all major networks that sends thousands of text messages -without- a user’s permission, TheNextWeb reported. The threat, which is known as SpamSoldier, was detected on December 3rd by Lookout Security* in cooperation with an unnamed carrier partner. The malware is said to spread through a collection of infected phones that send text messages, which usually advertise free versions of popular paid games like Grand Theft Auto and Angry Birds Space, to hundreds of users each day. Once a user clicks on the link to download the game, his or her phone instead downloads the malicious app. When the app is downloaded, SpamSoldier removes its icon from the app drawer, installs a free version of the game in question and immediately starts sending spam messages. The security firm notes that the threat isn’t widespread; however, it has been spotted on all major carriers in the U.S. and has the potential to do serious damage..."
* https://blog.lookout.com/blog/2012/12/17/security-alert-spamsoldier/
"... Consistent with CloudMark’s analysis**, we’ve seen a number of different spam campaigns active..."
** http://blog.cloudmark.com/2012/12/16/android-trojan-used-to-create-simple-sms-spam-botnet/
"... The trojan apps were downloaded from sites on a server in Hong Kong offering free games. They claimed to be copies of popular games:
> http://blog.cloudmark.com/wp-content/uploads/2012/12/Screen-Shot-2012-12-12-at-3.39.41-PM.png
... you have to jump through some hoops to install an Android app from a random web site rather than Google Play...
> http://blog.cloudmark.com/wp-content/uploads/2012/12/Screen-Shot-2012-12-12-at-3.15.15-PM.png
... Don’t do this..."
___

- http://h-online.com/-1772079
19 Dec 2012

« Last Edit: December 19, 2012, 07:44:28 by AplusWebMaster »