CyberInsecure.com

Archive for the ‘Botnets’ Category

Vodafone has been blamed for shipping Mariposa botnet malware and other nasties on a HTC Magic Android smartphones it supplied.

The mobile phone giant’s Spanish arm supplied an HTC Magic smartphone preloaded with malware that attempted to establish a backdoor for stealing information on connected PCs during the synchronisation process. Vodafone acknowledged the problem but said that the incident was an isolated and local problem, which came to light because the customer affected works for Spanish anti-virus firm Panda Security.

The extra code was a strain of the Mariposa bot client that attempted to connect to systems not associated with the recent arrests of three suspected botmasters in Spain, according to an analysis of the attack by Panda Security researcher Pedro Bustamante.

“A quick analysis of the malware reveals that it is in fact a Mariposa bot client,” Bustamante explained. “This one, unlike the one announced last week which was run by Spanish hacker group ‘DDP Team’, is run by some guy named ‘tnls’ as the botnet-control mechanism shows.

“Once infected you can see the malware ‘phoning home’ to receive further instructions, probably to steal all of the user’s credentials and send them to the malware writer,” he added.

The same mobile phone was also infected by Confiker and a Lineage password-stealing code, according to Panda. The incident came to light because the infected phone was sold to one of Bustamante’s colleagues in Spain.

In a statement, Vodafone said the problem, which it is investigating, was isolated.

Vodafone takes the security and privacy of its customers extremely seriously and launched an immediate investigation into this incident

Following extensive Quality Assurance testing on HTC Magic handsets in several of our operating companies, early indications are that this was an isolated local incident

Vodafone keeps its security processes under constant review as new threats arise, and we will take all appropriate actions to safeguard our customers’ privacy.

Incidents where computing devices come preloaded with malware are far from unprecedented. Normally problems arise when computers used in manufacturing production lines are themselves infected.

Credit: The Register

The perpetrators of a ticket fraud operation that made use of a botnet to subvert protection mechanisms enforced by ticket vendors were indicted earlier this week. The dedicated network of computers spread across the U.S. ran software that impersonated legit buyers and solved CAPTCHA tests.

It’s a well known fact that in order to ensure a fair distribution of tickets to the public, online ticket vendors enforced restrictions such as limiting the number of seats a single individual could obtain. In addition, to make sure that only real humans are able to acquire tickets, the order forms are usually accompanied by CAPTCHA challenges.

The indictment filed in Newark, New Jersey, names Kenneth Lowson, Kristofer Kirsch, Joel Stevenson and Faisal Nahdi as defendants. They operated through several companies and are collectively referred to as the “Wiseguys,” after Wiseguys Tickets, Inc., the first and primary firm they controlled.

The operation, which lasted from late 2002 until January 2009, involved fraudulently purchasing thousands of tickets for various events across the United States, and selling them to ticket brokers at higher prices. Investigators estimate that the Wiseguys racked up profits of almost $29 million by re-selling 1.5 million tickets.

In order to pull off the scheme, the gang employed programmers in the United States and Bulgaria, who coded and constantly adapted the software used to acquire the tickets. The program was so good that it solved CAPTCHAs far quicker than humans and was able to snatch up the best seats at high-profile events as soon as tickets went on sale.

But according to prosecutors, the defendants did not only stop at damaging online ticket vendors’ ability to ensure a fair distribution of tickets. Instead, they went as far as setting up a competing company to distribute tickets on behalf of artists or venues and giving assurances that it was capable of doing what the other vendors were failing to do.

“This affair is a perfect example of a targeted attack (here against the online ticket vendors) using malware that is not widespread. The affair demonstrates how important it is for administrators to keep watch over their networks and watch for even the slightest anomalies,” notes Francois Paget, threat researcher at McAfee.

Credit: Softpedia.com News

International cooperation between law enforcement agencies in Spain and the U.S., as well as several security companies, led to the arrest of three Spanish citizens who controlled one of the largest botnets in history. Dubbed Mariposa, the army of zombie computers connected from more than 12 million unique IP addresses.

The Mariposa (Butterfly in English) botnet was identified in May 2009 by researchers from a Canadian information security company named Defence Intelligence. The malware behind the botnet is an information stealing computer trojan, which has seen more than 200 variants to date.

In order to investigate and track the threat more efficiently, security experts from various organizations, including Defence Intelligence, Georgia Tech Information Security Center and Spanish antivirus vendor Panda Security have established the Mariposa Working Group (MWG). The group closely cooperated with the FBI and their Spanish counterpart, La Guardia Civil (the Civil Guard).

The experts managed to hijack the botnet in December, but the cyber-criminals, who called themselves the Días de Pesadilla Team (the Nightmare Days Team), regained control and retaliated with crippling Distributed Denial of Service (DDoS) attacks. A second, more successful takeover allowed researchers to count the number of IP addresses trying to access the Command and Control (C&C) servers and get an idea of the threat’s true scope.

“We were shocked to find that more than 12 million IP addresses were connecting and sending information to the C&C servers, making Mariposa one of the largest botnets in history,” notes Luis Corrons, technical director of PandaLabs, Panda Security’s malware intelligence laboratory. It was also discovered that the gang leased parts of the botnet to other cyber-crooks or sold DDoS services.

In addition, on the infected computers, the trojan displayed rogue ads while surfing the Web and altered Google search results. It also stole personal and financial information, such as online banking credentials and other usernames and passwords.

The authorities were able to identify F. C. R., a 31-year-old bot herder known online as “Netkairo,” after he slipped and accidentally revealed his home IP address. He was arrested by the Spanish Civil Guard in his home town of Balmaseda last month.

Data collected from Netkairo’s computer led to the capturing of two other accomplices, identified only as J. P. R., 30, a.k.a. “jonyloleante”, and J. B. R., 25, a.k.a. “ostiator.” A fourth co-conspirator is believed to be located in Venezuela.

Stolen information belonging to 800,000 users was also found, as well as data belonging to companies, government institutions and educational organizations in 190 countries. “It would be easier for me to provide a list of the Fortune 1000 companies that weren’t compromised, rather than the long list of those who were,” commented Defence Intelligence’s CEO Christopher Davis.

Credit: Softpedia.com News

People flocked to Google Wednesday evening to figure out what was happening with the UltraDNS service, which suffered a DDoS attack at the height of the last-minute shopping season.

An attack directed at the DNS provider for some of the Internet’s larger e-commerce companies–including Amazon, Wal-Mart, and Expedia–took several Internet shopping sites offline Wednesday evening, two days before Christmas.

Neustar, the company that provides DNS services under the UltraDNS brand name, confirmed an attack took place Wednesday afternoon, taking out sites or rendering them extremely sluggish for about an hour. A representative who answered the customer support line said the attacks were directed against Neustar facilities in Palo Alto and San Jose, Calif., and Allen Goldberg, vice president of corporate communications for Neustar, confirmed that at about 4:45 p.m. PST, “our alarms went off.”

Goldberg said the company received a disproportionately high number of queries coming into the system, and analyzed it as an attack. Neustar deployed “a mitigation response” within minutes of the attack, he said, and brought matters under control within an hour. The response limited the problems to Northern California, he said.

In addition to the high-profile sites, dozens of smaller sites that rely upon Amazon for Web-hosting services were also taken down by the attack. Amazon’s S3 and EC2 services were affected by the problems, according to Jeff Barr, Amazon’s lead Web Evangelist, who retweeted a report to that effect without clarification and confirmed it in later tweets.

For a brief period Wednesday evening, “ultradns” was the top search term on Google, likely as frantic technicians at Web sites attempted to figure out what was going on with their sites.

Web sites need DNS providers to translate the character-based URLs that people can remember to the IP addresses that Web sites actually use to list themselves on the Internet. When a DNS provider is overwhelmed with malicious requests for IP addresses, the system can overload and prevent legitimate users from reaching their destinations.

Amazon’s Web Services Health Dashboard declared an all-clear around 6:40 p.m. PST, saying that DNS resolution had returned to normal. Amazon and several other big sites seemed to recover around 5:40 p.m., but some other sites continued to report problems until around 6 p.m.

Needless to say, the timing of such an outage could not have been much worse, as holiday procrastinators rushed to make sure they could get one-day shipping for gifts to be delivered before Christmas Day on Friday.

UltraDNS suffered a similar attack earlier this year, which took out Amazon, Salesforce.com, and other sites. Goldberg described Wednesday’s attack as smaller than that one, in that it affected fewer customers.

However, Amazon is no small customer. Goldberg declined to comment on specific customers affected by the outage, and said Neustar had not yet determined the source of the attack.

One expert thought the attack might have been more widespread.

“This was wider than just UltraDNS,” said Bill Woodcock, research director at Packet Clearing House, which operates domain name servers and supports Internet exchange points around the globe.

“It’s difficult to tell at this point how much is a DDoS attack and how much is collateral damage from the attack that is being felt in other ways,” like a domino effect, he said. “There were routing problems at some major European exchanges at the same time that caused major Internet service providers’ routers to encounter a higher load and pass fewer packets.”

Credit: CNET News, Webware

The malware writers and criminals who run botnets for years have been using shared hosting platforms and so-called bulletproof hosting providers as bases of operations for their online crimes. But, as law enforcement agencies and security experts have moved to take these providers offline, the criminals have taken the next step and begun setting up their own virtual data centers.

IP address space allocation is handled by five regional Internet registries (RIR), each of which is responsible for a particular group of countries. The RIRs work with large enterprises, ISPs, telecoms and other organizations that need large blocks of IP space. These organizations typically have to go through an application and screening process in order to get these allocations, including providing legal documentation listing the officers of the company, its business and why the address space is needed.

And that’s the way it’s supposed to work everywhere. Applicants who can’t show a need for the IP space are told politely to take a walk. But in some cases, criminals have found a way around this by going through local Internet registries (LIR) or by taking advantage of RIRs that don’t have the resources to investigate every application as fully as they’d like.

The criminals will buy servers and place them in a large data center and then submit an application for a large block of IP space. In some cases, the applicants are asked for nothing more than a letter explaining why they need the IP space, security researchers say. No further investigation is done, and once the criminals have the IP space, they’ve taken a layer of potential problems out of the equation.

“It’s gotten completely out of hand. The bad guys are going to some local registries in Europe and getting massive amounts of IP space and then they just go to a hosting provider and set up their own data centers,” said Alex Lanstein, senior security researcher at FireEye, an antimalware and anti-botnet vendor. “It takes one more level out of it: You own your own IP space and you’re your own ISP at that point.

“If there’s a problem, who are you going to talk to? It’s a different ball game now. These guys are buying their own data centers. These LIRs and RIRs aren’t going to push back if you say you need a /24 or /16. They’re not the Internet police,” Lanstein said.

The most famous example of this is the Russian Business Network case, in which a group of criminals was able to get a large amount of IP space by using an LIR to get an allocation from RIPE, the European RIR. The LIR gave RIPE documentation that supposedly showed a need for the allocation, and that’s as far as it went.

“It is impossible at that stage in the process for the RIPE NCC to determine that a company is involved in illegal activity. The member in question later proved to be a front for RBN,” RIPE said in a statement on the case. But the allocation was made in 2006 and it wasn’t until May 2008 that RIPE was able to close down the LIR and get the IP space back.

In most regions, a new organization requesting a large allocation will have to go through a fairly rigorous process to show the need for the address space. The RIR staff often will request a listing of each machine the organization has and may go as far as to request purchase receipts for the machines, as well, said John Curran, president and CEO of the American Registry for Internet Numbers (ARIN), which is responsible for the U.S., Canada and parts of the Caribbean.

Criminals subverting this process has become a major problem in some regions, particularly parts of Europe and the Caribbean, where there are dozens of jurisdictions and multiple languages, which can lead to confusion and difficulty in tracking down exactly who is doing what online, security experts say.

“There are a lot of instances where they don’t go past the letter of justification,” Lanstein said. “There are plenty of IP allocations I can pull up and look at the domains and see that they’re total BS. U.S. data centers are much better, but in Europe there are so many languages and countries, it’s impossible for them to check everyone. And the bad guys know this.”

This set-up has become a useful tactic for the criminals running botnets and large spam and carding operations. Attackers who own their own large blocks of IP space have a much easier time hiding their activities than do criminals who have to go through legitimate ISPs or hosting providers. There’s no abuse desk to complain to, no recourse for people who find themselves being attacked by a given range of IP addresses.

“The policies for handing out IP space and verifying the people behind and application are global, they apply to all of the RIRs. But within that framework, there’s room for RIRs to set their own local policies too,” said Curran. “The bad news is, those policies are very local. How does someone verify an organization when in some regions they may only have written records and it’s a town of 2,000 people? It’s very difficult in Africa, parts of Europe, parts of the Caribbean. It’s very much the case that parts of our process are very hard to implement in other regions. Other regions have different ways of recording how a company is formed and they recognize very informal structures. The record-keeping is decentralized and it might take a while to determine who is behind a company.”

And once the IP space has been allocated, getting it back can be a long and arduous process. Criminals often will use a certain IP block for as long as it’s useful and profitable for them. But if security researchers and ISPs notice suspicious activity in a certain block, they will sometimes stop accepting traffic from it and block any traffic from their own networks to that block. This can be an effective tactic, but once the criminals abandon the IP space, it can take a long time for a legitimate business to be able to get traffic flowing there again.

“This is part of the problem that’s causing the IPv4 shortage,” Lanstein said, referring to the imminent exhaustion of the IPv4 address space, forecasted to occur in less than two years. “They stop paying the bills, the space gets null-routed and then it’s a mess. There’s clear fraud going on, but who can do something about it?”

Credit: ThreatPost.com

A computer worm that China warned Internet users against is an updated version of the Panda Burning Incense virus, which infected millions of PCs in the country three years ago, according to McAfee.

The original Panda worm, also known as Fujacks, caused widespread damage at a time when public knowledge about online security was low, and led to the country’s first arrests for virus-writing in 2007. The new worm variant, one of many that have appeared since late 2006, adds a malicious component meant to make infection harder to detect, said Vu Nguyen, a McAfee Labs researcher.

“It has gotten more complex with the addition of a rootkit,” said Nguyen. “It definitely makes it more challenging for users to clean up and even to know that their systems have been compromised.” A rootkit burrows into a system to try to hide the existence of malware.

The first Panda worm gained fame in China for switching the icons of infected files with an image of a panda holding three incense sticks. The same image would also flash across a victim’s screen, but the worm’s final goal was to install password-stealing Trojan horses. The worm infected millions of PCs, according to Chinese state media. Its author was ordered to write a removal tool for the worm and later sentenced to four years in prison.

China’s national virus response center warned about the updated worm earlier this week, but it dubbed the virus Worm_Piloyd.B and did not link it to Panda. The center said it had found a worm spreading online that infected executables and html files. The worm blocked a victim’s PC from restoring infected files, turned off active antivirus software and directed the machine to Web sites to download Trojan horses and other malware, the center said. The center urged Internet users to step up defense on their PCs against unknown viruses.

The new worm is unlikely to hit as many PCs as the first one. Chinese companies and Internet users are much more aware of malware than they were a few years ago, partly because of the wake-up call brought by the first Panda worm, said Nguyen.

As in other countries, cybercrime looks increasingly professional in China and labor is often divided along the production chain from virus design to the sale of stolen information. Chinese police are rushing to keep pace and cybercrime arrests have become more common in the country. Police in central Hubei province recently took six suspects into custody for building and selling viruses and attacking victims with a botnet, Chinese state broadcaster CCTV said this week. The group made over 2 million yuan (US$290,000) in about six months from their activities, the report said.

China officially had 338 million Internet users at the end of June, more than the population of the U.S.

Credit: Yahoo! Tech News

The Koobface botnet has pushed out a new component that automates the following routines:

Registering a Facebook account
Confirming an email address in Gmail to activate the registered Facebook account
Joining random Facebook groups
Adding Facebook friends
Posting messages to Facebook friends’ walls

Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook. All Facebook accounts registered by this component are comparable to a regular account made by a human. The details provided about the account are complete such as a photo, birth date, favorite music, and favorite books, among others. In addition, every account registered is unique in such a way that the details vary for every account registered.

Koobface accomplishes these malicious activities by automating Internet Explorer to perform the task of creating and registering an account. However, it does not proceed and will terminate the process if the affected user is using Internet Explorer 6. Moreover, it employs a check if it has already reached the maximum friend requests set by Facebook or not. Hence, it keeps itself under the radar and does not cause any alarm to Facebook administrators.

The messages posted through Facebook’s wall contain a link that leads to the usual fake Facebook or YouTube page hosting the Koobface loader component.

Facebook users are advised to be careful and security conscious. For more tips on using Facebook, users may opt to visit Facebook’s safety and security pages: http://www.facebook.com/safety and http://www.facebook.com/security.

Credit: Trend Micro Malware Blog

A botnet that was once responsible for an estimated third of the world’s spam has been knocked out of commission thanks to researchers from security firm FireEye.

After carefully analyzing the machinations of the massive botnet, alternately known as Mega-D and Ozdok, the FireEye employees last week launched a coordinated blitz on dozens of its command and control channels. The channels were used to send new spamming instructions to the legions of zombie machines that make up the network.

Almost immediately, the spam stopped, according to M86 Security blog. Last year, the email security firm estimated the botnet was the leading source of spam until some of its servers were disabled.

The body blow is good news to ISPs that are forced to choke on the torrent of spam sent out by the pesky botnet. But because many email servers already deployed blacklists that filtered emails sent from IP addresses known to be used by Ozdok, end users may not notice much of a change, said Jamie Tomasello, an abuse operations manager at antispam firm Cloudmark.

The takedown effort is significant because it shows that a relatively small company can defeat a for-profit network that took extraordinary measures to ensure it remained operational. Not only did Ozdok reserve a long list of domain names as command and control channels, it also used hard-coded DNS servers. When all else failed, its software was able to dynamically generate new domain names on the fly.

With head chopped off of Ozdok, more than 264,000 IP addresses were found reporting to sinkholes under FireEye’s control, an indicated of the massive number of zombies believed to have belonged to the botnet. FireEye researchers plan to work with the ISPs to identify the owners of the orphaned bots so their owners can clean up the mess.

FireEye researchers said the key to dismantling the giant ring was a coordinated effort that worked in multiple directions all at once so that bot herders didn’t have a chance to counteract. “As it turns out, no matter how many fallback mechanisms are in place, if they aren’t all implemented properly, the botnet is vulnerable,” they wrote.

Credit: The Register

The website of the Swedish Signals Intelligence agency (Försvarets Radioanstalt, or FRA) was taken offline by a massive DDoS attack this week.

Fra.se was intermittently inaccessible from Monday night until Thursday morning, when full service was restored. The agency was in the news recently after Swedish legislators passed a law allowing FRA to tap internet communications networks that pass through Sweden.

The monitoring effectively started last month, reports Finnish security firm F-secure, which notes that Russia’s international internet traffic passes through Sweden.

It’s unclear who’s behind the attacks, but Russian cybercrime operations or possibly file sharers lashing out against the Pirate Bay clampdown are among the possible suspects.

In a statement, (translation via Google here) FRA said that the temporary disruption to its web site had no effect on its work.

An apparently separate denial-of-service attack downed about 40 websites belonging to police and media outlets in Sweden last week.

Credit: The Register

Crimeware distributors have begun using Facebook as a command and control channel for a Trojan that turns compromised Windows PCs into zombie drones.

Zombie clients poll the Notes section of the mobile version of Facebook for instructions. Compromised clients might be instructed to download further code from a specified web site or told to wait for commands, for example.

The Trojan spreads via booby-trapped email attachments that take advantage of well-known PDF or Office flaws to infect unpatched systems. These messages pose as email from courier firms and the like.

This has become a very common strategy for targeted attacks, which have replaced mass mailing worms as the main malware danger to business. What distinguishes this Trojan from run of the mill malware is its (experimental) use of Facebook to receive commands instead of traditional botnet control channels such as Internet Relay Chat (IRC). Most of the heavy lifting - such as uploading stolen data - is still done through a web server, however, Symantec researcher Andrea Lelli explains.

“The Trojan is using a Facebook account to receive URLs to contact, and it may post some timedate stamps back to the account, but nothing more than that,” Lelli writes. “The real command and data processing is done through the remote URL that was received from the notes, and this URL may point anywhere.”

“It [the Trojan] simply uses the standard Facebook functionalities, which in no way are malicious, dangerous or faulty. This particular Trojan is quite limited and seems to be a targeted attack, but it can be considered a precursor of a botnet using a social network as a C&C [command and control] server.”

Symantec found the mobile Facebook account associated with the Trojan, established 16 October, showed very little signs of activity. Either hackers have deleted handshakes from compromised boxes that ought to have been exchanged or else the malware is yet to infect anything.

Virus writers have begun experimenting with varied means of controlling botnet clients over recent months. In August, for example, security researchers at Arbor Networks discovered a botnet that used Twitter to relay commands to compromised hosts.

Credit: The Register