There are strong indications that unidentified hackers are currently building a botnet, possibly by exploiting a vulnerability in outdated phpMyAdmin installations, and are using it to launch SSH brute force attacks.
Apparently more and more Web server owners are finding instances of an unauthorized script called dd_ssh running on their systems. The script is located in the /tmp/ directory, runs under the same account as Apache and is apparently being used to brute force SSH logins.
The SANS Internet Storm Center (ISC) confirms detecting a recent spike in the number of unique IP addresses that participate in SSH scanning.
Data gathered by its DShield monitoring system shows that the number of SSH scanning sources increased from around 1,300 per day at the beginning of August to over 5,000 at this moment.
According to some reports, attackers might be exploiting a vulnerability in older versions of phpMyAdmin in order to drop dd_ssh and another file called vm.c in the /tmp directory.
The vulnerability, which allows remote code execution, is said to affect versions below 3.2.4 (Debian) and was apparently patched back in April.
“I’ve found that many people who have been attacked have logs showing a flood of http requests from IPs in Asia and Eastern Europe that query the version of phpMyAdmin,” a networking and security enthusiast, who looked into the attacks, writes.
“These attacks may resemble a DDoS attack server side, but have an ulterior motive. Once the version is discovered to be vulnerable, they inject the code,” he adds.
Even though the SSH brute force attacks have spiked this month, the dd_ssh script has been mentioned in various reports since June, like this one from networking appliances manufacturer F5 Networks.
Credit: Softpedia.com News
Mobile malware that affects Symbian Series 60 handsets is being used to create a botnet.
Security firm NetQin claims as many as 100,000 smartphones have been compromised with the malware, which typically poses as a game and affects Series 3 and % Symbian devices. NetQin said the malware is programmed to send SMS messages from compromised devices.
“These botnets do one of two things; send messages to all the contacts of the address book directly, or send messages to the random phone numbers by connecting to a server,” NetQin explains in a blog posting.
“The viruses will delete the sent messages from the user’s Outbox and SMS log. All messages contain URLs linked to malicious sites that users won’t be able to see until after they’ve fallen into the virus trap.”
The Symbian Foundation said that the certificate used to sign the malware has been revoked, so, provided revocation checking is enabled on a phone, the malware will not run. Symbian downplayed the threat of the malware, which a spokesman described as posing only a “very minor threat”, V3.co.uk reports.
Credit: The Register
Security researchers warn that multiple spam campaigns detected on Twitter over the weekend target users via replies on topics they employed in recent tweets. Most malicious links spread in this way lead to websites pushing DDoS-capable trojans controlled from Muslim countries.
British antivirus vendor Sophos warned on Saturday that phishing and malware-distribution attacks on Twitter were using the recent international debate concerning the Israeli blockade on Gaza as lure to trap sympathizers on both sides of the fence. Many of these spams pushed a dangerous trojan known as Bifrost, which, amongst other things, can be used to install additional malicious code remotely.
Chester Wisniewski, a security expert with SophosLabs Canada, announced today that Twitter malware-pushing attacks had since intensified in frequency. The spammers use a wide array of techniques, from linking directly to malware, to sending visitors to Web pages riddled with exploits or infected PDF documents.
“Unlike previous Twitter bots that follow many hundreds of users in the hopes that they will follow back, these bots are @ replying to people on topics they are using in their tweets. If you talk about Obama, they @ reply you with a message about Obama and a malicious link,” Wisniewski explains. “What surprises me is the range of exploits and malware being used. I have detected plain old trojans that expect you to install them, malicious Java code targeting vulnerabilities from the past year, malicious JavaScript redirects and poisoned document files,” he adds.
The researcher speculates that many of these attacks might be attempts from Gaza sympathizers to build botnets for Distributed Denial of Service (DDoS) purposes. This is because five of six malware samples distributed by these latest spam campaigns have command and control servers in Muslim countries like Morocco or Saudi Arabia. In addition, the fact that all samples are variants from the same malware family and all C&C servers are using the no-ip.biz DynDNS provider further suggests a connection between them.
One good piece of news is that the spammers made no effort to obfuscate the malicious links via a URL shortening service. This should make it considerably easier for Twitter to block the attacks and identify the offending tweets that were already posted.
Credit: Softpedia.com News
Hackers have begun using compromised servers instead of client PCs to launch more powerful denial of service attacks. Hundreds of web servers are infected with a DoS application that transforms them into zombie drones, according to database security firm Imperva. These zombie servers are controlled using a simple web application, consisting of just 90 lines of PHP code.
Servers are harder to compromise than desktop PCs, which can potentially be compromised as easily as tricking a user into opening a maliciously constructed email or visiting a dodgy website. However, once compromised, servers offer more horsepower and, typically, fatter pipes for throwing out spurious traffic.
Attacks launched from web servers may also be more difficult to detect. “Trace backs typically lead to a lone server at a random hosting company,” Imperva warns.
Amichai Shulman, Imperva’s CTO, claims denial of service attacks from compromised servers are ongoing. “Now that a network of server bots has been created, it will be quite easy for them to ‘rent’ them out or increase their activity,” he said. “Companies should regularly monitor their Google presence to look for evidence of being compromised.”
Credit: The Register
A new worm is quickly spreading on Yahoo! Messenger (YM) via Web links to fake images. Users who fall victim to this threat have an IRC botnet client installed on their computers.
According to security researchers from Vietnam-based antivirus vendor Bkis, who analyzed the new worm, it spreads though YM spam. The malware sends out malicious links of the form http://[rogue_domain_name]/image.php to the entire contact list of any user logged into YM on an infected computer.
Visiting the spammed websites results in a download prompt for an executable file deceptively called IMG87654.JPG-www.myspace.com.exe (the number after IMG can differ). A further social engineering trick used in this attack is that the default image icon is displayed for the file.
Once executed on a system, the worm installer drops a file called infocard.exe in the Windows directory and writes startup registry keys for it under [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run], [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] and [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]. Three other files called mdt.sys, mds.sys and winbrd.jpg are created alongside infocard.exe, and a new value is added to [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] in order to create an exception in the default Windows firewall.
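As an added triage check (not part of the original article or of any vendor's tooling), the following PowerShell reads the three Run keys and the firewall exception list named above and reports any entry referencing infocard.exe, then checks the Windows directory for the four dropped files. It assumes it runs on the suspect host with rights to read HKLM; the function name and output layout are my own.

```powershell
# Added example, not from the original article: triage check for the persistence
# and firewall-exception locations the article attributes to this worm.
# Assumes it runs on the suspect Windows host with permission to read HKLM.

$Indicator = 'infocard.exe'

# Registry locations named in the article (hive prefixes written as PS drives).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
)
$FirewallList = 'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

# Files the article says are dropped in the Windows directory.
$DroppedFiles = @('infocard.exe', 'mdt.sys', 'mds.sys', 'winbrd.jpg')

function Find-YmfocardArtifacts {
    $findings = @()
    $pattern  = [regex]::Escape($Indicator)

    # Run keys: the value DATA holds the command line launched at logon.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $reg = Get-Item -Path $key
        foreach ($name in $reg.GetValueNames()) {
            $data = [string]$reg.GetValue($name)
            if ($data -match $pattern) {
                $findings += [pscustomobject]@{ Type = 'RunKey'; Location = $key; Name = $name; Data = $data }
            }
        }
    }

    # Firewall exception list: here the value NAME is the executable path, so check both.
    if (Test-Path -Path $FirewallList) {
        $reg = Get-Item -Path $FirewallList
        foreach ($name in $reg.GetValueNames()) {
            $data = [string]$reg.GetValue($name)
            if ($name -match $pattern -or $data -match $pattern) {
                $findings += [pscustomobject]@{ Type = 'FirewallException'; Location = $FirewallList; Name = $name; Data = $data }
            }
        }
    }

    # Dropped files in %WINDIR%; report size and creation time for the timeline.
    foreach ($file in $DroppedFiles) {
        $path = Join-Path -Path $env:windir -ChildPath $file
        if (Test-Path -Path $path -PathType Leaf) {
            $item = Get-Item -Path $path
            $findings += [pscustomobject]@{ Type = 'DroppedFile'; Location = $path; Name = $file; Data = "$($item.Length) bytes, created $($item.CreationTime)" }
        }
    }
    return $findings
}

# Wrap in @() so an empty result still has a .Count of 0.
$results = @(Find-YmfocardArtifacts)
if ($results.Count -eq 0) {
    Write-Output 'No artifacts matching the reported indicators were found.'
} else {
    $results | Format-Table -AutoSize
}
```

A hit in any of the three locations on a host that also shows the IRC traffic described below is a strong indication of this worm rather than a coincidental file name.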
An automated ThreatExpert analysis of the worm performed earlier today reveals that its payload involves connecting to IRC and joining a botnet. On first run, the worm points the browser to http://browseusers.myspace.com/Browse/Browse.aspx, which appears to be a legit MySpace resource.
“The nature of this attack is nothing new, because some worms already used this way of attack. However, it is always potentially dangerous to unaware users […] Yahoo! Messenger users should raise their awareness when receiving unknown links, even from their friends, and regularly update the latest version of their AV programs to protect their computers,” advises Bkis, whose BKAV antivirus product detects this threat as W32.Ymfocard.fam.Botnet. Another alias for it appears to be Mal/Rimecud-D, according to Sophos.
Credit: Softpedia.com News
The prolific Pushdo spam botnet has found a new way to penetrate Microsoft’s Live.com by exploiting weaknesses in the audio captchas designed to prevent automated scripts from accessing the popular email service.
A new version of the bot causes infected PCs to pull down Live.com audio captchas and return the correct response within 10 seconds, according to a researcher at anti-virus firm Webroot. The attack allows the zombie machines to send email through accounts with a Live.com address, which are whitelisted by many spam filters. The technique offers spammers an alternative to sending spam through open mail relays, which are often blacklisted.
“In one seven minute test period where I permitted the bot to operate freely, the bot demonstrated [a] remarkable capability to bypass the audio captchas,” Webroot researcher Andrew Brandt wrote Monday morning. “In most cases, it was able to submit the correct answer within two tries, though in one instance, the bot tried six times before it could proceed, and once it gave the correct answer the first time.”
The attack is the latest to target captchas, the puzzles that websites use to ensure that email and forms are completed by humans rather than automated scripts. Captchas require a person to recognize a series of distorted characters that are hard for computers to read using optical character recognition programs. Audio captchas, which are available in the event that the user is visually impaired, work in much the same way except that the characters are verbally recited amid background static and other noise.
Over the past few years, cybercrooks have devised attacks on captchas protecting Google, Live.com, sites selling concert tickets and various other web properties. Web masters usually respond by tweaking the puzzles, forcing attackers to find new bypass techniques.
Webroot’s Brandt said it’s the first time he’s heard of an audio captcha being targeted. It remains unclear if the attackers are sending the WAV files to sweat shops where humans then decode the audio puzzles, or if the technique works with the help of speech recognition software.
Once the captcha is solved, the botnet uses a Live.com email address to send spam with a variety of come-ons written with poor English grammar and usage. Our favorite one was “Mamma mia! your grandmother is doing so strange things here! Look at these delineations!”
The spam includes a link to a Yahoo Groups page that uses offers for free porn to coax people into giving up financial information.
A botnet primarily used to send spam, Pushdo goes by several other names, including Cutwail, Diehard, and Rabbit. Some of the IP addresses used by the audio-captcha buster have been used in the past by the Russian Business Network.
Credit: The Register
Vodafone has been blamed for shipping Mariposa botnet malware and other nasties on an HTC Magic Android smartphone it supplied.
The mobile phone giant’s Spanish arm supplied an HTC Magic smartphone preloaded with malware that attempted to establish a backdoor for stealing information on connected PCs during the synchronisation process. Vodafone acknowledged the problem but said that the incident was an isolated and local problem, which came to light because the customer affected works for Spanish anti-virus firm Panda Security.
The extra code was a strain of the Mariposa bot client that attempted to connect to systems not associated with the recent arrests of three suspected botmasters in Spain, according to an analysis of the attack by Panda Security researcher Pedro Bustamante.
“A quick analysis of the malware reveals that it is in fact a Mariposa bot client,” Bustamante explained. “This one, unlike the one announced last week which was run by Spanish hacker group ‘DDP Team’, is run by some guy named ‘tnls’ as the botnet-control mechanism shows.
“Once infected you can see the malware ‘phoning home’ to receive further instructions, probably to steal all of the user’s credentials and send them to the malware writer,” he added.
The same mobile phone was also infected by Conficker and Lineage password-stealing code, according to Panda. The incident came to light because the infected phone was sold to one of Bustamante’s colleagues in Spain.
In a statement, Vodafone said the problem, which it is investigating, was isolated.
“Vodafone takes the security and privacy of its customers extremely seriously and launched an immediate investigation into this incident.
“Following extensive Quality Assurance testing on HTC Magic handsets in several of our operating companies, early indications are that this was an isolated local incident.
“Vodafone keeps its security processes under constant review as new threats arise, and we will take all appropriate actions to safeguard our customers’ privacy.”
Incidents where computing devices come preloaded with malware are far from unprecedented. Normally problems arise when computers used in manufacturing production lines are themselves infected.
Credit: The Register
The perpetrators of a ticket fraud operation that made use of a botnet to subvert protection mechanisms enforced by ticket vendors were indicted earlier this week. The dedicated network of computers spread across the U.S. ran software that impersonated legit buyers and solved CAPTCHA tests.
It’s a well-known fact that, in order to ensure a fair distribution of tickets to the public, online ticket vendors enforce restrictions such as limiting the number of seats a single individual can obtain. In addition, to make sure that only real humans are able to acquire tickets, the order forms are usually accompanied by CAPTCHA challenges.
The indictment filed in Newark, New Jersey, names Kenneth Lowson, Kristofer Kirsch, Joel Stevenson and Faisal Nahdi as defendants. They operated through several companies and are collectively referred to as the “Wiseguys,” after Wiseguys Tickets, Inc., the first and primary firm they controlled.
The operation, which lasted from late 2002 until January 2009, involved fraudulently purchasing thousands of tickets for various events across the United States, and selling them to ticket brokers at higher prices. Investigators estimate that the Wiseguys racked up profits of almost $29 million by re-selling 1.5 million tickets.
In order to pull off the scheme, the gang employed programmers in the United States and Bulgaria, who coded and constantly adapted the software used to acquire the tickets. The program was so good that it solved CAPTCHAs far quicker than humans and was able to snatch up the best seats at high-profile events as soon as tickets went on sale.
But according to prosecutors, the defendants did not stop at damaging online ticket vendors’ ability to ensure a fair distribution of tickets. Instead, they went as far as setting up a competing company to distribute tickets on behalf of artists or venues, giving assurances that it was capable of doing what the other vendors were failing to do.
“This affair is a perfect example of a targeted attack (here against the online ticket vendors) using malware that is not widespread. The affair demonstrates how important it is for administrators to keep watch over their networks and watch for even the slightest anomalies,” notes Francois Paget, threat researcher at McAfee.
Credit: Softpedia.com News
International cooperation between law enforcement agencies in Spain and the U.S., as well as several security companies, led to the arrest of three Spanish citizens who controlled one of the largest botnets in history. Dubbed Mariposa, the army of zombie computers connected from more than 12 million unique IP addresses.
The Mariposa (Butterfly in English) botnet was identified in May 2009 by researchers from a Canadian information security company named Defence Intelligence. The malware behind the botnet is an information stealing computer trojan, which has seen more than 200 variants to date.
In order to investigate and track the threat more efficiently, security experts from various organizations, including Defence Intelligence, Georgia Tech Information Security Center and Spanish antivirus vendor Panda Security have established the Mariposa Working Group (MWG). The group closely cooperated with the FBI and their Spanish counterpart, La Guardia Civil (the Civil Guard).
The experts managed to hijack the botnet in December, but the cyber-criminals, who called themselves the Días de Pesadilla Team (the Nightmare Days Team), regained control and retaliated with crippling Distributed Denial of Service (DDoS) attacks. A second, more successful takeover allowed researchers to count the number of IP addresses trying to access the Command and Control (C&C) servers and get an idea of the threat’s true scope.
“We were shocked to find that more than 12 million IP addresses were connecting and sending information to the C&C servers, making Mariposa one of the largest botnets in history,” notes Luis Corrons, technical director of PandaLabs, Panda Security’s malware intelligence laboratory. It was also discovered that the gang leased parts of the botnet to other cyber-crooks or sold DDoS services.
In addition, on the infected computers, the trojan displayed rogue ads while surfing the Web and altered Google search results. It also stole personal and financial information, such as online banking credentials and other usernames and passwords.
The authorities were able to identify F. C. R., a 31-year-old bot herder known online as “Netkairo,” after he slipped and accidentally revealed his home IP address. He was arrested by the Spanish Civil Guard in his home town of Balmaseda last month.
Data collected from Netkairo’s computer led to the capturing of two other accomplices, identified only as J. P. R., 30, a.k.a. “jonyloleante”, and J. B. R., 25, a.k.a. “ostiator.” A fourth co-conspirator is believed to be located in Venezuela.
Stolen information belonging to 800,000 users was also found, as well as data belonging to companies, government institutions and educational organizations in 190 countries. “It would be easier for me to provide a list of the Fortune 1000 companies that weren’t compromised, rather than the long list of those who were,” commented Defence Intelligence’s CEO Christopher Davis.
Credit: Softpedia.com News
People flocked to Google Wednesday evening to figure out what was happening with the UltraDNS service, which suffered a DDoS attack at the height of the last-minute shopping season.
An attack directed at the DNS provider for some of the Internet’s larger e-commerce companies–including Amazon, Wal-Mart, and Expedia–took several Internet shopping sites offline Wednesday evening, two days before Christmas.
Neustar, the company that provides DNS services under the UltraDNS brand name, confirmed an attack took place Wednesday afternoon, taking out sites or rendering them extremely sluggish for about an hour. A representative who answered the customer support line said the attacks were directed against Neustar facilities in Palo Alto and San Jose, Calif., and Allen Goldberg, vice president of corporate communications for Neustar, confirmed that at about 4:45 p.m. PST, “our alarms went off.”
Goldberg said the company received a disproportionately high number of queries coming into the system, and analyzed it as an attack. Neustar deployed “a mitigation response” within minutes of the attack, he said, and brought matters under control within an hour. The response limited the problems to Northern California, he said.
In addition to the high-profile sites, dozens of smaller sites that rely upon Amazon for Web-hosting services were also taken down by the attack. Amazon’s S3 and EC2 services were affected by the problems, according to Jeff Barr, Amazon’s lead Web Evangelist, who retweeted a report to that effect without clarification and confirmed it in later tweets.
For a brief period Wednesday evening, “ultradns” was the top search term on Google, likely as frantic technicians at Web sites attempted to figure out what was going on with their sites.
Web sites need DNS providers to translate the character-based URLs that people can remember to the IP addresses that Web sites actually use to list themselves on the Internet. When a DNS provider is overwhelmed with malicious requests for IP addresses, the system can overload and prevent legitimate users from reaching their destinations.
Amazon’s Web Services Health Dashboard declared an all-clear around 6:40 p.m. PST, saying that DNS resolution had returned to normal. Amazon and several other big sites seemed to recover around 5:40 p.m., but some other sites continued to report problems until around 6 p.m.
Needless to say, the timing of such an outage could not have been much worse, as holiday procrastinators rushed to make sure they could get one-day shipping for gifts to be delivered before Christmas Day on Friday.
UltraDNS suffered a similar attack earlier this year, which took out Amazon, Salesforce.com, and other sites. Goldberg described Wednesday’s attack as smaller than that one, in that it affected fewer customers.
However, Amazon is no small customer. Goldberg declined to comment on specific customers affected by the outage, and said Neustar had not yet determined the source of the attack.
One expert thought the attack might have been more widespread.
“This was wider than just UltraDNS,” said Bill Woodcock, research director at Packet Clearing House, which operates domain name servers and supports Internet exchange points around the globe.
“It’s difficult to tell at this point how much is a DDoS attack and how much is collateral damage from the attack that is being felt in other ways,” like a domino effect, he said. “There were routing problems at some major European exchanges at the same time that caused major Internet service providers’ routers to encounter a higher load and pass fewer packets.”
Credit: CNET News, Webware