Botnet herders have sophisticated "disaster recovery" plans, according to speakers at a recent cybersecurity conference, with many splitting their botnets into smaller herds, making them more resilient. In addition, kierny writes: Researchers say these backup botnets are tough to detect, until gangs have already spooled them up and put them to use in major campaigns... "What we're seeing is the bad guys are starting to learn from this," said Steven Wilson, head of the European Cybercrime Center at Europol -- the EU's law enforcement agency...
Wilson said authorities are now gathering tremendous amounts of data by "sink-holing" -- forcibly redirecting the infected endpoints onto servers controlled by law enforcement. And he also reports that authorities have also successfully mined the blockchains of bitcoin transactions for information. Eamonn Keane, A detective from a cybercrime unit with the Scotland Police, added that authorities are also infiltrating dark net forums to bust bitcoin-using criminals. "Are law enforcement in there? Absolutely... We have a mandate to protect you in the real world; increasingly it's moving into the online environment."

schwit1 quotes a report from ZDNet: A botnet and cyberattack campaign is infecting victims across the globe and appears to be tracking the actions of specially selected targets in sectors ranging from government to engineering. Researchers from Forcepoint Security Labs have warned that the campaign it has dubbed 'Jaku' -- after a planet in the Star Wars universe because of references to the sci-fi saga in the malware code -- is different to and more sophisticated than many botnet campaigns. Rather than indiscriminately infecting victims, this campaign is capable of performing "a separate, highly targeted operation" used to monitor members of international non-governmental organizations, engineering companies, academics, scientists and government employees, the researchers said. The findings are set out in Forcepoint's report on Jaku, which outlines how of the estimated 19,000 unique victims, 42 percent are in South Korea and a further 31 percent in Japan. Both are countries and neighbors of North Korea. A further nine percent of Jaku victims are in China, six percent in the US, with the remainder spread across 130 other countries.

Patrick O'Neill quotes a report from The Daily Dot: The FBI team that brought down Silk Road has a new home. After headline-grabbing investigations, arrests, and prosecutions on some of America's highest-profile cybercriminals, five of U.S. law enforcement's most prized cybercrime aces have all left government service for greener pastures -- a titan consulting firm called Berkeley Research Group (BRG). BRG's newly hired gang of five includes former federal prosecutor Thomas Brown, as well as former FBI agents Christopher Tarbell, Thomas Kiernan, and Ilhwan Yum -- names that punctuated many of the biggest cybercrime stories of the last decade including Silk Road, LulzSec, Liberty Reserve, as well as the hacks of Citibank, PNC Bank, and the Rove Digital botnet; and the prosecution of Samarth Agrawal for stealing crucial code for high-frequency trading from the multinational, multibillion dollar bank Societe Generale. "Private industry provides a lot of opportunity," NYPD intelligence chief Thomas Galati told Congress earlier this year. "So I think the best people out there are working for private companies, and not for the government."

An anonymous reader writes: According to Softpedia, "Security researchers from SurfWatch Labs have shut down a secret plan to hack and infect hundreds or possibly thousands of forums and websites hosted on the infrastructure of Invision Power Services, makers of the IP.Board forum platform." The man behind this plan was a hacker known as AlphaLeon, maker of the Thanatos malware-as-a-service platform. AlphaLeon hacked IP.Board's customer hosting platform, and was planning to place an exploit kit that would infect the visitors to these websites with his Thanatos trojan, in order to grow his botnet. Some of the companies using IP.Board-hosted forums include Evernote, the NHL, the Warner Music Group, and Bethesda Softworks (Elder Scrolls, Fallout, Wolfenstein, Doom games).

Warwick Ashford, reporting for ComputerWeekly: Qbot malware will become a potent threat, facilitated by exploit kits for initial infection and automated to gain maximum victim count, warns BAE Systems. The incident response team at BAE Systems is warning of a strain of the virulent Qbot malware that has hit thousands of public sector computers around the world. The malware -- also known as the Qakbot botnet -- first appeared in 2009 and was uploading 2GB of stolen confidential information to its FTP servers each week by April 2010 from private and public sector computers, including 1,100 on the NHS network in the UK. A modified version of the malware has resurfaced that is believed to have infected more than 54,000 PCs in thousands of organisations around the world and added them to its botnet of compromised machines, with 85% of infections in the US.

An anonymous reader shares an article on Ars Technica: A botnet that enslaved about 4,000 Linux computers and caused them to blast the Internet with spam for more than a year has finally been shut down. Sophisticated Mumblehard spamming malware flew under the radar for five years. Known as Mumblehard, the botnet was the product of highly skilled developers. It used a custom "packer" to conceal the Perl-based source code that made it run, a backdoor that gave attackers persistent access, and a mail daemon that was able to send large volumes of spam. Command servers that coordinated the compromised machines' operations could also send messages to Spamhaus requesting the delisting of any Mumblehard-based IP addresses that sneaked into the real-time composite blocking list, or CBL, maintained by the anti-spam service. "There was a script automatically monitoring the CBL for the IP addresses of all the spam-bots," researchers from security firm Eset wrote in a blog post published Thursday. "If one was found to be blacklisted, this script requested the delisting of the IP address. Such requests are protected with a CAPTCHA to avoid automation, but OCR (or an external service if OCR didn't work) was used to break the protection."

An anonymous reader writes: Google has launched a free tool to help all media sites and and other organisations protect themselves against Distributed Denial of Service (DDoS) attacks. The Project Shield initiative allows websites to redirect traffic through Google's existing infrastructure, in order to keep their content online in the face of such attacks. Google will aim to work with smaller sites which do not necessarily have the money or are not fully equipped with strong enough infrastructure to the attacks. However, the Shield tool has also been made available to larger outlets, such as popular news sites and human rights platforms.

An anonymous reader writes: The Linux Mint website was hacked last night and was pointing to malicious ISOs that contained an IRC bot known as TSUNAMI, used as part of an IRC DDoSing botnet. While the Linux Mint team says they were hacked via their WordPress site, security experts have discovered that their phpBB forum database was put up for sale on the Dark Web at around the same time of the hack. Also, it seems that after the Linux Mint team cleaned their website, the hackers reinfected it, which caused the developers to take it down altogether.

An anonymous reader writes: archive.org has launched a Museum of Malware, which devotes itself to a historical look at DOS-based viruses of the 1980s and 1990s, and gives viewers the opportunity to run the viruses in a DOS game emulator, and to download 'neutered' versions of the code. With an estimated 50,000 DOS-based viruses in existence by the year 2000, the Malware Museum's 65 examples should be seen as representative of an annoying, but more innocent era of digital vandalism.

An anonymous reader writes: A new malware family called ProxyBack infects PCs and transforms them into a Web proxy. ProxyBack malware works by infecting a PC, establishing a connection with a proxy server controlled by the attackers, from where it receives instructions, and later the traffic it needs to route to actual Web servers. Each machine infected with ProxyBack works as a bot inside a larger network controlled by the attackers, who send commands and update instructions via simple HTTP requests. Some of the people infected with this malware, mysteriously found their IP listed on the buyproxy.ru Web proxy service.A technical write-up of the infection steps and various malware commands is available on the Palo Alto Networks blog.

An anonymous reader writes: Security researchers found around 8,000 Aethra routers (with no admin passwords) as part of a botnet that attacked WordPress sites, trying to brute-force admin accounts. Most routers were deployed in enterprise networks in Italy. Each device could have be used to launch DDoS attacks with a capability between 1 to 10 Gbps, based on the company's bandwidth. Things could be worse, though: Additional investigation also revealed that some of the routers were also susceptible to various reflected XSS and CSRF attacks that would also allow attackers to take control of the device, even if using different login credentials. Using Shodan, a search engine for locating Internet-connected devices, researchers found over 12,000 of Aethra routers around the world, 10,866 in Italy alone, and over 8,000 of these devices were of the model detected in the initial brute-force attack (Aethra Telecommunications PBX series). At that time, 70% of these Aethra routers were still using their default login credentials

An anonymous reader writes: Microsoft said in a blog post Thursday that it aided law enforcement agencies in several regions to disrupt a 4-year-old botnet called Dorkbot. The botnet aims to steal login credentials from services such as Gmail, Facebook, PayPal, Steam, eBay, Twitter and Netflix and has infected one million computers worldwide. The company didn't provide details on how Dorkbot's infrastructure was disrupted.

An anonymous reader writes: Researchers have discovered a large number of zero-day flaws in 8 routers/modems from 4 manufacturers (ZTE, Huawei, Gemtek, Quanta) that would allow attackers to build a huge botnet by leveraging just a few exploits. Vulnerabilities include remote code execution, firmware rewrites, XSS, and CSRF. All these allow attackers to intercept both HTTP and HTTPS Web traffic, infect computers beyond the modem, intercept SMS messages, and detect the modem's geographical location. After six months, manufacturers have failed to fix the issues.

An anonymous reader writes: Researchers from the Delft University of Technology have developed a self-replicating, mutating Android app which can create on-the-fly mesh networks in the event of an infrastructural disaster, or the enabling of internet kill switches by oppressive regimes. The app's source is available at GitHub, and the app itself requires no root privileges to propagate. It can self-compile while it mutates — for example, from a game to a calculator — in transit from one Android device to another, and compatibility with iOS and Windows phones is anticipated.

WarJolt writes: The plug was pulled on the attempt to crowd-source an Arch Linux install after a botnet threatened to take over the process. Twitch Installs has been rebooted by the twitchintheshell community and Twitch Installs users managed to reinstall Arch only to be thwarted by the botnet. The botnet managed to partially install Gentoo. Users are currently in the process of reinstalling Arch.

itwbennett writes: Brad Duncan, a security researcher with Rackspace, on Friday wrote on the Internet Storm Center blog that 'the Dridex botnet administrator was arrested on 2015-08-28, and Palo Alto Networks reported Dridex was back by 2015-10-01. That represents an outage of approximately one month.' The lesson here, writes Jeremy Kirk in an article on CSOonline is that 'while law enforcement can claim temporary victories in fighting cybercriminal networks, it's sometimes difficult to completely shut down their operations.'

chicksdaddy writes: The parade of horribles continues on the Internet of Things, with a report from the security firm Incapsula that its researchers discovered compromised closed circuit cameras as well as home network attached storage (NAS) devices participating in denial of service attacks. The compromised machines included a CCTV at a local mall, just a couple minutes from the Incapsula headquarters.

According to the report, Incapsula discovered the infections as part of an investigation into a distributed denial of service attack on what it described as a "rarely-used asset" at a "large cloud service." The attack used a network of 900 compromised cameras to create a flood of HTTP GET requests, at a rate of around 20,000 requests per second, to try to disable the cloud-based server. The cameras were running the same operating system: embedded Linux with BusyBox, which is a collection of Unix utilities designed for resource-constrained endpoints.

The malware in question was a variant of a self-replicating program known as Lightaidra, which targets systems running BusyBox and exploits vulnerable Telnet/SSH services using so-called "brute force dictionary attacks" (aka "password guessing"). Given that many Internet connected devices simply use the default administrator credentials when deployed, calling it a "brute force" attack is probably a stretch.

An anonymous reader writes: The UK's National Crime Agency (NCA) has issued a warning to UK online banking consumers to guard against the possibility of having been infected by the Dridex malware, which spreads via macros in infected Microsoft documents and is currently estimated to have cost £20mn to UK consumers. The NCA says that it is working with the FBI and several European authorities in a concerted campaign to take down the botnet behind the current crop of infections. Dridex is a derivative of the Cridex strain of banking malware, which itself stole many techniques from the GameOver Zeus malware package.

An anonymous reader writes: Whenever people think of APTs and targeted attacks, they ask: who did it? What did they want? While those questions may well be of some interest, a potentially more useful question to ask is: what information about the attacker can help organizations protect themselves better? Let's look at things from the perspective of a network administrator trying to defend an organization. If someone wants to determine who was behind an attack, maybe the first thing they'll do is use IP address locations to try and determine the location of an attacker. However, say an attack was traced to a web server in Korea. What's not to say that whoever was responsible for the attack also compromised that server? What makes you think that site's owner will cooperate with your investigation?

An anonymous reader writes: The U.S. Department of Justice has announced that Dimitry Belorossov, a.k.a. Rainerfox, an operator of the "Citadel" malware, has been sentenced to 4.5 years in prison following a guilty plea. Citadel was a banking trojan capable of stealing financial information. Belorossov and others distributed it through spam emails and malvertising schemes. He operated a 7,000-strong botnet with the malware, and also collaborated to improve it. The U.S. government estimates Citadel was responsible for $500 million in losses worldwide. Belorossov will have to pay over $320,000 in restitution.