Botnet

Dutch Police Takedown C&Cs Used By Grum Botnet 45

wiredmikey writes "Dutch authorities have pulled the plug on two secondary servers used by the Grum botnet, a large botnet said to produce about 17% of the world's spam. According to researchers from FireEye, the backup C&C servers were located in the Netherlands, and once word of their existence was released, Dutch authorities quickly seized them. While any C&C server takedown is a win, the impact may be minimal, as the two primary servers are fully active, and the datacenters hosting them are unresponsive to fully documented abuse reports. That being said, FireEye's Atif Mushtaq noted that the botnet does has some weak spots, including the fact that Grum has no failback mechanism, has just a few IPs hardcoded into the binaries, and the botnet is divided into small segments, so even if some C&Cs are not taken down, part of botnet can still remain offline. The removal of the C&C servers shines light on how quickly some law enforcement agencies work, given that proof of their existence is just over a week old."
Security

Paul Vixie On DNS Changer: We're Dealing With Malware the Wrong Way 163

AlistairCharlton writes with this snippet: "Victims of the DNS Changer malware think they have better things to do than check their internet security, and as a digital society we're dealing with malware in completely the wrong way. These are the thoughts of Paul Vixie who worked with the FBI in intercepting servers used by a gang of Estonian hackers who made millions of dollars from redirecting internet users away from the websites they requested, directing them to advertisements instead." The linked article also offers an interesting description of how the FBI's quiet takeover of a botnet came to be.
Android

Microsoft Engineer Discovers Android Spam Botnet, Google Denies Claim 152

An anonymous reader writes "Microsoft engineer Terry Zink has discovered Android devices are being used to send spam. He has identified an international Android botnet and outlined the details on his MSDN blog. A closer look at the e-mails' header information shows all the messages come from compromised Yahoo accounts. Furthermore, they are also stamped with the 'Sent from Yahoo! Mail on Android' signature. Google has denied the allegations. 'The evidence does not support the Android botnet claim,' a Google spokesperson said in a statement. 'Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using.'"
Government

FBI To Shut Down DNSChanger Servers Monday -- But Should It Cut Off 300k PCs? 140

nk497 writes "The FBI is set to pull the plug on DNSChanger servers on Monday, leaving as many as 300,000 PCs with the wrong DNS settings, unable to easily connect to websites — although that's a big improvement from the 4m computers that would have been cut off had the authorities pulled the plug when arresting the alleged cybercriminals last year. The date has been pushed back once already to allow people more time to sort out their infected PCs, but experts say it's better to cut off infected machines than leave them be. 'Cutting them off would force them to get ahold of tech support and reveal to them that they've been running a vulnerable machine that's been compromised,' said F-Secure's Sean Sullivan. 'They never learn to patch up the machine, so it's vulnerable to other threats as well. The longer these things sit there, the more time there is for something else to infect.'"
Security

Ask Slashdot: Security Digests For the Home Network Admin? 123

New submitter halcyon1234 writes "I'm currently cutting the webhost cord, and setting up a simple webserver at home to host a couple hobby websites and a blog. The usual LAMP stuff. I have just enough knowledge to be dangerous; I know how to get everything set up and get it up to date, but not enough to be sure I'm not overlooking common, simple security configurations. And then there's the issue of new vulnerabilities being found that I'm not even aware of. The last thing I want is to contribute to someone's botnet or spam relay. What readings/subscriptions would you recommend for security discussions/heads up? Obviously I already read (too much) Slashdot daily, which I credit for hearing about some major security issues. Are there any RSS feeds or mailing lists you rely on for keeping up to date on security issues?"
Botnet

White House Announces Initiative To Fight Botnets 89

benfrog writes "ISPs and financial-services companies would share data about computers made into botnets under a pilot program announced today by the Obama administration. From the article: 'The voluntary principles announced today include coordinating across sectors and confronting the problem globally. They were developed by the Industry Botnet Group, comprising trade groups including the Business Software Alliance and TechAmerica.' The White House is also backing a bill proposed by Joe Lieberman that would put the Department of Homeland Security in charge of cybersecurity of vital systems such as power grids and transportation networks."
Botnet

Four Years Jail For Bredolab Botnet Author 47

angry tapir writes "The creator of the Bredolab malware has received a four-year prison sentence in Armenia for using his botnet to launch DDoS attacks that damaged multiple computer systems owned by private individuals and organizations. G. Avanesov was sentenced by the Court of First Instance of Armenia's Arabkir and Kanaker-Zeytun administrative districts for offenses under Part 3 of the Article 253 of the country's Criminal Code — intentionally causing damage to a computer system with severe consequences."
Australia

Employee "Disciplined" For Installing Bitcoin Software On Federal Webservers 86

Fluffeh writes "Around a year ago, a person working for the ABC in Australia with the highest levels of access to systems got caught with his fingers on the CPU cycles. The staffer had installed Bitcoin mining software on the systems used by the Australian broadcaster. While the story made a bit of a splash at the time, it was finally announced today that the staffer hadn't been sacked, but was merely being disciplined by his manager and having his access to systems restricted. All the stories seem a little vague as to what he actually installed, however — on one side he installed the software on a public facing webserver, and the ABC itself admits, 'As this software was for a short time embedded within pages on the ABC website, visitors to these pages may have been exposed to the Bitcoin software,' and 'the Coalition (current Opposition Parties) was planning on quizzing the ABC further about the issue, including filing a request for the code that would have been downloaded to users' machines,' but on the other side there is no mention of the staffer trying to seed a Bitcoin mining botnet through the site, just that mining software had been installed."
Security

Flashback Click Fraud Campaign Was a Bust 29

zarmanto writes "It seems the Flashback botnet has netted their creators nothing but frustration. Flashback was tagged early on by anti-virus vendors, who promptly sink-holed many of the command & control addresses, and essentially crippled the hacker's ability to control the vast majority of the Flashback botnet... but that's not the best part. The Flashback spawned click fraud campaign resulted in... nada! It seems that their pay-per-click affiliate may be on to their scheme, as they refused to pay out. Score one for the good guys, for once."
Security

A Week After Apple's Fix, Flashback Still Infects Half a Million Macs 161

Sparrowvsrevolution writes "Security firm Dr. Web released new statistics Friday showing that the process of eliminating Flashback from Macs is proceeding far slower than expected: On Friday the security firm, which first spotted the Mac botnet earlier this month, released new data showing that 610,000 active infected machines were counted Wednesday and 566,000 were counted Thursday. That's a slim decrease from the peak of 650,000 to 700,000 machines infected with the malware when Apple released its cleanup tool for the trojan late last week. Earlier in the week, Symantec reported that only 140,000 machines remained infected, but admitted Friday that an error in its measurement caused it to underestimate the remaining infections, and it now agrees with Dr. Web's much more pessimistic numbers."
Botnet

Apple Updates Java To Include Flashback Removal 121

Fluffeh writes "In the third update to Java that Apple has released this week, the update now identifies and removes the most common variants of the Flashback malware that has infected over half a million Apple machines. 'This Java security update removes the most common variants of the Flashback malware,' Apple wrote in the support document for the update. 'This update also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets.'"
Botnet

Stuxnet Allegedly Loaded By Iranian Double Agents 167

First time accepted submitter rainbo writes "According to a report from ISSSource, a saboteur who was likely a member of an Iranian dissident group loaded the Stuxnet virus on to a flash drive and infected machines at the Natanz nuclear facility. Iran's intelligence minister, Heydar Moslehi, said that an unspecified amount of 'nuclear spies' were arrested on ties to this attack. Some officials believe these spies belonged to Mujahedeen-e-Khalq (MEK), which is used as the assassination arm of the Israeli Mossad."
Botnet

Apple Snubs Security Firm That Spotted Mac Botnet 409

Sparrowvsrevolution writes "Now that it's being increasingly targeted by botnet herders, Apple has a thing or two to learn about cooperating with friendly security researchers. Boris Sharov, the CEO of Dr. Web, the Russian security company that first reported more than half a million Macs were infected with Flashback malware last week, says when his company alerted Apple to the botnet, it never responded to him. Worse yet, on Monday Apple asked a Russian registrar to take down a domain it said was being used to host a command and control server for Flashback, but in fact was a 'sinkhole' that Dr. Web had set up to observe and analyze the botnet. Sharov describes the lack of communication and cooperation as a symptom of a company that has never before had to work closely with the security industry. 'For Microsoft, we have all the security response team's addresses,' he says. 'We don't know the antivirus group inside Apple.'"
Spam

Good News: A Sustained Drop In Spam Levels 75

Orome1 writes "Industry and government efforts have dealt a significant blow to spam, according to a Commtouch report that is compiled based on an analysis of more than 10 billion transactions handled on a daily basis. The sustained decrease in spam over the last year can be attributed to many factors, including: Botnet takedowns, increased prosecution of spammers and the source industries such as fake pharmaceuticals and replicas. However, spam is still four times the level of legitimate email and cybercriminals are increasing their revenues from other avenues, such as banking fraud malware."
Security

Researchers Say Kelihos Gang Is Building New Botnet 110

alphadogg writes "The cyber-criminal gang that operated the recently disabled Kelihos botnet has already begun building a new botnet with the help of a Facebook worm, according to security researchers from Seculert. Security experts from Kaspersky Lab, CrowdStrike, Dell SecureWorks and the Honeynet Project, announced that they took control of the 110,000 PC-strong Kelihos botnet on Wednesday using a method called sinkholing. That worm has compromised over 70,000 Facebook accounts so far and is currently distributing a new version of the Kelihos Trojan."
Security

MacControl Trojan Being Used In Targeted Attacks Against OS X Users 187

Trailrunner7 writes "Welcome to the age of targeted attacks, Mac users. Perhaps having grown tired of owning Windows machines around the world for the last few years, attackers have now taken up the challenge of going after Macs with the same kind of targeted attack tactics that have served them so well in the Windows world. Researchers have found a new attack that employs two separate pieces of malware, a malicious Word document and some techniques for maintaining persistence on compromised machines, and the campaign is specifically targeted at Mac users. The command-and-control domain involved in the attack is located in China and the attack exploits a three-year-old vulnerability in the way that Office for Mac handles certain Word files, according to researchers at AlienVault, who discovered and analyzed the attacks."
Botnet

Taking Down DNSChanger: A First Person Account 46

penciling_in writes "Paul Vixie shares his personal account of the DNSChanger takedown operation, working with the FBI and a worldwide team. He also explains the delay issues in identifying and notifying victims, which resulted in the FBI asking the judge for an extension. They were given four more months. 'On July 9 2012 the replacement DNS servers operated by ISC will be shut down and any victims who still depend on these servers will face new risks,' he warns. A half-dozen national Internet security teams around the world have created special websites that will display a warning message to potential victims of the DNS Changer infection. The full list of these 'DNS Checking' websites is published by the DNS Changer Working Group."
Botnet

Political Party's Leadership Election Hit By DDoS Attack 100

New submitter lyran74 writes "Saturday's electronic leadership vote for Canada's New Democratic Party was plagued by delays caused by a botnet DDoS attack, coming from over 10,000 machines. Details are still scarce, but Scytl, who provided electronic voting services, will have to build more robust systems in the future in anticipation of such attacks. Party and company officials say an audit proved the systems and integrity of the vote were not compromised."
Botnet

Microsoft Leads Sting Operation Against Zeus Botnets 114

wiredmikey writes "Microsoft, in what it called its 'most complex effort to disrupt botnets to date,' and in collaboration with partners from the financial services industry, has successfully taken down operations that fuel a number of botnets that make up the notorious Zeus family of malware. In what Microsoft is calling 'Operation b71,' Microsoft and its co-plaintiffs, escorted by U.S. Marshals, seized command and control (C&C) servers in two hosting locations on March 23 in Scranton, Pennsylvania and Lombard, Illinois. The move was to seize and preserve data and evidence from the botnets for the case. In addition to seizing the C&C servers, the group took down two IP addresses behind the Zeus command and control structure, and secured 800 domains that Microsoft is now monitoring and using to help identify computers infected by Zeus."

Slashdot Top Deals