×
Botnet

Koobface Malware Traced To 5 Russians 64

Posted by timothy from the but-that's-right-near-tampa dept.
New submitter theonlyholle writes "Naked Security, the Sophos IT security blog, has published an article about the authors of the Koobface malware that plagued Facebook users in 2008 and the investigation that led to their identification. Apparently the botnet was created by five Russians from St. Petersburg."
Microsoft

Microsoft Readying Massive Real Time Threat Intelligence Feed 89

Posted by samzenpus from the dangers-of-the-day dept.
chicksdaddy wrote in with a link to a story about a Microsoft project that will share security information in real time with customers and law enforcement. The article reads "Microsoft has proven that it can take down huge, global botnets like Kelihos, Rustock and Waldec. Now the company is ready to start making the data it acquires in those busts available to governments, law enforcement and customers as a real time threat intelligence feed. Representatives from the Redmond, Washington software maker told an audience at the International Conference on Cyber Security (ICCS) here that it was testing a new service to distribute threat data from captured botnets and other sources to partners, including foreign governments, Computer Emergency Response Teams (CERTs) and private corporations."
Botnet

Leaked Online Chats Expose Author of Largest Spam Botnet 78

Posted by Soulskill from the cover-blown dept.
An anonymous reader writes "New analysis of financial records and online chat logs retrieved from the operators of Spamdot.biz — until recently the most notorious spam affiliate program — provides tantalizing clues about the identity of the man behind Cutwail, currently the largest spam botnet. Brian Krebs tells the story of 'Google,' the screen name used by the now-27-year-old botmaster who was part of a team of programmers in Moscow. Over the years, Cutwail has shifted from a spam cannon for male enhancement pills to a major vector for distributing malicious software."
Security

Researchers Build TCP-Based Spam Detection 81

Posted by samzenpus from the beans-without-spam dept.
itwbennett writes "In a presentation at the Usenix LISA conference in Boston, researchers from the Naval Academy showed that signal analysis of factors such as timing, packet reordering, congestion and flow control can reveal the work of a spam-spewing botnet. The work 'advanced both the science of spam fighting and ... worked through all the engineering challenges of getting these techniques built into the most popular open-source spam filter,' said MIT computer science research affiliate Steve Bauer, who was not involved with the work. 'So this is both a clever bit of research and genuinely practical contribution to the persistent problem of fighting spam.'"
Twitter

Twitter Bots Drown Out Anti-Kremlin Tweets 125

Posted by timothy from the more-of-the-same dept.
tsu doh nimh writes "It appears that thousands of Twitter accounts created in advance to blast automated messages are being used to drown out Tweets sent by bloggers and activists this week who are protesting the disputed presidential elections in Russia. Trend Micro first observed on Wednesday the bogus tweets flooding popular hashtags being used by Russians protesting the election and the arrests of hundreds of protesters, including prominent anti-corruption blogger Alexei Navalny. Today, blogger Brian Krebs posted evidence that thousands of accounts apparently auto-created in mid-2011 were being used to flood more than a dozen hashtags connected to the protests, and appear to be all following each other and one master account, presumably the botnet controller."
Security

Hacked MIT Server Used To Stage Attacks 75

Posted by timothy from the always-hurt-the-ones-you-love dept.
wiredmikey writes "A compromised server at the Massachusetts Institute of Technology (MIT) has been identified as being used as a vulnerability scanner and attack tool, probing the Web for unprotected domains and injecting code. According to researchers, the ongoing attacks appear to be related to the Blackhole Exploit Pack, a popular crime kit used by criminals online. The attacks started in June, and an estimated 100,000 domains could have been compromised. Judging by initial data, one MIT server (CSH-2.MIT.EDU) hosts a malicious script actively used by cyber-crooks to scan the web for vulnerable websites. These types of attacks are how BlackHat SEO scams are propagated, which target search results in order to spread rogue anti-virus or other malware. In addition, compromised hosts are also leveraged for other schemes, such as spam or botnet control."
Botnet

Microsoft Drops Suit Against Firm In Botnet Case 49

Posted by samzenpus from the on-second-thought dept.
wiredmikey writes "Microsoft has dismissed a lawsuit against a company it contended a month ago was at the heart of the now-defunct Kelihos botnet. In September, Microsoft named Dominique Piatti and his company dotFree Group SRO as controllers of the botnet. The move marked the first time Microsoft had named a defendant in one of its botnet-related civil suits. 'Since the Kelihos takedown, we have been in talks with Mr. Piatti and dotFree Group s.r.o. and, after reviewing the evidence voluntarily provided by Mr. Piatti, we believe that neither he nor his business were involved in controlling the subdomains used to host the Kelihos botnet,' blogged Richard Domingues Boscovich, Senior Attorney for Microsoft's Digital Crimes Unit. 'Rather, the controllers of the Kelihos botnet leveraged the subdomain services offered by Mr. Piatti's cz.cc domain.' In regards to Kelihos, Boscovich said Microsoft is continuing its legal fight against the 22 'John Does' listed as co-defendants in the lawsuit."
Security

New JBOSS Worm Infecting Unpatched Servers 47

Posted by timothy from the malware-spreadeth dept.
Trailrunner7 writes "There is a new worm circulating right now that is compromising servers running older versions of the JBoss Application Server and then adding them to a botnet. The worm also attempts to install a remote access tool in order to give the attacker control over the newly infected server. The worm has been circulating for a couple of days at least, and it's not clear right now how many servers have been compromised or what the origins of it are. It apparently exploits an old vulnerability in the JBoss Application Server, which was patched in April 2010, in order to compromise new machines. Once that's accomplished, the worm begins a post-infection routine that includes a number of different steps."
Botnet

Most Sophisticated Rootkit Getting an Overhaul 104

Posted by Soulskill from the evil-upgrades dept.
jfruhlinger writes "TDL4, a rootkit that helps build a powerful botnet, is pegged by security vendor ESET as one of the most sophisticated pieces of malware in the world. But its creators aren't resting on their laurels; they're rewriting some of the code from the ground up to make it difficult for antimalware to detect it, creating a hidden boot partition that guarantees malware code will be loaded even before the operating system is. It's part of a plan to turn TDL4 into a turnkey product that can be sold to other criminal operations."
Botnet

Hackers Buying IPv4 Blocks To Evade Detection 89

Posted by Soulskill from the wasting-good-corners-on-bad-hot-dog-stands dept.
Trailrunner7 writes "The number of IP addresses required for large scale botnets to operate effectively can be considerable, and finding large IP blocks to use for them can be difficult. If the botnet operators do find them, the IP addresses often are blacklisted quickly by reputation systems and are then useless for the attackers. Now, in one effort to get around these systems, some attackers are taking advantage of the lack of IPv4 space by either purchasing or renting blocks of IP space with good reputations that have been built up over the course of several years. A number of legitimate trading and auction sites appeared as the IPv4 space became scarcer, and the attackers have gotten involved as well, getting their hands on known good IP blocks and using them for C&C or hosting malware."
Botnet

The Inside Story of the Kelihos Takedown 83

Posted by samzenpus from the with-a-little-help-from-my-friends dept.
Trailrunner7 writes "Earlier this week, Microsoft released an announcement about the disruption of the Kelihos botnet that was responsible for spam messages, theft of sensitive financial information, pump-and-dump stock scams, and distributed denial-of-service attacks. The botnet had a complex, multi-tiered architecture as well as a custom communication protocol and three-level encryption. Kaspersky Lab researchers did the heavy lifting, reversing the protocol and cracking the encryption and then sink-holing the botnet. The company worked closely with Microsoft's Digital Crimes Unit (DCU), sharing the relevant information and providing them with access to our live botnet tracking system."
Botnet

Microsoft Disables Kelihos Botnet 94

Posted by Unknown Lamer from the i'm-down-to-20k-viagra-offers-per-day dept.
Trailrunner7 writes with an excerpt from an article in Threatpost: "Continuing its legal assault on botnet operators and the hosting companies that the criminals use for their activities, Microsoft has announced new actions against a group of people it contends are responsible for the operation of the Kelihos botnet. The company has also helped to take down the botnet itself and says that Kelihos's operators were using it not only to send out spam and steal personal information but also for some more nefarious purposes."
Botnet

SpyEye Botnet Nets Fraudster $3.2M In Six Months 99

Posted by Soulskill from the get-rich-quick-with-malware dept.
wiredmikey writes "The SpyEye Trojan has a well-earned place of respect in the cyber-underground as an adaptable and effective piece of malware. Those same traits have also made it a bane for countless victims and the security community, and new research provides yet another reminder of why. According to security researchers, a hacker in his early 20s known by the alias 'Soldier' led a bank fraud operation that netted $3.2 million in six months. Powered by the SpyEye crimeware kit and aided by money mules and an accomplice believed to reside in Hollywood, Soldier commanded a botnet of more than 25,000 computers between April 19 and June 29 that compromised bank accounts and made off with the profits. Most of the victims were in the U.S., but there were a handful of victims in 90 other countries as well. Among the affected organizations were banks, educational facilities and government agencies."
Australia

Aussie Blogger Hit With DDoS Death Threats 125

Posted by timothy from the bad-childhoods-continue dept.
mask.of.sanity writes "An Australian blogger who blew the lid on emerging domain-name fraud campaigns has received death threats from the scammers. His blog and domain parking company are still being hit with a large distributed denial of service attack that has the death threats embedded as HTML links within its logs. Australia's government CERT team and the U.S. Secret Service (blog servers were hosted on U.S. soil) are pursuing the botnet's command and control servers. Ten days later, the victim is still being attacked and is fighting a cat-and-mouse game as IP address ranges change."
Security

Rent Your Own Botnet 79

Posted by Unknown Lamer from the wake-up-with-missing-kidney dept.
An anonymous reader writes "New research shows that the TDSS/TDL-4 botnet, widely considered one of the largest and most sophisticated, can be rented via a Web storefront available to all comers. Researchers from Kaspersky found that the latest version of TDSS installs a file that sets the machine up as a proxy for anonymous browsing, and then phones home to awmproxy.net, which rents the proxies for rates from $3 per day to $300 a week. The curators of this service even created a Firefox add-on to help customers. 'Interestingly, AWMproxy says it accepts payment via PayPal, MasterCard, and Visa.'"
Spam

Malicious Spam Spikes To 'Epic' Level 130

Posted by samzenpus from the whack-a-mole dept.
Trailrunner7 writes "There has been a huge spike in spam volume in the last few days, including a massive amount of malicious spam with infected attachments, and researchers say that levels of junk mail are now far higher than they were before the takedown of the notorious Spamit affiliate program last fall. The huge spike comes at a time when spam should, in fact, be dropping because of the takedown of the Rustock botnet, the Spamit network and other botnets. 'From the beginning of August, we have observed a huge surge of malicious spam which far exceeds anything we have seen over the past two years, including prior to the SpamIt takedown last October. The majority of the malicious spam comes from the Cutwail botnet, although Festi and Asprox are among the other contributors,' M86 researcher Rodel Mendrez said."
Botnet

Microsoft Offers $250,000 Reward For Botnet Info 99

Posted by Soulskill from the dead-or-alive dept.
Orome1 writes "Microsoft decided to extend their efforts to establish the identity of those responsible for controlling the Rustock botnet by issuing a $250,000 reward for new information that results in the identification, arrest and criminal conviction of such individual(s). 'While the primary goal for our legal and technical operation has been to stop and disrupt the threat that Rustock has posed for everyone affected by it, we also believe the Rustock bot-herders should be held accountable for their actions.' Residents of any country are eligible for the reward pursuant to the laws of that country."
Botnet

Spammers Prefer Compromised Accounts To Botnets 53

Posted by CmdrTaco from the i-prefer-pie-to-cake dept.
Orome1 writes "Spammers today favor compromised accounts for sending spam, gradually shifting distribution away from botnets, according to Commtouch. The changed tactic has emerged as spam levels dropped dramatically, following several high-profile botnet takedowns. Spammers are now using a combination of malware and phishing to compromise legitimate accounts and then using these accounts to send low-volume spam outbreaks."
Botnet

Microsoft: No Botnet Is Indestructible 245

Posted by timothy from the when-st-peter-calls-us-all-out dept.
CWmike writes "No botnet is invulnerable, a Microsoft lawyer involved with the Rustock take-down said Tuesday, countering claims that another botnet was 'practically indestructible.' Richard Boscovich, a senior attorney with Microsoft's Digital Crime Unit said, 'If someone says that a botnet is indestructible, they are not being very creative legally or technically. Nothing is impossible. That's a pretty high standard.' Instrumental in the effort that led to the seizure of Rustock's command-and-control servers in March, Boscovich said Microsoft's experience in take-downs of Waledac in early 2010 and of Coreflood and Rustock this year show that any botnet can be exterminated. 'To say that it can't be done underestimates the ability of the good guys,' Boscovich said. 'People seem to be saying that the bad guys are smarter, better. But the answer to that is 'no.''"
Security

Microsoft Says Reinstall Overkill In Removing Rootkit 203

Posted by timothy from the try-this-handy-therapeutic-coma dept.
CWmike writes "Microsoft has clarified the advice it gave users whose Windows PCs are infected with a new, sophisticated rootkit dubbed Popereb that buries itself on the hard drive's boot sector, noting Wednesday that a complete OS reinstall is not necessary. 'If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state,' MMPC engineer Chun Feng wrote in an updated blog entry. Feng provided links to instructions on how to use the Recovery Console for Windows XP, Vista and Windows 7. Once the MBR has been scrubbed, users can run antivirus software to scan the PC for additional malware for removal, Feng added. Several security researchers agreed with Microsoft's revisions, but a noted botnet expert doubted that the advice guaranteed a clean PC. But an internationally-known botnet expert disagrees. Joe Stewart, director of malware research at Dell SecureWorks, said, 'Once you're infected, the best advice is to [reinstall] Windows and start over ... [MBR rootkits] download any number of other malware. How much of that are you going to catch? This puts the user in a tough position.' MBR rootkit malware is among the most advanced of all threats."

Slashdot Top Deals