CWmike writes "A new and improved botnet that has infected more than four million PCs is 'practically indestructible,' security researchers say. TDL-4, the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is 'the most sophisticated threat today,' said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis on Monday. Others agree. 'I wouldn't say it's perfectly indestructible, but it is pretty much indestructible,' Joe Stewart, director of malware research at Dell SecureWorks and an internationally-known botnet expert, told Computerworld on Wednesday. 'It does a very good job of maintaining itself.' Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and more, importantly, security software designed to sniff out malicious code. But that's not TDL-4's secret weapon. What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers. 'The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet,' said Roel Schouwenberg, senior malware researcher at Kaspersky. 'The TDL guys are doing their utmost not to become the next gang to lose their botnet.'"

Orome1 writes "Bitcoin has definitely caught the attention of criminals. Even though it has been calculated that the use of botnets for Bitcoin mining is still not quite as lucrative as renting them out for other purposes, targeting people who have them in their digital wallets is quite another matter. Symantec researchers have spotted in the wild a Trojan dedicated to this specific purpose. Named Infostealer.Coinbit, it searches for the Bitcoin wallet.dat file on the infected computer and sends it to the criminal(s)."

itwbennett writes "Although it is extremely unlikely that anyone associated with Rustock will step forward, Microsoft has taken out ads in two Russian newspapers to notify unnamed defendants in the legal suit. The move is a legal formality required as part of Microsoft's ongoing lawsuit in the U.S. against operators of Rustock. The advertisements will run for 30 days in the Delovoy Petersburg newspaper, located in St. Petersburg, and in The Moscow News, a daily newspaper, wrote Richard Boscovich, a senior attorney with Microsoft's Digital Crimes Unit."

Orome1 writes "Spammers are establishing their own fake URL-shortening services to perform URL redirection, according to Symantec. This new spamming activity has contributed to this month's increase in spam by 2.9 percentage points, a rise that was also expected following the Rustock botnet takedown in March. Under this scheme, shortened links created on these fake URL-shortening sites are not included directly in spam messages. Instead, the spam emails contain shortened URLs created on legitimate URL-shortening sites. These shortened URLs lead to a shortened-URL on the spammer's fake URL-shortening Web site, which in turn redirects to the spammer's own Web site."

It's fun sometimes to be smug because you are ("one is") using an operating system less susceptible to malware, or at least less targeted by malware creators, than is Microsoft Windows. Now, reader Orome1 writes with word of a Java-based, equal-opportunity botnet Trojan, excerpting from Help Net Security's report: "'IncognitoRAT is one example of a Java-based Trojan discovered in the wild that is being downloaded and installed by another component. This malware behaves like other Windows botnets but uses source code and libraries that can operate on other platforms,' explains McAfee's Carlos Castillo." So far, no mention of a Linux version, though.

CWmike writes "Federal authorities will remotely uninstall the Coreflood botnet Trojan from some infected Windows PCs over the next four weeks. Coreflood will be removed from infected computers only when the owners have been identified by the DOJ and they have submitted an authorization form to the FBI. The DOJ's plan to uninstall Coreflood is the latest step in a coordinated campaign to cripple the botnet, which controls more than 2 million compromised computers. The remote wipe move will require consent, and the action does come with warnings from the court that provided the injunction against the botnet, however. 'While the 'uninstall' command has been tested by the FBI and appears to work, it is nevertheless possible that the execution of the 'uninstall' command may produce unanticipated consequences, including damage to the infected computers,' the authorization form reads. FBI Special Agent Briana Neumiller said, 'The process does not affect any user files on an infected computer, nor does it ... access any data on the infected computer.' The DOJ and FBI did not say how many machines it has identified as candidates for its uninstall strategy, but told the judge that FBI field offices would be notifying affected people, companies and organizations."

itwbennett writes "In an unprecedented move, the Department of Justice (DOJ) and the FBI have been issued a temporary restraining order that will allow the FBI and the US Marshal for the District of Connecticut to set up servers at the Internet Systems Consortium or other ISPs that would stop infected computers from continuing to spread the Coreflood virus, according to court records. This week, the DOJ and FBI seized five servers that controlled Coreflood-infected computers, the DOJ said in a press release. The agencies also seized 29 domain names used by the Coreflood botnet to communicate with the servers."

wiredmikey writes "The Rustock Botnet was sending as many as 13.82 billion spam emails each day before being taken down early this month by an effort headed by Microsoft in cooperation with authorities and the legal system. According to Symantec's March 2011 MessageLabs Intelligence Report, the Rustock botnet had been responsible for an average of 28.5% of global spam sent from all botnets in March. Following the takedown, when the Rustock botnet was no longer cranking out spam by the billions, global spam volumes fell by one-third. For reference, toward the end of 2010, Rustock had been responsible for as much as 47.5% of all spam, sending approximately 44.1 billion e-mails per day, according to MessageLabs stats. Since then, Bagle, a botnet that wasn't even on MessageLabs' top ten spam-sending botnets at the end of 2010, has taken over from Rustock as the most active spam-sending botnet this year."

h4rm0ny writes "Microsoft, in cooperation with Federal agents, conducted what the Wall Street Journal described as 'sweeping legal attacks' as they entered facilities in Kansas City, Scranton, Pa, Denver, Dallas, Chicago, Seattle and Columbus, Ohio to seize alleged 'command and control' machines for the Rustock botnet — described as the largest source of spam in the world. The operation is intended to 'decapitate' the botnet, preventing the seized machines from sending orders to suborned PCs around the world."

An anonymous reader writes "Steve Santorelli gets computing experts and law enforcers to cooperate in a global fight against organized Internet crime. This article talks about the role of law enforcement in identifying and battling online threats as they change and evolve. Quoting: 'The common wisdom about hacking and cybercrime is, in Santorelli's view, severely out of date. He says cybercriminals aren’t lone wolves; they are financed and directed by international criminal syndicates. ... Organized crime also has vast resources derived from its traditional operations to finance the hiring of quality hackers around the world. There is even evidence that some syndicates are investing in research and development, looking to create proprietary, next-generation hacking tools, Santorelli says.'"

RedEaredSlider writes "The Conficker worm is still a threat, even though it is more than two years old and nobody has used it in a botnet attack yet. The problem is that so many machines are infected (largely because many don't realize it) and it's such a flexible piece of malware."

Trailrunner7 writes "Spammers aren't the only ones who have figured out that social networks like Twitter and Facebook are good for business. Sophisticated hackers conducting targeted attacks are also using the networks as a tool to manage malware installations on victims' networks. Mandiant's latest "M-Trends" report, released on Thursday, says that the company has observed an increasing number of so-called "Advanced Persistent Threats" that are hijacking legitimate social networks and Web based services, including Facebook, Google Chat and MSN as command and control networks for malware installations. The revelation is part of a larger trend that saw sophisticated attacks on commercial entities outstrip attacks on the networks of government agencies and defense industry players, Mandiant reported."

alphadogg writes "A new report from Akamai Technologies (CT: Requires login) shows that hackers appear to be increasingly using the Telnet remote access protocol to attack corporate servers over mobile networks. The report, which covers the third quarter of 2010, shows that 10 percent of attacks that came from mobile networks are directed at Port 23, which Telnet uses. That marks a somewhat unusual spike for the aging protocol used to log into remote servers but that has been gradually replaced by SSH."

Trailrunner7 writes "The amount of spam hitting users' inboxes fell off a cliff in late December, with many security experts attributing the decline to the sudden disappearance of the Rustock botnet and other networks from the spam business. But the level of spam has begun to gain back some of the ground it lost today as other spammers have taken up the slack. Researchers say that after the sudden drop-off in spam volumes, things stayed fairly quiet for a time, but now it seems that other spammers have picked up where Rustock and the other spamming operations left off. The volume of spam took a big jump upward in the last 24 hours, according to researchers at Websense. The volume of spam hasn't made it all the way back to the levels of the last few months of 2010, but it seems to be on the way."

Batblue writes "A botnet fingered for stealing a treasure trove of information last year has struck again, harvesting sensitive documents from dozens of government agencies and contractors, according to a pair of security experts. The botnet, dubbed 'Kneber' by Alex Cox, principal research analyst at NetWitness, was behind a campaign of fake Christmas e-mails waged two weeks ago against government workers. NetWitness deals in advanced threat detection technologies, and conducts post mortem network forensics for firms that have been hit with attacks or data breaches."

CWmike writes "Microsoft confirmed on Tuesday an unpatched vulnerability in Windows just hours after a hacking toolkit published an exploit for the bug. A patch is under construction, but Microsoft does not plan to issue an emergency update to fix the flaw. The bug was first discussed Dec. 15 at a South Korean security conference, but got more attention Tuesday when the open-source Metasploit penetration tool posted an exploit module crafted by researcher Joshua Drake. Metasploit says successful attacks are capable of compromising victimized PCs, then introducing malware to the machines to pillage them for information or enlist them in a criminal botnet."

Trailrunner7 writes "A new spam campaign that appeared shortly before the New Year is part of a new effort by the crew behind the Storm/Waledac botnet and is using some rather elementary tactics — in combination with fast-flux — to attempt to compromise unsuspecting users. The new attack emerged late last week and is fronted by a fairly lame spam campaign that is sending millions of emails that appear to be holiday e-cards, one of the older and more threadbare techniques in this particular game. According to an analysis of the attack by the researchers at the Shadowserver Foundation, victims who click on the link in the email are directed to one of a number of compromised domains, which then redirect the user to another page that displays a message asking the user to download a fake Flash player. This, of course, installs a piece of malware on the victim's machine."

wiredmikey writes that researchers from Lookout Mobile have discovered a sophisticated Trojan targeting Android devices. "The company says the mobile malware is 'The most sophisticated Android malware we've seen to date. Geinimi is also the first Android malware in the wild that displays botnet-like capabilities. Once the malware is installed on a user's phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone.' What makes the Trojan different from most 'standard' mobile malware is that Geinimi is being 'grafted' onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets."

supernothing writes "DDoS attacks seem to be in vogue today, especially considering the skirmishes over WikiLeaks in the past few weeks. The size of a DDoS attacks, however, has historically been limited by how many computers one has managed to recruit into a botnet. These botnets almost universally require code to be executed on the participants' local systems, whether they are willing or unwilling. A new approach has been emerging recently, however, which uses some simple JavaScript to achieve similar ends. d0z.me is a new service that utilizes these techniques, but provides a unique twist on the idea. Posing as a legitimate URL shortening service, it serves users the requested pages in an iFrame, while simultaneously participating in a DDoS attack in the background. No interaction is required beyond clicking the link and staying on the page. This makes it relatively trivial to quickly mount large-scale DDoS attacks, and affords willing participants plausible deniability in the assault."

holy_calamity writes "Technology Review reports that researchers installed 3000 copies of Windows XP on a high performance cluster at a Canadian university and set loose the Waledac botnet on them. It's the first time researchers have built and operated their own botnet as a strategy to better understand those at large on the internet. Doing it inside an experimental computing cluster removes the legal and ethical complications of experimenting with live botnets that control innocent users' machines."