Botnet

Man Challenges 250,000 Strong Botnet and Succeeds 206

nandemoari writes "When security officials decide to 'go after' computer malware, most conduct their actions from a defensive standpoint. For most of us, finding a way to rid a computer of the malware suffices — but for one computer researcher, however, the change from a defensive to an offensive mentality is what ended the two year chase of a sinister botnet once and for all. For two years, Atif Mushtaq had been keeping the notorious Mega-D bot malware from infecting computer networks. As of this past November, he suddenly switched from defense to offense. Mega-D had forced more than 250,000 PCs to do its bidding via botnet control."
Security

Malware and Botnet Operators Going ISP 131

Trailrunner7 writes to mention that malware and botnet operators appear to be escalating to the next level by setting up their own virtual data centers. This elevates the criminals to the ISP level, making it much harder to stop them. "The criminals will buy servers and place them in a large data center and then submit an application for a large block of IP space. In some cases, the applicants are asked for nothing more than a letter explaining why they need the IP space, security researchers say. No further investigation is done, and once the criminals have the IP space, they've taken a layer of potential problems out of the equation. 'It's gotten completely out of hand. The bad guys are going to some local registries in Europe and getting massive amounts of IP space and then they just go to a hosting provider and set up their own data centers,' said Alex Lanstein, senior security researcher at FireEye, an anti-malware and anti-botnet vendor. 'It takes one more level out of it: You own your own IP space and you're your own ISP at that point.'"
Security

Autonomous Intelligent Botnets Bouncing Back 152

coomaria writes "Thought that 2009 was the year botnets died? Well, think again: compromised computers were responsible for distributing 83.4% of the 107 billion spam messages sent around the world every single day this year, and it's going to get worse if intelligent and autonomous botnets arrive in 2010 as predicted."
Security

Hackers Find Home In Amazon EC2 Cloud 89

snydeq writes "Security researchers have spotted the Zeus botnet running an unauthorized command and control center on Amazon's EC2 cloud computing infrastructure. This marks the first time Amazon Web Services' cloud infrastructure has been used for this type of illegal activity, according to threat researcher Don DeBolt. The hackers got onto Amazon's infrastructure by hacking into a Web site hosted on Amazon's servers and then secretly installing their command and control infrastructure."
Spam

US No Longer Leading the World In Spam 96

darthcamaro writes "America is no longer the spam king. According to Cisco, US-originated spam dropped by over two trillion messages — American-based IP addresses sent about 6.2 trillion spam messages. The new world leader is Brazil at 7.7 trillion messages. 'I'm not completely surprised to see US falling to number two in the spam stats, but I didn't expect it to happen yet,' said Cisco Fellow Patrick Peterson. 'I was really gratified to see the actual spam volume decrease, not just ranking, but we [also] decreased the amount of spam that is pouring out of the United States.'" The drop in US spam might have had something to do with the temporary shutdown of the McColo spam ISP.
Security

Ethics of Releasing Non-Malicious Linux Malware? 600

buchner.johannes writes "I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects. The malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads. I tested it to be injected by a PHP script (even circumventing safe mode), so that the Web server runs it; I even got a proxy server that injects it into shell scripts and makefiles in tarballs on the fly, and adds onto Windows executables for execution in Wine. If executed by the user, the malware can persist itself in cron, bashrc and other files. The aim of the exercise was to provide a payload so security people can 'pwn' systems to show security holes, without doing harm (such as deleting files or disrupting normal operation). But now I am unsure of whether it is ethically OK to release this toolkit, which, by ripping out the BOINC payload and putting in something really evil, could be turned into proper Linux malware. On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary. Technically, it is a nice piece, but should I release it? I don't want to turn the Linux desktop into Windows, hence I'm slightly leaning towards not releasing it. What does your ethics say about releasing such grayware?"
Security

First Malicious iPhone Worm In the Wild 135

An anonymous reader writes "After the ikee worm that displayed a picture of Rick Astley on jailbroken iPhones, the first malicious iPhone worm (Google translation; original, in Dutch) has now been discovered in the wild. Internet provider XS4ALL in the Netherlands encountered several of such devices (link in Dutch) on the wireless networks of their customers and put out a warning. After obtaining a copy of the malware it was discovered that the jailbroken phones, which are exploited through openSSH with a default password, scan IP ranges of mobile internet providers for other vulnerable iPhones, phone home to a C&C botnet server, are able to update themselves with additional malware and have the ability to dump the SMS database as well. Owners of a jailbroken iPhone with a default root password are advised to flash to the latest Apple firmware in order to ensure no malware is present."
Security

US Cybersecurity Plan Includes Offense 101

z4ns4stu writes "Shane Harris of the National Journal describes how the US government plans to use, and has successfully used, cyber-warfare to disrupt the communications of insurgents in Iraq. 'In a 2008 article in Armed Forces Journal, Col. Charles Williamson III, a legal adviser for the Air Force Intelligence, Surveillance, and Reconnaissance Agency, proposed building a military "botnet," an army of centrally controlled computers to launch coordinated attacks on other machines. Williamson echoed a widely held concern among military officials that other nations are building up their cyber-forces more quickly. "America has no credible deterrent, and our adversaries prove it every day by attacking everywhere," he wrote. ... Responding to critics who say that by building up its own offensive power, the United States risks starting a new arms race, Williamson said, "We are in one, and we are losing."'"
Spam

Researchers Take Down a Spam Botnet 207

The Register is reporting on the takedown of a botnet once responsible for 1/3 of the world's spam. The deed was done by researchers from the security firm FireEye, who detailed the action in a series of blog posts. PC World's coverage estimates that lately the botnet has accounted for 4% of spam. From the Register: "After carefully analyzing the machinations of the massive botnet, alternately known as Mega-D and Ozdok, the FireEye employees last week launched a coordinated blitz on dozens of its command and control channels. ... Almost immediately, the spam stopped, according to M86 Security blog. ... The body blow is good news to ISPs that are forced to choke on the torrent of spam sent out by the pesky botnet. But because many email servers already deployed blacklists that filtered emails sent from IP addresses known to be used by Ozdok, end users may not notice much of a change. ... With [the] head chopped off of Ozdok, more than 264,000 IP addresses were found reporting to sinkholes under FireEye's control..."
Google

Bahama Botnet Stealing Traffic From Google 52

itwbennett writes "'As part of its design, the Bahama botnet not only turns ordinary, legitimate PCs into click-fraud perpetrators that dilute the effectiveness of ad campaigns. It also modifies the way these PCs locate certain Web sites through DNS poisoning,' explains Juan Carlos Perez in an ITworld article. 'In the case of Google.com, compromised machines take their users to a fake page hosted in Canada that looks just like the real Google page and even returns results for queries entered into its search box. It's not clear where the Canadian server gets these results. What is evident is that the results aren't 'organic' direct links to their destinations, but are instead masked cost-per-click (CPC) ads that get routed through other ad networks or parked domains, some of which are in on the scam and some of which aren't.' 'Regardless, CPC fees are generated, advertisers pay, and click fraud has occurred,' Click Forensics reported on Thursday in a blog posting." Related: Techcrunch reports on a massive Chinese click-fraud ring controlling 200,000 IP addresses.
Security

Comcast's War On Infected PCs (Or All Customers) 304

thadmiller writes "Comcast is launching a trial on Thursday of a new automated service that will warn broadband customers of possible virus infections if the computers are behaving as if they have been compromised by malware. For instance, a significant overnight spike in traffic being sent from a particular Internet Protocol address could signal that a computer is infected with a virus, taking control of the system and using it to send spam as part of a botnet." Update: Jason Livingood of Comcast's Internet Systems Engineering group sent to Dave Farber's "Interesting People" mailing list a more detailed explanation of what this trial will involve.
Security

Researchers Hijack Mebroot Botnet, Study Drive-By Downloads 130

TechReviewAl writes "Researchers at the University of California at Santa Barbara hijacked the Mebroot botnet for about a month and used it to study drive-by downloading. The researchers managed to intercept Mebroot communications by reverse-engineering the algorithm used to select domains to connect to. Mebroot infects legitimate websites and uses them to redirect users to malicious sites that attempt to install malware on a victim's machine. The team, who previously infiltrated the Torpig botnet, found that at least 13.3 percent of systems that were redirected by Mebroot were already infected and 70 percent were vulnerable to about 40 common attacks."
Spam

Fighting "Snowshoe" Spam 85

Today Spamhaus announced they are releasing a new list of IP addresses from which they've been receiving "snowshoe" spam — unsolicited email distributed across many IPs and domains in order to avoid triggering volume-based filters. "This spam is sent from many small IP ranges on many Internet Service Providers (ISPs), using many different domains, and the IPs and domains change rapidly, making it difficult for people and places to detect and block this spam. Most importantly, while each host/IP usually sends a modest volume of bulk email, collectively these anonymous IP ranges send a great deal of spam, and the quantities of this type of spam have been increasing rapidly over the past few months." A post at the Enemies List anti-spam blog wonders at the impact this will have on email service providers and their customers. The author references a conversation he had with an employee from one of these providers: "... I replied that I expected it to mean the more legitimate clients of the sneakier gray- and black-hat spammers would migrate to more legitimate ESPs — suggesting that it was, in the long run, a good thing, because ESPs with transparency and a reputation to protect will educate their new clients. His reply was essentially that this would be a problem for them in the short run, because it would swamp their new customer vetting processes and so on."
Businesses

Up To 9% of a Company's Machines Are Bot-Infected 146

ancientribe sends in a DarkReading piece on the expanding footprint of small, targeted botnets in enterprises. "Bot infections are on the rise in businesses, and most come from botnets you've never heard of nor ever will. Botnet researchers at Damballa have found that nearly 60 percent of bot infections in organizations are from bot armies with only a handful to a few hundred bots built to target a particular organization. Only 5 percent of the bot infections were from big-name botnets, such as Zeus/ZDbot and Koobface. And more businesses are getting hit: 7 to 9 percent of an organization's machines are bot-infected, up from 5-to-7 percent last year, according to Damballa. ... [Damballa's] Ollmann says many of the smaller botnets appear to have more knowledge of the targeted organization as well. 'They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small botnets,' he says. ... Ollmann says botnets of all sizes are also increasingly using more and different types of malware rather than one particular family in order to evade detection. 'Most botnets, even small ones, have hundreds of different pieces of malware and families in use...'"
Security

Idaho Tops America's Most-Spammed States 97

An anonymous reader writes "MessageLabs unveiled a list of the top US spammed states, with surprising results — the spam capital of the US is Idaho, with 93.8 percent of spam, far exceeding the global spam rate for September 2009 of 86.4 percent. Idaho has jumped 43 spots since 2008 when it was ranked the 44th most spammed state. The difference can be attributed to the resilient and aggressive botnet market as well as a higher volume of global spam that has ensued since the beginning of the credit crisis toward the end of 2008."
Security

Google Groups Used To Control Botnets 63

oDDmON oUT writes "'Maintaining a reliable command and control (C&C) structure is a priority for back door Trojan writers. ... Symantec has observed an interesting variation on this concept in the wild. A back door Trojan that we are calling Trojan.Grups has been using the Google Groups newsgroups to distribute commands,' writes Symantec employee Gavin O Gorman. He goes on to state that 'the Trojan itself is quite simple. It is distributed as a DLL,' and while the decrypted commands indicate it is used 'for reconnaissance and targeted attacks,' he does go on record as saying, 'It's worth noting that Google Groups is not at fault here; rather, it is a neutral party. The authors of this threat have chosen Google Groups simply for its bevy of features and versatility.'"
Security

First Botnet of Linux Web Servers Discovered 254

The Register writes up a Russian security researcher who has uncovered a Linux webserver botnet that is coordinating with a more conventional home-based botnet of Windows machines to distribute malware. "Each of the infected machines examined so far is a dedicated or virtual dedicated server running a legitimate website, Denis Sinegubko, an independent researcher based in Magnitogorsk, Russia, told The Register. But in addition to running an Apache webserver to dish up benign content, they've also been hacked to run a second webserver known as nginx, which serves malware [on port 8080]. 'What we see here is a long awaited botnet of zombie web servers! A group of interconnected infected web servers with [a] common control center involved in malware distribution,' Sinegubko wrote. 'To make things more complex, this botnet of web servers is connected with the botnet of infected home computer(s).'"
Security

Twitter Used To Control Botnet Machines 127

DikSeaCup writes "Arbor Network's Jose Nazario, an expert on botnets, discovered what looks to be the first reported case of hackers using Twitter to control botnets. 'Hackers have long used IRC chat rooms to control botnets, and have continually used clever technologies, such as peer-to-peer strategies, to counter efforts to track, disrupt and sometimes decapitate the bots. Perhaps what's surprising then is that it's taken so long for hackers to take Twitter to the dark side.' The next step, of course, is to code the tweets in such a way that they aren't so suspicious."
Security

Twitter, Facebook DDoS Attack Targeted One User 205

An anonymous reader writes "A Georgian blogger with accounts on Twitter, Facebook, LiveJournal, and Google's Blogger and YouTube was targeted in a denial of service attack that led to yesterday's site-wide outage at Twitter and problems at the other sites, according to a Facebook executive. The blogger, who uses the account name 'Cyxymu' (the name of a town in the Republic of Georgia), had accounts on all of the different sites that were attacked at the same time, Max Kelly, chief security officer at Facebook, told CNet News." Here are user Cyxymu's LiveJournal Google cache and LiveJournal account (unreachable at this writing). Larry Magid writes on CNet that this individual blogs about independence of a breakaway region of Georgia. Macworld has some speculation in other directions on the motivations behind the DDoS attack.
Update: 08/07 19:52 GMT by KD : Cyber attacks on Cyxymu are not new. For over a year Evgeny Morozov has been calling attention to him as the first digital refugee.
Security

How Can I Tell If My Computer Is Part of a Botnet? 491

ashraya writes "My father (not too computer literate) has a desktop and a laptop both running Windows in his network back in Hyderabad, India. I set up a Linksys router for him to use with his broadband service. For some reason, he reset the config on the Linksys, and connected it up without wireless security, and also with the default admin password for some time. As you would expect, both of the Windows computers got 'slow,' and the desktop stopped connecting to the internet completely for some reason. As I logged in remotely to 'fix' things, I noticed on the Linksys' log that the laptop was making seemingly random connections to high-numbered ports on various IPs. I did an nslookup on the IPs to see that they were all either in Canada or US, with Comcast and other ISP addresses. Is that a sign that the computers were in a botnet? Are the other hosts part of the botnet too? (I have since rebuilt the Windows hosts, and these connections are not happening now. I have also secured the Linksys.)"
