×
Botnet

This Unusual Botnet Targets Scientists, Engineers, and Academics (zdnet.com) 67

Posted by BeauHD from the unusual-suspect dept.
schwit1 quotes a report from ZDNet: A botnet and cyberattack campaign is infecting victims across the globe and appears to be tracking the actions of specially selected targets in sectors ranging from government to engineering. Researchers from Forcepoint Security Labs have warned that the campaign it has dubbed 'Jaku' -- after a planet in the Star Wars universe because of references to the sci-fi saga in the malware code -- is different to and more sophisticated than many botnet campaigns. Rather than indiscriminately infecting victims, this campaign is capable of performing "a separate, highly targeted operation" used to monitor members of international non-governmental organizations, engineering companies, academics, scientists and government employees, the researchers said. The findings are set out in Forcepoint's report on Jaku, which outlines how of the estimated 19,000 unique victims, 42 percent are in South Korea and a further 31 percent in Japan. Both are countries and neighbors of North Korea. A further nine percent of Jaku victims are in China, six percent in the US, with the remainder spread across 130 other countries.
Crime

Meet The Company That Poached The FBI's Entire Silk Road Investigation Team (dailydot.com) 133

Posted by BeauHD from the sunny-side-up dept.
Patrick O'Neill quotes a report from The Daily Dot: The FBI team that brought down Silk Road has a new home. After headline-grabbing investigations, arrests, and prosecutions on some of America's highest-profile cybercriminals, five of U.S. law enforcement's most prized cybercrime aces have all left government service for greener pastures -- a titan consulting firm called Berkeley Research Group (BRG). BRG's newly hired gang of five includes former federal prosecutor Thomas Brown, as well as former FBI agents Christopher Tarbell, Thomas Kiernan, and Ilhwan Yum -- names that punctuated many of the biggest cybercrime stories of the last decade including Silk Road, LulzSec, Liberty Reserve, as well as the hacks of Citibank, PNC Bank, and the Rove Digital botnet; and the prosecution of Samarth Agrawal for stealing crucial code for high-frequency trading from the multinational, multibillion dollar bank Societe Generale. "Private industry provides a lot of opportunity," NYPD intelligence chief Thomas Galati told Congress earlier this year. "So I think the best people out there are working for private companies, and not for the government."
Botnet

Security Firm Discovers Secret Plan To Hack Numerous Websites and Forums (softpedia.com) 29

Posted by BeauHD from the foiled-again dept.
An anonymous reader writes: According to Softpedia, "Security researchers from SurfWatch Labs have shut down a secret plan to hack and infect hundreds or possibly thousands of forums and websites hosted on the infrastructure of Invision Power Services, makers of the IP.Board forum platform." The man behind this plan was a hacker known as AlphaLeon, maker of the Thanatos malware-as-a-service platform. AlphaLeon hacked IP.Board's customer hosting platform, and was planning to place an exploit kit that would infect the visitors to these websites with his Thanatos trojan, in order to grow his botnet. Some of the companies using IP.Board-hosted forums include Evernote, the NHL, the Warner Music Group, and Bethesda Softworks (Elder Scrolls, Fallout, Wolfenstein, Doom games).
Botnet

BAE Systems Warns About Shape-Shifting Strain of Qbot Malware (computerweekly.com) 20

Posted by msmash from the visit-from-the-past dept.
Warwick Ashford, reporting for ComputerWeekly: Qbot malware will become a potent threat, facilitated by exploit kits for initial infection and automated to gain maximum victim count, warns BAE Systems. The incident response team at BAE Systems is warning of a strain of the virulent Qbot malware that has hit thousands of public sector computers around the world. The malware -- also known as the Qakbot botnet -- first appeared in 2009 and was uploading 2GB of stolen confidential information to its FTP servers each week by April 2010 from private and public sector computers, including 1,100 on the NHS network in the UK. A modified version of the malware has resurfaced that is believed to have infected more than 54,000 PCs in thousands of organisations around the world and added them to its botnet of compromised machines, with 85% of infections in the US.
DRM

Researchers Help Shut Down Spam Botnet That Enslaved 4,000 Linux Machines (arstechnica.com) 47

Posted by msmash from the battling-spammers dept.
An anonymous reader shares an article on Ars Technica: A botnet that enslaved about 4,000 Linux computers and caused them to blast the Internet with spam for more than a year has finally been shut down. Sophisticated Mumblehard spamming malware flew under the radar for five years. Known as Mumblehard, the botnet was the product of highly skilled developers. It used a custom "packer" to conceal the Perl-based source code that made it run, a backdoor that gave attackers persistent access, and a mail daemon that was able to send large volumes of spam. Command servers that coordinated the compromised machines' operations could also send messages to Spamhaus requesting the delisting of any Mumblehard-based IP addresses that sneaked into the real-time composite blocking list, or CBL, maintained by the anti-spam service. "There was a script automatically monitoring the CBL for the IP addresses of all the spam-bots," researchers from security firm Eset wrote in a blog post published Thursday. "If one was found to be blacklisted, this script requested the delisting of the IP address. Such requests are protected with a CAPTCHA to avoid automation, but OCR (or an external service if OCR didn't work) was used to break the protection."
Security

Google Releases Project Shield To Fight Against DDoS Attacks (thestack.com) 72

Posted by timothy from the help-from-above dept.
An anonymous reader writes: Google has launched a free tool to help all media sites and and other organisations protect themselves against Distributed Denial of Service (DDoS) attacks. The Project Shield initiative allows websites to redirect traffic through Google's existing infrastructure, in order to keep their content online in the face of such attacks. Google will aim to work with smaller sites which do not necessarily have the money or are not fully equipped with strong enough infrastructure to the attacks. However, the Shield tool has also been made available to larger outlets, such as popular news sites and human rights platforms.
Open Source

Timeline Of Events: Linux Mint Website Hack That Distributed Malicious ISOs (softpedia.com) 188

Posted by BeauHD from the point-of-entry dept.
An anonymous reader writes: The Linux Mint website was hacked last night and was pointing to malicious ISOs that contained an IRC bot known as TSUNAMI, used as part of an IRC DDoSing botnet. While the Linux Mint team says they were hacked via their WordPress site, security experts have discovered that their phpBB forum database was put up for sale on the Dark Web at around the same time of the hack. Also, it seems that after the Linux Mint team cleaned their website, the hackers reinfected it, which caused the developers to take it down altogether.
Botnet

Online Museum Displays Decades of Malware (thestack.com) 39

Posted by yaelk from the looking-for-malware dept.
An anonymous reader writes: archive.org has launched a Museum of Malware, which devotes itself to a historical look at DOS-based viruses of the 1980s and 1990s, and gives viewers the opportunity to run the viruses in a DOS game emulator, and to download 'neutered' versions of the code. With an estimated 50,000 DOS-based viruses in existence by the year 2000, the Malware Museum's 65 examples should be seen as representative of an annoying, but more innocent era of digital vandalism.
Botnet

ProxyBack Malware Turns Infected Computers into Internet Proxies (softpedia.com) 71

Posted by samzenpus from the resistance-is-futile dept.
An anonymous reader writes: A new malware family called ProxyBack infects PCs and transforms them into a Web proxy. ProxyBack malware works by infecting a PC, establishing a connection with a proxy server controlled by the attackers, from where it receives instructions, and later the traffic it needs to route to actual Web servers. Each machine infected with ProxyBack works as a bot inside a larger network controlled by the attackers, who send commands and update instructions via simple HTTP requests. Some of the people infected with this malware, mysteriously found their IP listed on the buyproxy.ru Web proxy service.A technical write-up of the infection steps and various malware commands is available on the Palo Alto Networks blog.
Security

Pwnd Aethra Routers Used To Brute-Force WordPress Sites (voidsec.com) 27

Posted by timothy from the malice-in-multiple dept.
An anonymous reader writes: Security researchers found around 8,000 Aethra routers (with no admin passwords) as part of a botnet that attacked WordPress sites, trying to brute-force admin accounts. Most routers were deployed in enterprise networks in Italy. Each device could have be used to launch DDoS attacks with a capability between 1 to 10 Gbps, based on the company's bandwidth. Things could be worse, though: Additional investigation also revealed that some of the routers were also susceptible to various reflected XSS and CSRF attacks that would also allow attackers to take control of the device, even if using different login credentials. Using Shodan, a search engine for locating Internet-connected devices, researchers found over 12,000 of Aethra routers around the world, 10,866 in Italy alone, and over 8,000 of these devices were of the model detected in the initial brute-force attack (Aethra Telecommunications PBX series). At that time, 70% of these Aethra routers were still using their default login credentials
Botnet

Microsoft, Law Enforcement Disrupt Dorkbot Botnet (technet.com) 31

Posted by Soulskill from the dorkbot-is-now-a-word-a-you-know dept.
An anonymous reader writes: Microsoft said in a blog post Thursday that it aided law enforcement agencies in several regions to disrupt a 4-year-old botnet called Dorkbot. The botnet aims to steal login credentials from services such as Gmail, Facebook, PayPal, Steam, eBay, Twitter and Netflix and has infected one million computers worldwide. The company didn't provide details on how Dorkbot's infrastructure was disrupted.
Bug

Zero-Day Bugs In Numerous Modems/Routers Could Compromise Millions of Users (softpedia.com) 81

Posted by samzenpus from the that's-not-good dept.
An anonymous reader writes: Researchers have discovered a large number of zero-day flaws in 8 routers/modems from 4 manufacturers (ZTE, Huawei, Gemtek, Quanta) that would allow attackers to build a huge botnet by leveraging just a few exploits. Vulnerabilities include remote code execution, firmware rewrites, XSS, and CSRF. All these allow attackers to intercept both HTTP and HTTPS Web traffic, infect computers beyond the modem, intercept SMS messages, and detect the modem's geographical location. After six months, manufacturers have failed to fix the issues.
Android

Android App Mutates Source Code, Spreads Virally and Enables Mesh Networks (thestack.com) 74

Posted by samzenpus from the it's-alive dept.
An anonymous reader writes: Researchers from the Delft University of Technology have developed a self-replicating, mutating Android app which can create on-the-fly mesh networks in the event of an infrastructural disaster, or the enabling of internet kill switches by oppressive regimes. The app's source is available at GitHub, and the app itself requires no root privileges to propagate. It can self-compile while it mutates — for example, from a game to a calculator — in transit from one Android device to another, and compatibility with iOS and Windows phones is anticipated.
Linux

Botnet Takes Over Twitch Install and Partially Installs Gentoo 101

Posted by timothy from the nerd-rage-best-kind-of-rage dept.
WarJolt writes: The plug was pulled on the attempt to crowd-source an Arch Linux install after a botnet threatened to take over the process. Twitch Installs has been rebooted by the twitchintheshell community and Twitch Installs users managed to reinstall Arch only to be thwarted by the botnet. The botnet managed to partially install Gentoo. Users are currently in the process of reinstalling Arch.
Botnet

Despite Takedown, the Dridex Botnet Is Running Again (sans.edu) 57

Posted by timothy from the down-but-sadly-not-out dept.
itwbennett writes: Brad Duncan, a security researcher with Rackspace, on Friday wrote on the Internet Storm Center blog that 'the Dridex botnet administrator was arrested on 2015-08-28, and Palo Alto Networks reported Dridex was back by 2015-10-01. That represents an outage of approximately one month.' The lesson here, writes Jeremy Kirk in an article on CSOonline is that 'while law enforcement can claim temporary victories in fighting cybercriminal networks, it's sometimes difficult to completely shut down their operations.'
Botnet

Compromised CCTV and NAS Devices Found Participating In DDoS Attacks (incapsula.com) 64

Posted by Soulskill from the today-your-NAS,-tomorrow-your-toaster dept.
chicksdaddy writes: The parade of horribles continues on the Internet of Things, with a report from the security firm Incapsula that its researchers discovered compromised closed circuit cameras as well as home network attached storage (NAS) devices participating in denial of service attacks. The compromised machines included a CCTV at a local mall, just a couple minutes from the Incapsula headquarters.

According to the report, Incapsula discovered the infections as part of an investigation into a distributed denial of service attack on what it described as a "rarely-used asset" at a "large cloud service." The attack used a network of 900 compromised cameras to create a flood of HTTP GET requests, at a rate of around 20,000 requests per second, to try to disable the cloud-based server. The cameras were running the same operating system: embedded Linux with BusyBox, which is a collection of Unix utilities designed for resource-constrained endpoints.

The malware in question was a variant of a self-replicating program known as Lightaidra, which targets systems running BusyBox and exploits vulnerable Telnet/SSH services using so-called "brute force dictionary attacks" (aka "password guessing"). Given that many Internet connected devices simply use the default administrator credentials when deployed, calling it a "brute force" attack is probably a stretch.
Crime

FBI and Join UK Against Forces Against Spread of Dridex Banking Malware (nationalcrimeagency.gov.uk) 70

Posted by samzenpus from the working-together dept.
An anonymous reader writes: The UK's National Crime Agency (NCA) has issued a warning to UK online banking consumers to guard against the possibility of having been infected by the Dridex malware, which spreads via macros in infected Microsoft documents and is currently estimated to have cost £20mn to UK consumers. The NCA says that it is working with the FBI and several European authorities in a concerted campaign to take down the botnet behind the current crop of infections. Dridex is a derivative of the Cridex strain of banking malware, which itself stole many techniques from the GameOver Zeus malware package.
Security

Cyberattacks: Do Motives and Attribution Matter? 44

Posted by Soulskill from the yes,-except-when-they-don't dept.
An anonymous reader writes: Whenever people think of APTs and targeted attacks, they ask: who did it? What did they want? While those questions may well be of some interest, a potentially more useful question to ask is: what information about the attacker can help organizations protect themselves better? Let's look at things from the perspective of a network administrator trying to defend an organization. If someone wants to determine who was behind an attack, maybe the first thing they'll do is use IP address locations to try and determine the location of an attacker. However, say an attack was traced to a web server in Korea. What's not to say that whoever was responsible for the attack also compromised that server? What makes you think that site's owner will cooperate with your investigation?
Crime

Citadel Botnet Operator Gets 4.5 Years In Prison 42

Posted by Soulskill from the in-the-jailhouse-now dept.
An anonymous reader writes: The U.S. Department of Justice has announced that Dimitry Belorossov, a.k.a. Rainerfox, an operator of the "Citadel" malware, has been sentenced to 4.5 years in prison following a guilty plea. Citadel was a banking trojan capable of stealing financial information. Belorossov and others distributed it through spam emails and malvertising schemes. He operated a 7,000-strong botnet with the malware, and also collaborated to improve it. The U.S. government estimates Citadel was responsible for $500 million in losses worldwide. Belorossov will have to pay over $320,000 in restitution.
Security

Imgur Exploited To Channel Botnet Attacks At 4chan 73

Posted by samzenpus from the protect-ya-neck dept.
An anonymous reader writes: Imgur has been compromised by attackers looking for an opportunity to direct large volumes of traffic to 4chan. A Reddit thread explains that "when an Imgur image is loaded from /r/4chan [...] imgur loads a bunch of images from 8chan, which causes a DDoS to those sites." Meaning that if a user clicks an Imgur link on /r/4chan, it automatically makes around "500 requests" for one image from imageboard 4chan.org/8chan.

Slashdot Top Deals