Archive for the ‘Botnets’ Category

‘Fog of War’ Led To Operation Aurora Malware Mistake

April 1, 2010

‘Fog of War’ Led To Operation Aurora Malware Mistake: “‘Fog of War’ Led To Operation Aurora Malware Mistake”

(Via DarkReading – All Stories.)

Lethic Spamming Botnet Shut Down

January 13, 2010

Lethic Spamming Botnet Shut Down: “Lethic Spamming Botnet Shut Down”

(Via threatpost – The First Stop for Security News.)

Researchers Infiltrate Storm Botnet Successor – DarkReading

January 7, 2010

Researchers Infiltrate Storm Botnet Successor – DarkReading: ”
Researchers Infiltrate Storm Botnet Successor
Going undercover in Waledac botnet, European researchers discover it’s much bigger than they thought
Jan 05, 2010 | 06:20 PM

By Kelly Jackson Higgins
In an undercover mission to learn more about the size and scope of the son of the infamous Storm botnet, Waledac, German researchers have discovered the spamming botnet is much bigger and more efficient than previously thought.

The University of Mannheim and University of Vienna team boldly infiltrated the Waledac botnet from Aug. 6 through Sept. 1 of last year using a cloned Waledac bot they built and code-named “Walowdac.” The phony bot injected the IP addresses of the researchers’ analysis systems into the botnet, and the researchers were able to collect detailed data on the botnet and its inner workings. They found Waledac runs a minimum of 55,000 bots a day, with a total of 390,000 bots — much larger than previous estimates of 20,000 or so bots.

The researchers also were able to measure success rates of various spam campaigns launched by Waledac, and were able to observe up close Waledac’s newer features, such as the ability to steal credentials from bot-infected machines. Their clone did not do any spamming, however. “We used an implementation of the bot that speaks all of the protocols and communicates like a bot would do. We had full control over it, and it didn’t send any spam…it just participated in the communications,” says Thorsten Holz, one of the researchers.

The clone appeared to Waledac as one of its “repeaters” — the nodes that sit between the infected spamming bots and the back-end servers. Getting into the botnet at that level gave the researchers a more accurate accounting of the botnet. “We were able to get an overview of what bots are out there, how many there are, [and other details],” Holz says.

Waledac has been a popular subject for researchers to study during the past year: Researchers from Symantec, Trend Micro, and ESET, for instance, have also done intensive studies of the botnet. But the University of Mannheim researchers took a more aggressive approach in their experiment. Waledac came on the scene more than a year ago after the notorious Storm botnet, which had ballooned into one of the biggest botnets ever, suddenly disappeared off the grid in 2008. It re-emerged as Waledac, with new malware and a more sustainable architecture.

The German researchers, who also include Ben Stock, Jan Gobel, Markus Engelberth, and Felix C. Freiling, calculated from their research that Waledac could theoretically send more than 1.5 billion spam messages a day. But that’s actually a conservative estimate, they said in their report (PDF) on the experiment. “However, this also is only valid for 10,000 bots each hour with our monitoring showing up to 30,000 bots per hour during the daytime. Thus, this number might very well be tripled,” the report says.

Waledac changes up its malware variants about every two weeks, the researchers observed, and the U.S. is home to the majority of the bots and repeaters, with 17.34 percent of the spamming bots and 19.5 percent of the repeaters. And around 90 percent of the Waledac bots were 32-bit XP machines.

The researchers were also able to get counts of information-stealing activity by Waledac. In addition, Holz says Waledac steals SMTP server credentials, so it can spam using those servers, and also FTP user credentials, so it can log into FTP servers. “They are also stealing these FTP credentials to log into FTP servers and search for HTML pages to inject iFrames [into],” Holz says. “This is part of the propagation mechanism of Waledac.”

Pierre-Marc Bureau, a senior researcher with ESET who has studied Waledac and collaborated with Holz and his team, says he thinks Waledac’s operators are gearing up for more than just spamming. “Waledac has been stealing information from infected machines, such as credentials for Websites and email addresses to spam to,” Bureau says. “But it’s also stealing information from infected machines, mostly for propagating and sending spam. But when you have a user list from a Website, you can do anything you want with it…you can sell it to someone else.”

Bureau says he thinks Waledac’s operators are gathering this stolen information to set up operations other than their bread-and-butter spamming roots. “In general, Waledac is a complete operation aimed at sending spam. But I think they are already prepared to diversify their activities…there’s more money to be made in other areas,” he says.

Meanwhile, the German researchers’ undercover operation in Waledac had a few glitches, too: Waledac’s operators were able to detect the German researchers’ IP address range from the University of Mannheim and filtered them, knocking them off. “So we changed our IP range” and got back into the botnet, Holz says.

And the researchers knew they were at risk of Waledac’s operators waging a distributed denial-of-service (DDoS) attack on the University of Mannheim’s network, where the IP addresses initially resided. “The main threat to us was DDoS,” Holz says. “In the past, we had some incidents where people were DDoSing our servers since we were also running honeypots on those IP addresses.”

Hackers Conquer Two-Factor Authentication

January 5, 2010

Hackers Conquer Two-Factor Authentication: “

BY Mel Duvall, Chief Content Officer at CIOZone

Cybercriminals are increasingly gaining access to bank accounts and user credentials by beating strong two-factor authentication security, warns research firm Gartner.

Fraudsters are raiding bank accounts by using Trojans that steal passwords and credentials.

Other strong authentication factors, such as those using chip cards and biometric technology that rely on browser communications, are similarly being defeated.

‘These attacks have been successfully and repeatedly executed against many banks and their customers across the globe in 2009,’ said Avivah Litan, an analyst and vice president with Stamford, Conn.-based Gartner. ‘However, while bank accounts are the main immediate target, these attack methods will migrate to other sectors and applications that contain sensitive valuable information and data.’

Examples of new attacks that are emerging in the ‘wild’ include:

• Malware on the users’ computer overwrites transactions sent to an online banking Web site. This happens behind the scenes, so that the user does not see the revised transaction values. Many online banks will then communicate the transaction details back to the user’s browser for confirmation, but the malware changes the values seen by the user to reflect the values originally entered. In so doing, neither the user nor the bank realizes that the data has been altered.

• Authentication used in voice telephony applications is being circumvented by a simple technique whereby the cybercriminal asks the phone carrier to forward the legitimate user’s phone calls to the fraudster’s phone.

With respect to the telephony fraud attacks, Litan says server-based fraud detection and security policies that prevent call forwarding have proven effective.

‘Gartner clients who have fended off such attacks have done so with either automated fraud detection or manual review of high-risk transactions,’ she added.

The FBI’s Internet Crime Complaint Center recently reported that as of October cybercriminals had attempted to steal approximately $100 million from U.S. banks using stolen passwords and credentials.

In many cases the cybercriminals have been successful in planting keystroke logging Trojan horse programs on the computers used by employees to conduct online banking on behalf of their companies.

Gartner says that cybercriminals are becoming more sophisticated in their attacks and that it may be necessary for banks and users to introduce more sophisticated security layers.

Litan noted the following technologies may prove to be effective:

• Fraud detection that monitors user access behavior. This method captures and analyzes all of the user’s Web traffic (assuming the targeted application is Web-based), including log-in, navigation and transactions. It can spot abnormal access patterns that indicate that an automated program is accessing the application, rather than a human.

• Fraud detection that monitors suspect transaction values. This technology looks at a particular transaction and compares it to a profile of what constitutes ‘normal’ behavior for a user or a group of users.

• Out-of-band user transaction verification. This system employs a type of verification other than the same primary communication channel (such as a user’s PC browser).

‘Fraudsters have definitely proven that strong two-factor authentication processes can be defeated,’ said Litan.

‘Enterprises need to protect their users and accounts using a three-prong layered fraud prevention approach that uses stronger authentication, fraud detection and out-of-band transaction verification and signing for high-risk transactions.’
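As an added illustration, not code from the article or from Gartner, the out-of-band verification and transaction signing recommended above, simulated in Python against the transaction-rewriting malware described earlier: the bank echoes the transfer it actually received over a channel the browser cannot rewrite, together with a code bound to those exact values, and executes only if the user releases that code. The key, account names and sample transfers are constructed for the demo.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed demo key (assumption): a real bank would hold a per-user key server-side.
SERVER_KEY = b"constructed-demo-key-not-for-production"

@dataclass(frozen=True)
class Transfer:
    account: str
    beneficiary: str
    amount_cents: int

def sign_transfer(tx: Transfer, nonce: str) -> str:
    # Fixed field order so the code is bound to exactly these values and this session.
    msg = f"{tx.account}|{tx.beneficiary}|{tx.amount_cents}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:8]

def bank_sends_oob(received: Transfer, nonce: str) -> Dict[str, object]:
    """Bank side: echo the transfer it actually received, plus a code bound to it,
    over an out-of-band channel (a dict standing in for an SMS in this simulation)."""
    return {"beneficiary": received.beneficiary,
            "amount_cents": received.amount_cents,
            "code": sign_transfer(received, nonce)}

def user_reviews_oob(intended: Transfer, sms: Dict[str, object]) -> Optional[str]:
    """User side: the phone shows what the bank received, which browser malware
    cannot rewrite. Release the code only if it matches what was intended."""
    if (sms["beneficiary"], sms["amount_cents"]) != (intended.beneficiary, intended.amount_cents):
        return None
    return str(sms["code"])

def bank_verifies(received: Transfer, nonce: str, code: Optional[str]) -> bool:
    """Bank side: execute only with a code bound to the received details."""
    if code is None:
        return False
    return hmac.compare_digest(sign_transfer(received, nonce), code)

def run_transfer(intended: Transfer, received: Transfer) -> bool:
    """Simulate one transfer; `received` is what the bank got after the browser
    (possibly malware-altered) submitted it. True means the transfer executes."""
    nonce = secrets.token_hex(8)
    code = user_reviews_oob(intended, bank_sends_oob(received, nonce))
    return bank_verifies(received, nonce, code)
```

A transfer the malware has rewritten in transit shows up on the phone with the attacker's beneficiary and amount, so the user never releases the code and the bank never executes it.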


Mel Duvall is a Contributing Editor to CIOZone. He is a veteran journalist, having written and edited for daily newspapers, magazines and trade publications for more than 20 years. He is a former senior editor of Baseline magazine and was a senior editor for Inter@ctive Week. Mel has won several awards at the national level, including a Jesse H. Neal journalism award and American Society of Business Publication Editors awards. is the first of its kind online meeting place for CIOs. It is built upon the foundation of social networking and combines user generated content and expert editorial together around an open source platform.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to

(Via Information Security Resources.)

Amazon EC2 cloud service hit by botnet, outage | Security – CNET News

December 26, 2009

Amazon EC2 cloud service hit by botnet, outage | Security – CNET News: ”

December 11, 2009 2:07 PM PST
Amazon EC2 cloud service hit by botnet, outage
by Lance Whitney

The folks who run Amazon’s EC2 cloud service must be happy the week is nearly over.

The cloud-based EC2 (Elastic Compute Cloud) was kept jumping this past week by two incidents: a compromised internal service that triggered a botnet, and a data center power failure in Virginia.
On Wednesday, security researchers for CA found that a variant of the infamous password-stealing Zeus banking Trojan had infected client computers after hackers were able to compromise a site on EC2 and use it as their own C&C (command and control) operation.
Don DeBolt, Director of Threat Research for CA Internet “

(Via .)

The botnet ecosystem

December 22, 2009

The botnet ecosystem: “With the appearance of botnets, criminal gangs have gained access to millions of infected computers and the number of cybercrimes committed has risen sharply. Although the majority of Internet users understand that zombie networks pose a serious threat, many do not know how or why botnets are created and maintained.”

(Via Latest Analysis for All Threats.)

Germany to set up centre to coordinate fight against botnets

December 13, 2009

Germany to set up centre to coordinate fight against botnets

8 December 2009

In 2010 the German government is planning to pick up the fight against infected home computers. In the first half of next year it plans to set up an advisory centre which will help users purge their computers of viruses and bots. The idea, jointly developed by the Federal Office for Information Security (BSI) and the Association of the German Internet Industry (eco), is based on the premise that internet service providers (ISPs) have long had the technical capability to identify infected computers by analyzing network traffic. The project was officially announced by BSI and eco at today’s fourth national IT summit in Stuttgart.

According to the plan, ISPs will contact customers whose PCs are infected with a bot, possibly by post or by telephone. The plan also contemplates having infected computers automatically connect to a special web page each time they connect to the internet. Before the plans are implemented, however, a decision needs to be made on what sanctions customers who decline to cooperate with their ISP can be subjected to. According to an eco project manager, quoted by the dpa, "Anyone surfing without proper anti-virus software is endangering other web users, in the same way that a car driver driving with faulty brakes is endangering other road users."

Enterprise versus Broad-spectrum Internet Botnets

November 26, 2009

Enterprise versus Broad-spectrum Internet Botnets: “What's the difference between these massive botnets gobbling up sizable chunks of the Internet and those found inside the enterprise? Quite a bit actually.
Over the last couple of months I’ve been talking at a number of conferences and speaking with customers about the kinds of botnets we observe within enterprise networks as opposed to what's […]”

(Via The Day Before Zero.)

Gumblar has new face on ugly head | HostExploit News

November 11, 2009

Gumblar has new face on ugly head | HostExploit News: “sqlsodbc.chm,”

(Via .)

Security firm chokes sprawling spam botnet | HostExploit News

November 11, 2009

Security firm chokes sprawling spam botnet | HostExploit News: “WEDNESDAY NOV 11

Security firm chokes sprawling spam botnet

Tuesday, 10 November 2009 14:00

A botnet that was once responsible for an estimated third of the world’s spam has been knocked out of commission thanks to researchers from security firm FireEye. After carefully analyzing the machinations of the massive botnet, alternately known as Mega-D and Ozdok, the FireEye employees last week launched a coordinated blitz on dozens of its command and control channels. The channels were used to send new spamming instructions to the leg”

(Via .)