Showing posts sorted by relevance for query botnet. Sort by date Show all posts
Showing posts sorted by relevance for query botnet. Sort by date Show all posts

Microsoft Along With FBI & EC3 Shattered The Notorious ZeroAccess Botnet

Posted by Avik Sarkar On 12/08/2013 01:14:00 am

Microsoft Along With FBI & EC3 Shattered The Notorious ZeroAccess Botnet Responsible For Infecting More Than 2 Million Computers
Redmond based software giant Microsoft yet again got a huge success against a big racket of cyber criminals while shattering one of the world's largest and most rampant botnets named 'ZeroAccess'. The Sirefef botnet, also known as ZeroAccess, is responsible for infecting more than 2 million computers, specifically targeting search results on Google, Bing and Yahoo search engines, and is estimated to cost online advertisers $2.7 million each month. Tech giant Microsoft working alongside the Federal Bureau of Investigation (FBI), Europol's European Cybercrime Centre (EC3) have successfully disrupted this notorious botnet. This is Microsoft’s first botnet action since the Nov. 14 unveiling of its new Cybercrime Center — a center of excellence for advancing the global fight against cyber crime — and marks the company’s eighth botnet operation in the past three years.

“This operation marks an important step in coordinated actions that are initiated by private companies and, at the same time, enable law enforcement agencies around Europe to identify and investigate the criminal organizations and networks behind these dangerous botnets that use malicious software to gain illicit profits,” said Troels Oerting, head of the EC3. “EC3 added its expertise, information communications technology infrastructure and analytic capability, as well as provided the platform for high-level cooperation between cyber crime units in five European countries and Microsoft.”
Due to its botnet architecture, ZeroAccess is one of the most robust and durable botnets in operation today and was built to be resilient to disruption efforts, relying on a peer-to-peer infrastructure that allows cyber criminals to remotely control the botnet from tens of thousands of different computers. ZeroAccess is used to commit a slew of crimes, including search hijacking, which “hijacks” people’s search results and redirects people to sites they had not intended or requested to go to in order to steal the money generated by their ad clicks. ZeroAccess also commits click fraud, which occurs when advertisers pay for clicks that are not the result of legitimate, interested human users’ clicks, but are the result of automated Web traffic and other criminal activity. Research by the University of California, San Diego shows that as of October 2013, 1.9 million computers were infected with ZeroAccess, and Microsoft determined there were more than 800,000 ZeroAccess-infected computers active on the Internet on any given day.



How It Happened:- 
Last week, Microsoft filed a civil suit against the cyber criminals operating the ZeroAccess botnet and received authorization from the U.S. District Court for the Western District of Texas to simultaneously block incoming and outgoing communications between computers located in the U.S. and the 18 identified Internet Protocol (IP) addresses being used to commit the fraudulent schemes. In addition, Microsoft took over control of 49 domains associated with the ZeroAccess botnet. A10 Networks provided Microsoft with advanced technology to support the disruptive action.
As Microsoft executed the order filed in its civil case, Europol coordinated a multijurisdictional criminal action targeting the 18 IP addresses located in Europe. Specifically, Europol worked with Latvia, Luxembourg, Switzerland, the Netherlands and Germany to execute search warrants and seizures on computer servers associated with the fraudulent IP addresses located in Europe. This is the second time in six months that Microsoft and law enforcement have worked together to successfully disrupt a prevalent botnet. It demonstrates the value coordinated operations have against cyber criminal enterprises. For more information about this botnet operation click here

ZeroAccess is counted as a very sophisticated malware, blocking attempts to remove it, therefore recommended for every Microsoft user to click Here for detailed instructions on how to remove this threat. As Microsoft found that the ZeroAccess malware disables security features on infected computers, leaving the computer susceptible to secondary infections, it is critical that victims rid their computers of ZeroAccess by using malware removal or antivirus software as quickly as possible. 
In conversation with press David Finn, executive director and associate general counsel of the Microsoft Digital Crimes Unit said -“Microsoft is committed to working collaboratively — with our customers, partners, academic experts and law enforcement — to combat cybercrime. And we’ll do everything we can to protect computer users from the sinister activities and criminal networks that victimize innocent people and businesses around the world.” 

While talking about ZeroAccess botnet take down, I would like to remind you that in Match, last year Microsoft has successfully shutdown two command and control (C&C) server of world's of the most dangerous banking trojan Zeus.


SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

TDL is Targeting Windows PC, Experts are saying that "it is almost indestructible"

Posted by Avik Sarkar On 7/05/2011 10:05:00 pm


More than four million PCs have been enrolled in a botnet security experts say is almost "indestructible". The botnet, known as TDL, targets Windows PCs and is difficult to detect and shut down. targeting
Code that hijacks a PC hides in places security software rarely looks and the botnet is controlled using custom-made encryption.
Security researchers said recent botnet shutdowns had made TDL's controllers harden it against investigation.
The 4.5 million PCs have become victims over the last three months following the appearance of the fourth version of the TDL virus. The changes introduced in TDL-4 made it the "most sophisticated threat today," wrote Kaspersky Labs security researchers Sergey Golovanov and Igor Soumenkov in a detailed analysis of the virus. "The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and anti-virus companies," wrote the researchers.
Recent successes by security companies and law enforcement against botnets have led to spam levels dropping to about 75% of all e-mail sent, shows analysis by Symantec.
A botnet is a network of computers that have been infected by a virus that allows a hi-tech criminal to use them remotely. Often botnet controllers steal data from victims' PCs or use the machines to send out spam or carry out other attacks.
The TDL virus spreads via booby-trapped websites and infects a machine by exploiting unpatched vulnerabilities. The virus has been found lurking on sites offering porn and pirated movies as well as those that let people store video and image files. The virus installs itself in a system file known as the master boot record. This holds the list of instructions to get a computer started and is a good place to hide because it is rarely scanned by standard anti-virus programs.
The biggest proportion of victims, 28%, are in the US but significant numbers are in India (7%) and the UK (5%). Smaller numbers, 3%, are found in France, Germany and Canada.
However, wrote the researchers, it is the way the botnet operates that makes it so hard to tackle and shut down.
The makers of TDL-4 have cooked up their own encryption system to protect communication between those controlling the botnet. This makes it hard to do any significant analysis of traffic between hijacked PCs and the botnet's controllers.
In addition, TDL-4 sends out instructions to infected machines using a public peer-to-peer network rather than centralised command systems. This foils analysis because it removes the need for command servers that regularly communicate with infected machines.
"For all intents and purposes, [TDL-4] is very tough to remove," said Joe Stewart, director of malware research at Dell SecureWorks to Computerworld. "It's definitely one of the most sophisticated botnets out there."
However, the sophistication of TDL-4 might aid in its downfall, said the Kaspersky researchers who found bugs in the complex code. This let them pry on databases logging how many infections TDL-4 had racked up and was aiding their investigation into its creators.

-News Source (BBC)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

RSA Said: Zeus v2.1.0.10 Became The Most Infamous & Propagated Trojan in Cybercrime History

Posted by Avik Sarkar On 10/01/2011 01:12:00 pm


The RSA Research Lab investigated and monitord a large number of malicious cybercrime servers operating in the wild. What RSA researchers discovered was nothing less than the robust mercenary workings of a virtual heist machine, one that has been operational on an ongoing basis, militating and robbing financial data from hundreds of thousands of infected users all over the world. The tool of choice—Zeus v2.1.0.10, the most advanced variant of Zeus to date. The end result: endless logs of compromised financial data and untold numbers of wire-fraud transactions.
According to the official blog of RSA:- 

A Privately Developed Zeus Upgrade:-
Unlike the large majority of banking Trojan, the Zeus Trojan has always been a commercial code, sold by its creator to those who could afford an advanced fraud tool and understood how to use it. With time, Zeus became the most infamous and most propagated Trojan in cybercrime history. In October 2010, nearly one year ago, the bequeathing of the Zeus Trojan’s source code by its owner “Slavik”, to his then biggest rival, the SpyEye Trojan’s coder (“Harderman”), united the future of 2 giant commercial codes and threw a Zeus-faced wildcard into the game when its entire source code was leaked in March 2011.
But it was nearly two months before the announcement of the code ‘merger’ was even made that RSA researchers were already looking at a rather special upgrade of the Zeus Trojan: Zeus v2.1. A surprising and rare new version which included some of the most sophisticated additions to the Zeus code seen in recent times, making it more impervious and hardened thus shutting-out a lot of potential interference with this variant’s configuration and its communication patterns. At the time (early September 2010), our team was in the possession of a single variant of this upgrade and was not entirely sure what it represented as yet. The interesting part of the upgrade was its low propagation numbers and the time lapse it took for the Lab to see more of it in the wild. True Zeus 2.1.0.10 variants were not being sold in underground forums. These two initial observations already suggested that the new upgrade was the property of one cybercriminal or a single cybercrime gang.
Within six months, Zeus 2.1.0.10 was being detected more and more often, and although the number of variants kept growing, the trigger list in each and every one of them was identical – a rare case for Zeus variants in which each operator updates his own list of triggers. This was the third sign pointing to a single operations team for Zeus 2.1.0.10.
June 2011 – a sharp peak in Zeus 2.1.0.10 attacks resulted from the propagation of hundreds of variants of this upgraded version. To date, the RSA Research Lab detected 414 different variants, and yet, each and every variant still went after the exact same trigger list. At this point it was clear that Zeus 2.1.0.10 belongs to one gang who had the Zeus source code way before the merger, way prior to the code leak and before anyone even imagined what would become of Zeus.
This gang developed their own Zeus Trojan using Zeus’ source codes and its mainframe; this gang operates Zeus 2.1.0.10 without sharing their malevolent creation with outsiders.

Zeus 2.1.0.10 Has its Own Techniques:-
More than the actual upgrade of the Trojan code, the new Zeus 2.1.0.10 behaved in a new way, unlike the one observed in other Zeus variants. Unlike other advance Trojans who contact the mothership through reverse proxies, fast flux networks, or those who use their own botnet as proxies – Zeus 2.1.0.10 never communicates directly with the mothership. This special variant further uses another obfuscation technique for cases where it fails to find a live update point. In order to make sure the botnet always ‘calls home’ Zeus 2.1.0.10’s operators programmed a randomized, on-the-fly domain name generator, based on a constant algorithm the Trojan’s configuration dictates. The algorithm creates 1,020 domain names (URLs) per day. Each new and unique domain name is a string of letters. The suffix “/news” or “/forum” follows the domain name when it is used for the Trojan’s update and drop communications.
The cybercriminal operation team behind the scenes has the same algorithm. They know exactly when the whole botnet will attempt to communicate with a specific new domain name, and then simply go and buy that domain name, hosting each one through facilities located all over the world. At that point, the whole botnet queries the new domain with a request for the update file – and receives it, and the C&C queries its bots for the stolen data they have in store – and receives it.  Mission accomplished.
This all happens without anyone outside the gang knowing their algorithm or being able to guess which communication channel they will choose for their botnet next. Even if an external party was to attempt to solve the algorithm, they would have to buy the domains before the gang does, thus engaging in a race against time and paying for numerous domain registrations every hour (!). No matter how many domains an adversary buys, the bot masters will eventually buy one and the botnet will end up communicating with it.
The communication through randomized domains generated by the Trojan is directed through a list of legitimate VPS and legitimate cloud services used as a proxy. This raptures any further tracking possibilities of the true motherships which militate the immense botnet.
Zeus 2.1.0.10’s behavior pattern has never been used in Zeus or SpyEye variants, but it sure is identical to another Trojan’s sophisticated and diuturnal operations – Sinowal. A long standing, privately owned Trojan, operated by an organized cybercrime gang based out of Russia, Sinowal is perhaps one of the most persevering private banking Trojans; one whose nefarious nature has been the intrigue of many security researchers since as early as 2006.
It was initially somewhat surprising to see that Zeus 2.1.0.10 was not only a private version of Zeus, it also behaves exactly in the same manner as Sinowal similarly held by Russian-speaking cybercriminals. These common denominators raised a logical suspicion as to the possibility of the two sharing some links if not operated by the same gang altogether.

For more information and to see the RSA blog article about Zeus click Here




SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Microsoft is Offering Reward to Fight Against Cyber Crime & SPAM

Posted by Avik Sarkar On 7/20/2011 03:51:00 am


Microsoft puts on the Superhero outfit this week and battles Cyber Crime and SPAM by offering a $250,000 reward for information about the Rustock Botnet.
What is the Rustock Botnet? A "botnet" is a system made up of computers that are used for malicious purposes, such as hacking, spreading SPAM, and so on. The Russian-based Rustock Botnet is responsible for a lot of those messages you get trying to sell you Viagra or suspicious-sounding drugs, pirated copies of software, fake designer goods and other SPAM. According to ZDNet, it can send out 30 billion SPAM emails every day.
Last month, Microsoft posted notices in two Russian newspapers to let Rustock know they were out to get them by starting a civil lawsuit. Now, they've stepped things up by offering the $250,000 reward to anyone who can give information leading to the identification and arrest of the operators behind the Rustock Botnet.

Microsoft has already helped cut the Rostock operation by over half. The company deserves praise for taking this stand and targeting this evil company on behalf of computer users worldwide.
At its Official Blog, Microsoft gives a lot of technical information about the Rustock Botnet and their efforts to take it down. Users can help, too, by making sure their computers are not vulnerable. Keep your software up to date, install anti-virus software, and use firewalls, even though they are annoying. They will help protect you and stop these ruthless botnets like Rustock.

And, hey, if you happen to have some information about who's behind Rustock, maybe you can grab $250,000.

-News Source (TG)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

C&C Servers of World's Third Largest Spam Botnet "Grum" Been Knocked Down

Posted by Avik Sarkar On 7/21/2012 02:58:00 am


C&C Servers of World's Third Largest Spam Botnet "Grum" Been Knocked Down



Researcher get another big success by taking down two of the command and control(C&C) servers belong to  the world's largest spam botnet named "Grum". Though  this is not complete victory, as there are still two other C&C servers are currently working actively, but researchers are very much optimistic that the volume of spam will drop this take down. 
Atif Mushtaq, senior staff scientist at security firm FireEye, said in a blog post that the botnet known as Grum drew its last dying breath on Wednesday, after six servers in Ukraine and one in Russia were shut down. In a tense faceoff with whitehats, the botnet operators had deployed those servers following the disconnection earlier this week of separate servers in the Netherlands and Panama. Faced with the threat of losing a 100,000-computer network that generated an estimated 18 billion spam messages a day, the Grum operators were desperately trying to transition to those machines when they stopped working.

"Grum's takedown resulted from the efforts of many individuals," Mushtaq wrote. "This collaboration is sending a strong message to all the spammers: 'Stop sending us spam. We don't need your cheap Viagra or fake Rolex. Do something else, work in a Subway or McDonalds, or sell hotdogs, but don't send us spam." We would also like to give you reminder that, this year Microsoft closed two C&C server of Zeus, another dangerous botnet. Also researcher from different parts of the world have unveiled the mystery of few other botnets like Bredolab, Rustock, Duqu and so on. 





SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Russian Botnet Operator Busted For Infecting 6 Millions of Computers & Stealing £2.9 Million

Posted by Avik Sarkar On 6/25/2012 10:26:00 pm

Russian Botnet Operator Busted For Infecting 6 Millions of Computers & Stealing £2.9 Million

Russian Police authorities have arrested  a 22 year hacker from Southern Russia known as "Hermes" and "Arashi" in online communities. According to the reports the suspect was running a botnet which comprised more than 4.5 million computers while making it the largest publicly known botnet to date. It has been also found that the hacker used banking trojans to steal more than 150 million roubles, almost £2.9 million, from private individuals and organisations.  According to the statement of Russian Interior Ministry the trojan is believed to have infected more than six million computers. On some days, more than 100,000 new computers were recruited.  The authorities also confirmed that the arrest of "Hermes" and other members of his hacker group was carried out with the assistance of anti-virus company Dr. Web. Most of the accomplices lived in Moscow and St. Petersburg. We also like to give you reminder that couple of months ago another Russian hacker who was the creator of the Bredolab botnet received a four-year imprisonment by Armenian court.









SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Android Botnet!!!

Posted by Avik Sarkar On 5/31/2011 04:03:00 pm




With the advancements made by different security vendors it is seemingly becoming difficult for botnet masters to remain undetected. Reports suggest that operating systems such as the Windows 7 have become 7 times secure than older versions such as Windows XP. Hence the obvious move of a botnet was to another increasingly insecure platform – cellphones. Bots such as Zeus have already recently shown what they can do on BlackBerries. The Symbian operating system is losing its sheen. So, the next target is the Android phone.
To avoid detection, this proof-of-concept code utilizes the Short Messaging Service (SMS) as a command & control channel. This adds fault tolerance because, if a smartphone is not available on the GSM network due to being powered off or out of service range, when an SMS message arrives for delivery, the message is queued and delivered by the network! If only this feature existed in Zeus eh?
  •  Compile with arm-gcc with the -static flag set
  • Copy to anywhere on the underlying OS that is writable (/data/ is good).
  • Rename /dev/smd0/ to /dev/smd0real/
  • Start the bot application
  • Kill the radio application (ps | grep rild)
  • The radio will automatically respawn and now the bot proxy will be working
More interesting stuff such as the botnet structure, possible infection methods are presented by the author in here slides that can be found here.
Download the Android Botnet PoC (botPoCrelease-android.c) here

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Pastebin Under Massive Cyber Attack, 20K IP Address Blocked To Prevent DDoS Attack

Posted by Avik Sarkar On 2/22/2012 11:57:00 pm

Pastebin Under Massive Cyber Attack , More Than 20K IP Address Blocked To Prevent DDoS Attack

Pastebin - most widely used & world's number one paste tool yet again faced massive cyber attack. According to pastebin official twitter profile the 1st attack came on the 18th February where the attacker was using a botnet to send millions of requests to pastebin servers in an attempt to flood the network, inshort the attacker was trying to engage a DDoS attack. In response the pastebin team immediately took action while blocking more than 4000 IP address, but it was later found that those counter measure seems useless in-front of the attack so again more than 9000 IP address get blocked. According to the last twitter update pastebin confirmed that they are still adding more IP to the block list and now the number of block listed IP became more than 20000. This attack came on the day when Pastebin’s developers revealed the fact that the 3.1 version has gone online. 
In the press release Pastebin team said:- 
"For the last 16 hours Pastebin.com has been under attack by a botnet. Someone is using this botnet to send millions of requests to our servers in an attempt to flood the network to the point where it becomes inaccessible. A botnet is a collection of compromised computers connected to the Internet (each compromised computer is known as a 'bot').
So far we have been able to block about 20,000 IP's, but this number is growing by the minute. These IP's are most likely from innocent people who have no clue that their computer is being used for this purpose. It is highly recommended that you always have up-to-date antivirus software installed, and a good Firewall active.
Later today we will publish the list of IP's from today's 'botnet attack' on another server so you are able to check if your own computer has been compromised.
If your IP is in this list, you will not be able to access Pastebin at this time. With the current IPv4 system there are a total number of 4,294,967,296 IP's. The chance that your IP is blocked is rather small.
We sincerely apologize for the times that we were unable to block the attacks, and we will continue to fight these attacks as well as we can to make sure Pastebin is available 24/7."



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Anonymous Tricked Their Supporter Into Installing Zeus Trojan - Said Symantec

Posted by Avik Sarkar On 3/04/2012 07:56:00 pm

Anonymous Tricked Their Supporter Into Installing Zeus Trojan - Said Symantec

Remember the Operation Megaupload (#OpMegaupload) the largest attack ever where 5,635 Anon people bring down the websites of Universal Music, the U.S. Department of Justice and the Recording Industry Association of America while using one of the world's most popular and vastly used DDoSer LOIC.
Now Security software company Symantec have discovered that a piece of Anonymous-recommended DDoS software called Slowloris contained an insidious Trojan that was stealing financial info from people using it. According to the official blog post of Symantec on the 20th day of January after Kim Dotcom was arrested, Anonymous was frequently shearing few pastebin links which was containing the download link of Slowloris which led to a trojanized copy that installed the Zeus trojan on users' systems. The compromised download then replaced itself with a clean version of the tool to avoid detection. 

"It is worth highlighting how Anonymous supporters have been deceived into installing Zeus botnet clients purportedly for the purpose of DoS attacks. The Zeus client does perform DoS attacks, but it doesn’t stop there. It also steals the users' online banking credentials, webmail credentials, and cookies."
"When the Trojanized Slowloris tool is downloaded and executed by an Anonymous supporter, a Zeus (also known as Zbot) botnet client is installed. After installation of the Zeus botnet client, the malware dropper attempts to conceal the infection by replacing itself with the real Slowloris DoS tool. Zeus is an advanced malware program that cannot be easily removed. The Zeus client is being actively used to record and send financial banking credentials and webmail credentials to the botnet operator. Additionally, the botnet is being used to force participation in DoS attacks against Web pages known to be targets of Anonymous hacktivism campaigns."

Full information can be found Here



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Flashback Botnet Originated From Hacked & Malware-rigged WordPress Sites -Said Researchers

Posted by Avik Sarkar On 4/22/2012 02:21:00 pm

Flashback Botnet Originated From Hacked & Malware-rigged WordPress Sites -Said Researchers

Massive Flashback botnet that hit more than 60K Mac PC world wide originated from hacked and malware-rigged WordPress blog sites. Researchers figure out there were between 30,000 and 100,000 WordPress sites infected in late February and early March, 85% of which are in the United States.
Kaspersky Lab researchers say the infected WordPress blog sites were rigged with code that silently redirected visitors to a malicious server. "When the connection was made to the malicious server, that server would determine which OS was running and serve exploits accordingly," says Roel Schouwenberg, senior researcher for Kaspersky. It was a pay-per-install scheme to spread malware, including the Flashback Trojan.
Most researchers say a gradual decline in machines infected by the Trojan is still underway: As of Thursday, there were about 140,000 infected Macs still out there, according to Symantec, and Kaspersky says it sees only about 30,629 Flashback-infected bots in its sinkhole. Still on the horizon, too, is the possibility of a Flashback comeback, with the command-and-control servers sending their bots updates. "We are watching the command-and-control domains used to control this botnet for any updates ... We haven't seen any new updates being delivered," said Liam O Murchu, manager of operations for Symantec Security Response. "Flashback generates new domains every day, which shows us the attackers have probably written malicious code before. They are aware that their botnet could be taken down with a single domain, so they generate a new one every day." To see the full story click here


Earlier also Mac users faced such attacks when mac Trojan OSX.SabPub was spreading through Java exploits In 2011 we have also seen OSX/Revir-B trojan was installed behind a PDF, and giving hackers remote access to MAC computers, not only Revier-B also Linux Tsunami trojan Called "Kaiten" targeted Mac OS users in 2011. Also another malware named "Devil Robber" which was also make MAC users victim while stealing their personal informations.




SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Microsoft Handover The Rustock Botnet Case to FBI

Posted by Avik Sarkar On 9/23/2011 01:25:00 am


Microsoft lawyers have sealed their victory over the operators of what was once the world's biggest source of spam after winning a court case giving them permanent control over the IP addresses and servers used to host the Rustock botnet. The seizure was completed earlier this month when a federal judge in Washington state awarded Microsoft summary judgement in its novel campaign against Rustock, which at its height enslaved about 1.6 million PCs and sent 30 billion spam messages per day. The complex legal action ensured that IP addresses and more than two dozen servers for Rustock were seized simultaneously to prevent the operators from regrouping.
Now the attorneys are turning over the evidence obtained in the case to the FBI in hopes that the Rustock operators can be tracked down and prosecuted. Microsoft has already offered a $250,000 bounty for information leading to their conviction. It has also turned up the pressure by placing ads in Moscow newspapers to satisfy legal requirements that defendants be given notice of the pending lawsuit.
According to court documents, the Rustock ringleader is a Russian citizen who used the online handle Cosma2k to buy IP addresses that hosted many of the Rustock command and control servers. Microsoft investigators claimed the individual distributed malware and was involved in illegal spam pitching pharmaceutical drugs.
“This suggests that 'Cosma2k' is directly responsible for the botnet as a whole, such that the botnet code itself bore part of this person’s online nickname,” the Microsoft motion stated. In a blog post published Thursday, Microsoft said the number of PCs still infected by Rustock malware continued to drop. As of last week, a fewer than 422,000 PCs reported to the seized IP addresses, almost a 74 percent decline from late March. It also represented significant progress since June, when almost 703,000 computers were observed.
The Rustock takedown has been a rare bright spot in the ongoing fight against computer crime. After it was initiated, federal authorities waged a similar campaign against Coreflood, another notorious botnet estimated to have infected 2 million PCs since 2002. In a step never before taken in the US, federal prosecutors obtained a court order allowing them to set up a substitute command and control server that forces infected machines to temporarily stop running the underlying malware. Taking down botnets is a good start, but it does little stop criminals from setting up new ones. Microsoft's determination in tracking down Cosma2k and his cronies could go a step further, by showing would-be botherders there are consequences to their crimes, no matter where in the world they may be located.

-News Source (Microsoft, Register & CNET)


SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

BoNeSi- A New DDoS Botnet Simulator Tool Available For Download

Posted by Avik Sarkar On 7/08/2012 01:12:00 pm

BoNeSi- A New DDoS Botnet Simulator Tool Available For Download 

After Armageddon now we got BoNeSi, the DDoS Botnet Simulator is a Tool to simulate Botnet Traffic in a testbed environment on the wire. It is designed to study the effect of DDoS attacks. BoNeSi generates ICMP, UDP and TCP (HTTP) flooding attacks from a defined botnet size (different IP addresses). BoNeSi is highly configurable and rates, data volume, source IP addresses, URLs and other parameters can be configured. There are plenty of other tools out there to spoof IP addresses with UDP and ICMP, but for TCP spoofing, there is no solution. BoNeSi is the first tool to simulate HTTP-GET floods from large-scale bot networks. BoNeSi also tries to avoid to generate packets with easy identifiable patterns (which can be filtered out easily).
It is highly recommend to run BoNeSi in a closed testbed environment. However, UDP and ICMP attacks could be run in the internet as well, but you should be carefull. HTTP-Flooding attacks can not be simulated in the internet, because answers from the webserver must be routed back to the host running BoNeSi. A demo video of BoNeSi in action can be found here.

To Download BoNeSi Click Here


SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Bredolab Botnet Author -Georgiy Avanesov Received 4 Years Imprisonment

Posted by Avik Sarkar On 5/27/2012 10:14:00 pm

Bredolab Botnet Author -Georgiy Avanesov Received 4 Years Imprisonment


Georgiy Avanesov, a 27-year-old Russian man, the creator of the Bredolab botnet received a four-year imprisonment by Armenian court. In October 2010, Dutch investigators were able to take control of the Bredolab botnet's 143 command & control servers and take them offline. The Dutch law enforcement authorities worked with security specialist Fox IT to track down Avanesov, which eventually led to his arrest at an airport in the Armenian capital of Yerevan. At the time it was running, the Bredolab trojan was estimated to have infected more than 30 million Windows PCs around the world and was capable of infecting three million new PCs a month through infected emails. 
Avanesov was found guilty of computer sabotage, started operating the botnet in 2009 and used it for distributed denial-of-service (DDoS) attacks and for sending over 3.6 billion spam email messages per day. The BBC estimates that Avanesov earned approximately €100,000 (£80,000) per month with Bredolab, also known as Oficla.













SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

19 Million+ UK Households Being Used As Cyber Weapon (Botnets)

Posted by Avik Sarkar On 12/10/2011 05:51:00 pm


You are also a cyber criminal. Don't get panic, we are sorry to say this for that is truth. An exclusive report is saying that more than a million households of UK is either used or misused as cyber weapons meainly Botnets.
Dutch researchers investigating ways to curtail the hijacking of domestic computers for criminal use, found that more than one million UK households’ PCs are linked to criminal networks known as ‘botnets’, which are groups of Internet-connected computers that have been compromised by a third party and put to malicious use. With around 6% of the UK’s 19m Internet households thought to be part of a botnet, this helps criminals spread spam around the Web more effectively, whilst it can also be used to attack websites and even garner bank details from the unsuspecting public.
The data was gathered from a number of different sources, though most emanated from what is known as ‘spam traps’, which are fake email addresses set up for the sole purpose of receiving junk mail. It’s thought that more than 90% of spam is sent through botnets, and it’s the Internet addresses on these botnets which are a good indicator of where the so-called ‘drone’ machines are located. The researchers then used the IP addresses of the machines that were sending the spam, and traced each one to an Internet Service Provider (ISP). And feeding into this was data about the Conficker botnet, which is thought to be one of the biggest examples of such a network, and incident reports from a computer security company called DShield. The UK figure is placed at number 19 in the top 20 nations with the biggest botnet problem, but it’s roughly in-line with the global average which sits at around 5-10% of domestic computers that are thought to be linked to botnets. Greece and Israel were way out on top, though, with around a fifth of all broadband subscribers thought to be unwittingly recruited into botnets. 
It goes without saying that the biggest ISPs have the biggest botnet problem. It has been figured out that the level of spam on BT’s network peaked at the end of July 2010, at which point more than 30m junk email messages were being sent each week.  

Here is a Statistic:- 


The good news, however, is that these figures have fallen sharply since then with a number of anti-cyber crime groups helping to bring down some of the biggest botnets. One takedown earlier this year saw spam fall massively overnight, when just an entire network, called Rustock, stopped sending junk.




SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Microsoft Seized Two Command & Control Server of Zeus Botnet

Posted by Avik Sarkar On 3/28/2012 12:42:00 am

Microsoft Seized Two Command & Control Server of Zeus Botnet 
Cyber crime investigator at Microsoft have shutdown two botnet server powered by "Zeus". It has been reported that Microsoft’s Digital Crimes Unit coordinated with several financial services organizations and the United States seized the two command-and-control servers of Zeus on Friday, March 23. After shutting down the servers, It has been found that more than $100 million have already been stolen and also an estimated 13 million computers ware infected and connected with those two CNC server of Zeus. The raid came after Microsoft filed a civil lawsuit, partly under the Racketeer Influenced and Corrupt Organizations Act. The company has combined legal tactics with cyberforensics three other times since 2010 to shut down command-and-control servers used to direct large botnets. Last week Microsoft officially declared that they are working closely with US authorities and financial services companies to disrupt two Zeus botnets. So there is no doubt that this is indeed a huge success for Microsoft. 
Brief Overview of Zeus Trojan:- 
The Zeus banking Trojan intercepted user credentials for online banking accounts with a keylogger and transferred money out of victims’ bank accounts. The malware was sophisticated enough to display a fake page showing the normal account balance instead of the actual amount, which meant victims weren’t aware of the thefts immediately. Zeus crimeware kits are available on underground forums for anywhere between $700 and $15,000. There’s even an “open source” version of the toolkit which is available for free.

"Cybercriminals have built hundreds of botnets using variants of Zeus malware," Richard Boscovich, a senior attorney with Microsoft’s Digital Crimes Unit, wrote on the Official Microsoft Blog.
Last week we have also discussed about another dangerous botnet or in other word the next generation cyber weapon named Duqu. After a decent period finally the researchers have solved the Duqu Mystery

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Hackers Exploiting Old Ruby on Rails Vulnerability To Compromise Web Servers & Create Botnet

Posted by Avik Sarkar On 6/03/2013 09:06:00 pm

Hackers Exploiting Old Ruby on Rails Vulnerability (CVE-2013-0156) To Compromise Web Servers & Create IRC Botnet
A critical vulnerability on Ruby on Rails spotted in January this year which was deemed “critical” at the same time yet again found in the wild. The vulnerability known as CVE-2013-0156 that affected versions 3.0.20 and 2.3.16 again rises it's hand. Though a security patch was released by the Rails developers. But as we all know that many server administrator used to be unaware of these events have not patched their systems. As a result hackers and cyber criminals are actively exploiting a critical vulnerability in the Ruby on Rails Web application development framework in order to compromise Web servers and create a dangerous botnet. This major security issue was first discovered by a security consultant Mr. Jeff Jarmoc of research firm Matasano Security. In his blog Jarmoc said "It’s pretty surprising that it’s taken this long to surface in the wild, but less surprising that people are still running vulnerable installations of Rails. It also appears to be affecting some web hosts." According to his blog post -the exploit that's currently being used by attackers adds a custom cron job -- a scheduled task on Linux machines that executes a sequence of commands. Those commands download a malicious C source file from a remote server, compile it locally and execute it. The resulting malware is a bot that connects to an IRC (Internet Relay Chat) server and joins a predefined channel where it waits for commands from the attackers. A pre-compiled version of the malware is also downloaded in case the compilation procedure fails on the compromised systems.
"Functionality is limited, but includes the ability to download and execute files as commanded, as well as changing servers," Jarmoc said. "There's no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands." But the matter of relief is that Jarmoc concluded while saying "this is a pretty straightforward skiddy exploit of a vulnerability that has been publicly known, and warned about, for months."

But still administrators who have not yet patched their Rails version should immediately should update the Ruby on Rails installations on their servers to at least versions 3.2.11, 3.1.10, 3.0.19 or 2.3.15 which contain the patch for this vulnerability. However, the best course of action is probably to update to the latest available Rails versions, depending on the branch used, since other critical vulnerabilities have been addressed since then. 

Brief About RoR:- Ruby on Rails is a popular framework for developing Web applications based on the Ruby programming language and is used by major websites including Hulu, GroupOn, GitHub and Scribd.







SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Judge Nicholas Loraine-Smith : Ryan 'LulzSec Hacker' is Banned From seeing His Girlfriend Alone

Posted by Avik Sarkar On 9/02/2011 02:20:00 pm

On the face of it, teenager Ryan Cleary appears the archetypal computer geek who retreated from the real world into a digital one. When he was charged with hacking into the website of the Serious Organized Crime Agency, observers branded him a recluse who needed to 'get a girlfriend'. But he was already dating Amy Chapman, 19, - and now a judge has refused his request to see her alone. The Aspergers sufferer is said to be a key member of the computer hacking network LulzSec, which has been blamed for attacks on the Serious Organised Crime Agency, the CIA, Sony and News International. He is alleged to have controlled a 'botnet' of up to half a million compromised computers which he used to launch 'denial of service' attacks against websites. He was charged in June and bail conditions imposed in court stipulate that he can only leave his home address with a parent.
Addressing London's Southwark Crown Court, his defence barrister Ben Cooper asked for this to be changed so Cleary could see Miss Chapman without his parents being present.

Refusing the application, Judge Nicholas Loraine-Smith said: 'I will not consider making a variation until the police have interviewed her and that they are satisfied that she is responsible enough to take on the duty.’ Cleary and fellow alleged LulzSec member Jake Davis, 18, were not required to attend the hearing. Davis is said to have operated from his bedroom in the Shetland Islands and used the online name Topiary.
The judge issued a stark warning to both defendants to comply with their bail conditions as he fixed their plea and case management hearing for January 27, 2012. 'First of all bail has to be on the same stringent terms for both of these defendants and I reiterate, as I did to one of them who has appeared before me, that if they breach any of these conditions they can be arrested and brought before the court and almost certainly remanded in custody,' he said.
Cleary, of South Beech Avenue, Wickford, Essex, is charged with five offences under the Computer Misuse and Criminal Law Acts.
He is alleged to have taken part in a denial of service attack - which cripple websites by overwhelming them with requests for data – that briefly brought down SOCA's site.
Cleary is also accused of involvement in two similar attacks on the websites of both the International Federation of the Phonographic Industry and its British counterpart on November 28 and October 29 respectively. A further charge alleges that he 'made, adapted, supplied or offered to supply' access to a 'botnet' - a network of computers, hijacked without their owners' knowledge - for use in the attacks.
Each of the three charges relating to DoS attacks carry a maximum jail sentence of 10 years, while the botnet charge could result in up to two years imprisonment. Davis, of Hoofields, Lerwick, Shetland, is alleged to have played a leading role in LulzSec, a group that was said to have been disbanded after being linked to attacks on a number of high-profile sites.
He is charged with gaining unauthorized access to a computer system, encouraging or assisting offences and two counts of conspiracy to commit offences.
He also faces a charge of conspiring to carry out a distributed denial of service attack - where a website is flooded with traffic to make it crash - on the Serious and Organised Crime Agency website.

-News Source (Mail Online)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Sony Hackers LulzSec Strike FBI Affiliate InfraGard

Posted by Avik Sarkar On 6/05/2011 03:47:00 pm


LulzSec, the hacking group that has been identified as being behind the latest attack on Sony, has struck again—this time targeting a private-sector FBI affiliate called InfraGard.
InfraGard is a non-profit organization that connects the business community with law enforcement. It has about 42,000 members, including FBI agents, according to its website, and has an FBI special agent coordinator at each the bureau's field offices who recruits interested civilians nearby to form local InfraGard chapters. The InfraGard hack was part of a LulzSec action it called "Fuck FBI Friday" and culminated in the anonymous hacking group's publication of InfraGard e-mails, passwords and personal contact information for about 180 members on Friday. One LulzSec tweet late Friday promised "700MB in emails" via a link to a torrent file. LulzSec also defaced the InfraGard Atlanta website with a YouTube video challenging its target to "LET IT FLOW YOU STUPID FBI BATTLESHIPS," according to reports.
The hack of InfraGard that netted all the data published Friday seems to have occurred about a week or more ago. One InfraGard member told CNET Friday that he was contacted by a hacker group via email on May 26.
Karim Hijazi, CEO of botnet-tracking company Unveillance, said the hackers threatened to publish information about him found on InfraGard if he didn't give them sensitive security information about botnets. Botnets are networks of personal computers used by hackers and spammers who have slaved those PCs to the botnet either from volunteers, as is the case with the Anonymous hacking group's botnet, or from unsuspected PC users through a computer virus. Hijazi said that about a week before the first email came from "unveillance.owned@husmail.com," his company had detected attempts to crack the Unveillance corporate network with iPredator, a VPN tunneling tool. He also told CNET that he believed an unknown person had listened in on a company conference call. In a later IRC chat with his tormenters, the LulzSec hackers threatened to post a recording of a company call they said they had listened in on. "They had me under the gun for a little over a week with threats and extortion," Hijazi told CNET. "The very nature of having to contend with someone who is holding something ransom is not pleasant."


SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Armageddon (DDoS Botnet) Started Integrating Apache Killer Exploit

Posted by Avik Sarkar On 3/09/2012 05:50:00 pm

Armageddon (DDoS Botnet) Started Integrating Apache Killer Exploit

The latest version of Denial of Service Bot (DDoS) named Armageddon integrates a relatively new exploit known as Apache Killer. Armageddon is a Russian malware family exclusively designed to launch DDoS attacks. Because it is sold as a toolkit on underground forums, there is more than one Armageddon-powered botnets on the Internet. Aside from the Apache Killer exploit, the latest Armageddon version also incorporates other application-layer DDoS techniques that target popular Internet forum platforms like vBulletin or phpBB, however these are not particularly ground-breaking.
The Apache Killer exploit was released in August 2011. It exploits a vulnerability in the Apache Web server by sending a specially crafted "Range" HTTP header to trigger a denial-of-service condition. The attack is particularly dangerous because it can be successfully executed from a single computer and the entire targeted machine needs to be rebooted in order to recover from it. The vulnerability exploited by Apache Killer is identified as CVE-2011-3192 and was patched in Apache HTTPD 2.2.20, a week after the exploit was publicly released. Apache 2.2.21 contains an improved fix.
Recommendation:-
System administrators should upgrade their Apache servers to the latest available version or should implement known work arounds. "There is an update to the Apache mod_security module that attempts to address this type of attack by filtering requests with 'Range' headers that are too large.

-Source (PC World)




SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Popular Gaming Site of France Infecting Visitors With ZeuS

Posted by Avik Sarkar On 4/17/2012 12:29:00 pm

Popular Gaming Site of France Infecting Visitors With ZeuS 

Researcher from Anti-virus company and security firm Avast, has find out that a French website of popular game Assassin’s Creed has been serving ZeuS malware variants to its visitors for over 8 weeks. The site has been infected with a Trojan java script redirector that sends visitors to a Russian malware site and connects them to a ZeuS powered botnet. The infection was last confirmed by the AVAST Virus Lab at 12.00 CET, April 10, 2012. And, just to make it clear, this Assassinscreedfrance.fr site is not affiliated with Ubisoft, the developers of the Assassin’s Creed franchise. 
The web site is currently returning a Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /homepages/23/d207590046/htdocs/wp-content/plugins/countdown-timer/fergcorp_countdownTimer.php on line 1050 error message. 
According to Avast official blog post - So far, Avast has blocked over 179,800 visits by its users to this site. And, Assassinscreedfrance.fr is just one of 1,841 sites around the globe that has been infected with this specific Trojan during the month of March. The infection, a Trojan redirector, sends users to Russian malware distribution server with an IP registered in Saint Petersburg, Russia. And yes, this sever is still working, even after Microsofts’ recent takedown of a few dozen botnet servers. The infection at Assassinscreedfrance.fr is located in the countdown timer in the JavaScript module, a common WordPress plugin. Other sites had infections hitting a wide range of WordPress vulnerabilities. “The bad guys are using an automatic tool that is looking for some holes,” said Jan Sirmer, analyst from the AVAST Virus Lab. “Assassinscreedfrance.fr may have become vulnerable by using an outdated version of WordPress, even though their JavaScript plugin is up-to-date. For the rest of these sites, we can safely say that older programs and plugins are common ways to get infected.” 

-Source (Avast Blog)




SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Related Posts Plugin for WordPress, Blogger...

Site search