Posts Tagged Botnet

Zeus Trojan infects machines at some 2,500 organisations around the globe

Over the past 18 months more than 75,000 machines worldwide have been infected by the Zeus Trojan, according to the security company NetWitness; the infected computers were used to steal online banking, social networking and e-mail credentials.

Among the victims are major companies such as Merck, Cardinal Health, Paramount Pictures and Juniper Networks. NetWitness says the criminals are probably an Eastern European group operating through a server located in Germany, and that they spread the malware with e-mails carrying malicious attachments or by redirecting victims to a malicious website.

The activity does not stop there: on 26 January the researchers found 76 gigabytes of data stolen by the Trojan, including some 68,000 corporate logins as well as online banking credentials and Facebook, Yahoo and Hotmail passwords.

According to NetWitness the attackers are still actively exploiting vulnerabilities to spread their malware around the globe, and they control the infected machines remotely through several channels, including the peer-to-peer Waledac botnet.

ZeuS consists of two main parts:
1. Command and control (panel): a set of server-side scripts, including the admin area, installed on the attacker's server.
2. Bot: the Win32 Trojan that runs on the victim's side.

The main features of Zeus are:
1- Hidden from the Windows process list.
2- Bypasses most personal firewalls.
3- Works under restricted (non-administrator) Windows accounts.
4- The bot executable is encrypted.
5- Disables the Windows Firewall, which opens the way for incoming messages and commands.
6- All settings, including configuration, logs and commands, are passed over HTTP in encrypted form (HTTPS can also be used).
7- A separate configuration file lets the bots locate the operators again if they lose access to the main server.
8- A backup configuration file is available in case the main configuration is lost.
9- Works with any browser, because it intercepts traffic inside the browser's own network library (wininet.dll for Internet Explorer and other wininet-based browsers such as AOL; Firefox does not use wininet and is hooked through its own network library).
10- Intercepts all activity on the machine with a built-in keylogger.
11- Simple, transparent redirection of URLs to fake web sites (GET and POST requests, etc.).
12- Collects all SSL/TLS client certificates imported by the victim and sends them to the server.
13- POP3 and FTP credential grabber.
14- Searches the hard disk and uploads a specific file chosen by the attacker.
15- Screenshots in real time.

As you can see, it is very easy for such a bot to reach a person's sensitive information, so keep your system and antivirus definitions up to date to have the best protection against new threats. Bear in mind, though, that Zeus builds are repacked constantly and signatures lag behind; the behaviour in the list above (hooks in the browser's network library, outbound HTTP POSTs of form data to unfamiliar hosts) is the more reliable thing to watch for.
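Feature 6 above (configuration, logs and commands travel over HTTP in encrypted form) is what makes the traffic of a Zeus infection look like noise to a network monitor. The block below is an added example, not code from this post or from the Zeus kit: it reconstructs the layering that public Zeus analyses describe (RC4 with a key compiled into each bot build, plus the byte-chaining XOR layer that analysts of the 2.x line call "visual encryption") and shows the key-recovery check an analyst runs against a captured config. The key, the config text and the candidate-key list are constructed placeholders, not values from any sample.

```python
"""Added example, not code from the post or from the ZeuS kit itself.

Public ZeuS analyses describe the config file and the bot's HTTP traffic as
RC4-encrypted with a key compiled into each bot build; the 2.x line adds a
byte-chaining XOR layer on top ("visual encryption"). Everything below is
reconstructed from that description. SAMPLE_KEY, SAMPLE_CONFIG and the
candidate keys in the demo are constructed placeholders.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: one function encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def visual_encrypt(data: bytes) -> bytes:
    """Chain each byte with the previous *output* byte (forward XOR)."""
    buf = bytearray(data)
    for i in range(1, len(buf)):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def visual_decrypt(data: bytes) -> bytes:
    """Undo visual_encrypt: walk backwards so buf[i-1] is still ciphertext."""
    buf = bytearray(data)
    for i in range(len(buf) - 1, 0, -1):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def pack_config(key: bytes, plaintext: bytes) -> bytes:
    """Bot/panel side: visual layer first, RC4 on top."""
    return rc4(key, visual_encrypt(plaintext))


def unpack_config(key: bytes, blob: bytes) -> bytes:
    """Analyst side: reverse the layers."""
    return visual_decrypt(rc4(key, blob))


def looks_like_config(data: bytes) -> bool:
    """ZeuS configs are plain text built from 'entry ... end' sections; a wrong
    RC4 key yields pseudo-random bytes, so a printable check tells them apart."""
    return data.startswith(b"entry") and all(
        32 <= b < 127 or b in b"\r\n\t" for b in data
    )


def find_key(candidates, blob: bytes):
    """Try keys pulled from a memory dump (or the bot's static config block)
    until one yields a readable config. Returns (key, plaintext) or None."""
    for key in candidates:
        plain = unpack_config(key, blob)
        if looks_like_config(plain):
            return key, plain
    return None


# Constructed sample: placeholder key and a tiny config in ZeuS's text style.
SAMPLE_KEY = b"placeholder-key-from-bot-memory"
SAMPLE_CONFIG = (
    b"entry \"DynamicConfig\"\n"
    b"  url_loader \"http://c2.example.invalid/bot.exe\"\n"
    b"  url_server \"http://c2.example.invalid/gate.php\"\n"
    b"end\n"
)

if __name__ == "__main__":
    blob = pack_config(SAMPLE_KEY, SAMPLE_CONFIG)
    print("on the wire:", blob[:16].hex(), "...")
    hit = find_key([b"wrong-guess", SAMPLE_KEY], blob)
    print("recovered with key", hit[0], ":\n", hit[1].decode())
```

The practical point is in `find_key`: the RC4 key is a per-build constant inside the bot binary, so a captured config or gate.php POST stays unreadable until that key is pulled from a memory dump or the unpacked sample; once you have it, the config is plain text that names the C&C URLs.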


New Worm Attacking Skype users

Security experts at Trend Micro have warned of a new attack targeting Skype users: a botnet similar to Koobface, which caused a big panic on Facebook.

According to the report, the bot steals the user's contact list, phone numbers, location and other Skype profile information, then spreads by sending those contacts instant messages containing links to an infected website that hosts the Trojan.

Here is what Trend Micro says about it:

Though TROJ_VILSEL.EA’s behavior is largely similar to previous Koobface variants (the target application excluded), it is actually not a member of the infamous malware family. Both the malicious code and network behavior differ from previously known Koobface variants. It would not be a great surprise, however, if the actual Koobface cybercriminals produce their own variant with this behavior.

This development only highlights the ingenuity of cybercriminals in going after targets using tried-and-tested ways to spread their malicious creations. Trend Micro Smart Protection Network protects users from this attack by blocking access to the malicious URL, thereby preventing users’ systems from getting infected.

The most important thing now is to check the PC you use for Skype and other VoIP applications for rootkits and Trojans.


Donbot Leads the Way to Twitter Spam

Once more, major botnets are using social networking websites to spread spam.

Symantec's MessageLabs warned recently that Donbot has started a massive new spam run; from 18 November the lab measured it at 4% of global spam traffic.

The spam message offers work from home at 100-200 dollars a day; to be considered for the opportunity the victim has to send an initial payment and then wait for the golden ticket.

The message also includes an image linking to a Twitter page, which gives the spammers a way to hijack Twitter accounts and spam other users.
This shows that HTTP links in instant messaging conversations are increasingly the way in for "instant malware".

If you receive a message on Twitter, do not click the short link directly; check the original URL first. LongURL.org expands short URLs so you can see where a link really takes you before visiting it, which helps you avoid phishing, malware and viruses.

On Mozilla Firefox you can also use the Tamper Data plugin, which is built for testing web application security and lets you watch the requests and responses a link triggers.
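The advice above (expand a short URL before you visit it) can be scripted as well as done through LongURL.org. The following is an added example, not code from this post and not LongURL.org's code: it follows a short link's redirect chain with HEAD requests only, so the landing page is never fetched or rendered, and it raises a few red flags a reader should see before clicking. The shortener, tracker and hostnames in the sample chain are constructed (`.example` names never resolve), so the demo runs offline.

```python
"""Added example, not code from the post and not LongURL.org's code: resolve
a short link by following redirect headers only (HEAD requests, no page body),
so you learn where the link really goes before visiting it.

live_head() is the real fetcher (standard library only). FAKE_WEB is a
constructed redirect chain for running the example offline.
"""
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(HTTPRedirectHandler):
    """Refuse to follow redirects automatically; expand() walks each hop itself."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_head(url: str):
    """One hop over the network: (HTTP status, Location header or None)."""
    opener = build_opener(_NoRedirect)
    try:
        with opener.open(Request(url, method="HEAD"), timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:       # urllib raises for 3xx once we refuse to follow
        return err.code, err.headers.get("Location")


def expand(url: str, head=live_head, max_hops: int = 10):
    """Return every URL in the chain, short link first, final target last.

    A redirect loop or more than max_hops hops raises ValueError; both are
    themselves a reason to be suspicious of the link."""
    chain = [url]
    while True:
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = urljoin(chain[-1], location)      # Location may be relative
        if nxt in chain:
            raise ValueError(f"redirect loop at {nxt}")
        if len(chain) - 1 >= max_hops:
            raise ValueError("too many redirects")
        chain.append(nxt)


def warnings_for(chain):
    """Cheap red flags to show a human before they click."""
    parts = urlsplit(chain[-1])
    flags = []
    if parts.scheme not in ("http", "https"):
        flags.append(f"non-web scheme: {parts.scheme}")
    if parts.path.lower().endswith((".exe", ".scr", ".zip", ".pif")):
        flags.append("final URL points at an executable or archive")
    if len(chain) - 1 > 2:
        flags.append(f"{len(chain) - 1} redirect hops")
    return flags


# Constructed chain standing in for a shortener, a tracker and a landing page.
FAKE_WEB = {
    "http://short.example/a1b2": (301, "http://track.example/go?id=7"),
    "http://track.example/go?id=7": (302, "/land/setup.exe"),
    "http://track.example/land/setup.exe": (200, None),
}


def fake_head(url: str):
    return FAKE_WEB.get(url, (404, None))


if __name__ == "__main__":
    chain = expand("http://short.example/a1b2", head=fake_head)
    print(" -> ".join(chain))
    for w in warnings_for(chain):
        print("WARNING:", w)
```

Swap `fake_head` for the default `live_head` to resolve a real link. Using HEAD and refusing automatic redirects keeps the check from ever executing the landing page, which is the whole point: a malicious short link that leads to a drive-by page is only dangerous once a browser renders it.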


iPhone Next up for Hackers

Botnets are becoming the biggest threat and have reached every kind of system on the globe, mobile devices included; I don't think there is a person who has not been a victim of a botnet in some way. Many people think their operator is responsible for the spam they receive, but this is not true.

Security professionals try to anticipate the damage before it happens and fix the serious issues; today hackers have changed the landscape to get more out of their cybercrime.

The first point to note is that modern phones have wireless adapters, which keeps them always online and exposed to this kind of attack. Here are some characteristics of phones that show what an attacker gains from mobile-phone zombies compared with classic infected machines:

1. Fast IP address changes.
2. Low connection speed.
3. Ability to receive commands over the GSM network without the Internet (SMS, etc.).
4. No antivirus or antispyware on the device.
5. No traffic monitoring by the owner.
6. Personal data stored on the phone (credit card numbers, PINs, accounts, addresses, and so on).
7. Calls and SMS sending.
8. Location on the map via GSM cells or GPS (if the phone has a receiver).
9. The microphone as a listening device.

As you can see, these nine features serve hackers perfectly, and the list could be extended.

So what tactics do hackers use to build such botnets?

Usually they start by scanning the network for vulnerable hosts. On the IP network a computer is identified by its address; a phone additionally carries an IMEI, a unique code issued by the manufacturer, which the cellular operator uses to identify a handset (this is how a stolen phone can be found on the network if you lose it). The same IMEI gives the zombie network a stable identifier for the phone.

After the phone is identified, a Trojan has to be executed, through an infected website or some other route. It acts as a back door, opening a port on the phone and waiting for instructions from a remote host; from then on the phone does whatever the attacker wants, whether sending spam for advertising, changing the wallpaper or listening to conversations. With no antivirus and no firewall-style traffic control on the phone, it stays part of the botnet.
Here is the first iPhone worm, discovered and reported today by Sophos. It spread over SSH between jailbroken iPhones that still had the default root password.

The good news is that this botnet is not very big, but we should be very careful about the sources of iPhone software and what we install (games, applications...); on a jailbroken phone, change the default root password and do not leave SSH listening.


DDoS Attack Targets Swedish Police Network

According to The Local, the Swedish police website was hit by a DDoS attack last week that completely disrupted the official site.

At peak normal load the server handles about 800 requests per second; during the attack it saw about 400,000 requests per second, which the report describes as five times the normal peak (400,000 against 800 would actually be a 500-fold increase, so one of the two figures is mis-stated).

The number of DDoS attacks has grown significantly, making them one of the biggest threats on the Internet. Looking back, the earliest DDoS attacks were aimed mainly at disrupting IRC servers. In 1997 a vulnerability in the Windows TCP/IP stack let attackers knock remote systems over with crafted packets, using a number of tools. Another notorious incident came in 2000, when the web services of many popular sites, including Yahoo, CNN and eBay, were taken down. In October 2002 the root DNS servers were hit by a DDoS attack that put 7 of the 13 out of service. And now we are seeing distributed denial-of-service attacks against social networking websites such as Twitter and Facebook...
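The figures above (about 800 requests per second at a normal peak against roughly 400,000 during the attack) point at the simplest detection signal for this kind of flood: requests per second, both in total and per source. As an added example, not code from this post or from the Swedish police, here is that check run over web-server access log lines in the common Apache/nginx combined format. The log lines are constructed, and the two thresholds are parameters you would set from your own baseline.

```python
"""Added example, not code from the post: requests-per-second check over
web-server access log lines (Apache/nginx combined format).

SAMPLE_LOG is constructed; total_rps_limit and per_ip_rps_limit are the
thresholds you would derive from your own normal peak (the post's site: ~800/s).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return (source_ip, timestamp truncated to the second, request line) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.replace(microsecond=0), m.group("req")


def rate_report(lines, total_rps_limit: int, per_ip_rps_limit: int):
    """Count requests per second, overall and per source IP, and return every
    second where either limit is exceeded together with the noisy sources."""
    per_second = Counter()
    per_second_ip = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:      # malformed line: skip (a flood of those is itself a signal)
            continue
        ip, ts, _ = parsed
        per_second[ts] += 1
        per_second_ip[ts][ip] += 1

    findings = []
    for ts in sorted(per_second):
        total = per_second[ts]
        noisy = {ip: n for ip, n in per_second_ip[ts].items() if n > per_ip_rps_limit}
        if total > total_rps_limit or noisy:
            findings.append({
                "second": ts.isoformat(),
                "total": total,
                "distinct_sources": len(per_second_ip[ts]),
                "noisy_sources": noisy,
            })
    return findings


def _line(ip: str, second: int) -> str:
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [24/Oct/2009:10:15:{second:02d} +0200] '
            f'"GET / HTTP/1.1" 200 5123 "-" "Mozilla/4.0"')


# Constructed sample: a flood second (many sources, one request each),
# a second with one noisy host, and a quiet second.
SAMPLE_LOG = (
    [_line(f"203.0.113.{i}", 1) for i in range(1, 7)]
    + [_line("198.51.100.7", 2)] * 3
    + [_line("192.0.2.9", 3)]
)

if __name__ == "__main__":
    for f in rate_report(SAMPLE_LOG, total_rps_limit=4, per_ip_rps_limit=2):
        print(f)
```

Note the difference between the two findings: the flood second trips the total limit with every source sending a single request, which is exactly what a botnet does and why a per-IP rule on its own misses a DDoS; the second finding is one noisy host, the case a per-IP rule is for. Against a real 400,000 requests per second the web server log is itself the bottleneck, so this kind of counter belongs upstream (load balancer or provider), with the server log used for confirmation.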

Stopping DDoS attacks depends on the whole Internet community: protect your machine from the malware that is used to run these attacks. The largest botnets are:

Conficker: 10 million+ machines
Kraken: 495,000 machines
Srizbi: 315,000 machines
Bobax: 185,000 machines
Rustock: 150,000 machines
Storm: 85,000 machines


What’s wrong with Twitter?

On 6 August Twitter went down for a pretty long period. After a while a brief message on the Twitter status page said they were fighting off a DDoS attack. Most interesting of all, the same distributed denial-of-service attack also affected Facebook, LiveJournal and Google's Blogger.

The idea of a distributed denial-of-service (DDoS) attack is that computers compromised by viruses or other malware are instructed by the attacker to visit specific websites all at the same time and repeatedly. The barrage of connection requests overwhelms the target sites, so legitimate web traffic can't get through.

Such an attack needs tens of thousands of machines, which together form a botnet, and can take any website down within seconds; and those machines are bought and sold, as in the case of the Finjan report "Your PC might be traded online, without you knowing about it!".

To avoid becoming part of a botnet, install an antivirus with the latest signatures and, from time to time, run the netstat command on Windows to look for unusual connections from your PC (netstat -ano also shows the process ID owning each connection, which you can match against Task Manager).
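The netstat check at the end of the post can be made repeatable. The block below is an added example, not code from this post: it parses the output of `netstat -ano` on Windows (the `-o` column is the owning process ID) and flags connections that deserve a look. The sample output is constructed, and the rules are heuristics (IRC ports, because classic bots took their commands over IRC; remote ports a desktop does not normally talk to; several connections from one process to the same remote host), so treat a finding as a prompt to inspect the process, not as proof of infection.

```python
"""Added example, not code from the post: parse `netstat -ano` output from
Windows and point out connections that deserve a second look.

SAMPLE_NETSTAT is constructed. The port sets and limits are heuristics for
a typical desktop, not a rule set from any product."""
import re
from collections import defaultdict

NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"\s+(?P<state>[A-Z_]+)?\s*(?P<pid>\d+)\s*$"
)

# Remote ports a desktop normally talks to; anything else is reported.
EXPECTED_REMOTE_PORTS = {25, 53, 80, 123, 443, 587, 993, 995}
# Classic IRC-controlled bots; worth a look whenever a desktop process uses them.
IRC_PORTS = {6667, 6668, 6669, 6697, 7000}


def parse_netstat(text: str):
    """Turn raw `netstat -ano` output into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        rhost, _, rport = m.group("remote").rpartition(":")
        rows.append({
            "proto": m.group("proto"),
            "local": m.group("local"),
            "rhost": rhost,
            "rport": int(rport) if rport.isdigit() else None,   # "*:*" for UDP
            "state": m.group("state") or "",
            "pid": int(m.group("pid")),
        })
    return rows


def suspicious(rows, same_host_limit: int = 5):
    """Return (pid, reason) pairs for established TCP connections that match a heuristic."""
    findings = []
    per_pid_host = defaultdict(int)
    for r in rows:
        if r["proto"] != "TCP" or r["state"] != "ESTABLISHED" or r["rport"] is None:
            continue
        per_pid_host[(r["pid"], r["rhost"])] += 1
        if r["rport"] in IRC_PORTS:
            findings.append((r["pid"], f"IRC port {r['rhost']}:{r['rport']}"))
        elif r["rport"] not in EXPECTED_REMOTE_PORTS:
            findings.append((r["pid"], f"unusual remote port {r['rhost']}:{r['rport']}"))
    for (pid, host), n in per_pid_host.items():
        if n >= same_host_limit:
            findings.append((pid, f"{n} connections to {host}"))
    return findings


# Constructed `netstat -ano` output: one browser connection on 443 (fine),
# one process talking to an IRC port and to two odd ports on the same host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.20:49160     93.184.216.34:443      ESTABLISHED     2400
  TCP    192.168.1.20:49161     198.51.100.23:6667     ESTABLISHED     3316
  TCP    192.168.1.20:49162     203.0.113.5:8080       ESTABLISHED     3316
  TCP    192.168.1.20:49163     203.0.113.5:8081       ESTABLISHED     3316
  UDP    0.0.0.0:123            *:*                                    1088
"""

if __name__ == "__main__":
    for pid, reason in suspicious(parse_netstat(SAMPLE_NETSTAT), same_host_limit=2):
        print(f"PID {pid}: {reason}")
```

On a real machine, capture the output with `netstat -ano > netstat.txt` and feed the file's text to `parse_netstat`; every finding carries the PID, which Task Manager (or `tasklist /fi "PID eq 3316"`) maps to the executable. Bear in mind the limits of the check: a bot that talks HTTP to its controller on port 80 or 443, as Zeus does, will not trip the port rules, so unfamiliar processes holding connections are worth a look even when the port is an expected one.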


Finjan report “Your PC might be traded online– without you knowing about it!”

The security vendor Finjan has published a report on a botnet trading platform called "Golden Cash", where criminals buy and sell infected computers online. Prices vary with the location of the bots: the report gives examples of prices and demand, such as $500 for 1,000 infected computers in Australia. On the same platform, criminals can also place purchase orders for a specific size and region and wait for offers.

According to the report, to grow the botnets the Golden Cash server installs an FTP grabber that steals the credentials people use to maintain their websites, which gives the operators control over additional legitimate websites. Approximately 100,000 domains from around the world were among the stolen FTP credentials.

Finjan shared the technical analysis on their blog, and the full report is available as well.


Zombies an Increasing Concern

Computer zombies are out to get you. That may sound like a tagline from a bad B movie, but there's truth behind it. A "zombie" in the computer lexicon is a computer that has been taken over by a piece of malicious software planted by a hacker, typically for the purpose of secretly sending out unauthorized mass e-mail, or spam. That computer could be yours, and you could be totally in the dark about it.

According to a just-released study by computer security software company McAfee, cyber-criminals are having increasing success in commandeering the computers of others through the Internet in this way. McAfee has a vested interest in sounding the alarm: by doing so, it stands to sell more software. But it's a company that has been around since 1987 and has a good reputation.

In the U.S., fully 18 percent of personal computers have become zombies, which is nearly a 50 percent increase from the previous quarter, according to the McAfee Threats Report: First Quarter 2009.

From our side, remember that prevention is the best medicine. Make sure that Windows and your antivirus, firewall and other security software are up to date. Those precautions will reduce the chances of getting infected. Secure your stuff and keep working!

[Source: GovTech]


Guest blog: Canadian anti-spam laws take an important step forward

The Conservative government in Canada last week introduced the Electronic Commerce Protection Act to help cull sources of spam and other malicious activity from within Canadian borders.

Although it was introduced as "the Government of Canada protecting Canadians", those of us in the industry recognize that this is a global problem, and the amount of spam and other malicious stuff ending up on Canadians' computers will not likely be significantly impacted as a result.

Our latest threat report had Canadian sources of spam being only 1.1% of the global total, and of course most of that will be from compromised machines forming parts of a botnet.

However, I do think this is a positive step for Canada as a "good neighbour" in the global community. We have seen a lot of previously US-based spam operations move to Canada due to a lack of this type of legislation – hopefully those same people will find it more inconvenient to move further overseas and cease operations.

Another nice thing about this legislation is the specific prohibition on installation of non-desired software such as spyware, keyloggers, adware, etc., during commercial operations.

So, while this is an important step forward, ultimately the spam and malware problem requires a global response.

[Source: Sophos]


Conficker wakes up, updates via P2P, drops payload

[Image caption: This piece of computer code told the worm to activate on April 1, researchers found.]

The Conficker worm is finally doing something: updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday.

Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro.

The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.

The worm also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down on May 3, according to the TrendLabs Malware Blog.

Because infected computers are receiving the new component in a staggered manner rather than all at once there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.

[Source: CNET]
