Tag Archive for Botnet

Smartphone Botnet

Two researchers from TippingPoint’s Digital Vaccine Group duped thousands of iPhone and Android smartphone users into joining a mobile botnet by spreading a seemingly innocuous weather application. Kelly Jackson Higgins at DarkReading writes that Derek Brown and Daniel Tijerina created a smartphone application called WeatherFist. Over 8,000 users downloaded WeatherFist, which grabbed information from users, including their GPS co-ordinates and telephone numbers, before displaying local weather information.

The researchers chose not to distribute their application via the official iPhone and Android application stores; rather, they distributed the WeatherFist application via third-party app markets like Cydia, SlideME and Modmyi. The apps could only be installed on jailbroken iPhones or on Android devices where users had specifically given permission for non-approved applications to be run. “We wanted people to feel comfortable using the application and putting it on their phone so we would have permission to do a lot of things like pass GPS coordinates, write to the file system, and surf,” Brown told DarkReading.

At the 2010 RSA Security Conference the researchers claimed they also wrote a malicious version of their WeatherFist application, which they dubbed WeatherFistBadMonkey. According to the DarkReading report, the malicious app behaves more like traditional botnet code, stealing information and capable of distributing spam. “We could enable or disable system services [with a malicious app],” Brown says. The TippingPoint researchers told DarkReading they wanted to prove how an app could behave like much of the traditional Windows malware, which steals information and allows hackers to gain remote control of hijacked devices.

rb-

Smartphones are a part of today’s network, and Brown and Tijerina claim that the results of this research show a security hole in networks. Some of the ways to plug these new holes are to:

  1. Update policies for the proper use of smartphones
  2. Prohibit unsafe modifications of smartphones
  3. Allow apps only from reputable app stores
  4. Provide training on smartphone application usage
  5. Lock down the Wi-Fi network settings to keep smartphones from ‘phoning home’ any information that shouldn’t leave the firm.

SPAM Decline?

PC World chronicles how analysts at the California-based security company FireEye executed a plan to shut down the Mega-D botnet in early November 2009. At one point the Mega-D botnet reportedly accounted for 32 percent of all spam. In order to shut down this threat, Atif Mushtaq and two FireEye colleagues went after Mega-D’s command infrastructure.

According to the article, the botnet’s command infrastructure was its weak point. The Mega-D malware infesting PCs was directed from online command and control (C&C) servers throughout the world. If the bots could be separated from their controllers, the researchers found, the undirected bots would sit idle on the PCs, not delivering their spam. Mushtaq found that every Mega-D bot had been assigned a list of additional destinations to try if it couldn’t reach its primary command server, so taking down Mega-D would require a carefully coordinated attack.

To set up the coordinated attack, the FireEye team first contacted the Internet Service Providers (ISPs) that hosted Mega-D control servers. Mushtaq’s research showed that most of the Mega-D C&C servers were based in the United States, with one in Turkey and another in Israel. The FireEye team received cooperation from the US-based ISPs but not from the overseas ISPs. Mushtaq’s team took down the U.S.-based C&C servers.

Since the ISPs in Israel and Turkey refused to cooperate, PC World reports that Mushtaq and company contacted the domain-name registrars holding records for the domain names that Mega-D used for its control servers. The registrars collaborated with FireEye to point Mega-D’s existing domain names to nowhere. This cut off the botnet’s pool of domain names that bots would use to reach the Mega-D-affiliated C&C servers at the overseas ISPs.

As a last step, PC World says that FireEye and the registrars worked to claim spare domain names that Mega-D’s controllers listed in the bots’ programming and pointed them to “sinkholes” (servers FireEye had set up to sit quietly and log efforts by Mega-D bots to check in for orders). Using those logs, FireEye estimated that the botnet consisted of about 250,000 Mega-D-infected computers.
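The sinkhole step above is where the “about 250,000” estimate comes from: each bot that can no longer reach its controllers falls through its destination list and eventually polls a server the defenders operate. As an added illustration (not FireEye’s code and not from the PC World article), this Python script reduces a sinkhole’s access log to unique check-in addresses, per spare domain and per day. The log format, host names and addresses are assumed and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample sinkhole log (assumed format: <timestamp> <src_ip> <host> <method> <path>).
# Bots poll /cmd for orders; the /index.html hit is a stray browser, and one line is garbage.
SINKHOLE_LOG = """\
2009-11-06T00:00:01Z 203.0.113.10 spare1.example GET /cmd
2009-11-06T00:00:05Z 203.0.113.11 spare1.example GET /cmd
2009-11-06T00:00:09Z 198.51.100.7 spare2.example GET /cmd
2009-11-06T00:30:01Z 203.0.113.10 spare1.example GET /cmd
2009-11-06T01:00:02Z 203.0.113.10 spare2.example GET /cmd
2009-11-06T01:00:03Z 192.0.2.200 spare1.example GET /index.html
2009-11-07T00:00:04Z 203.0.113.10 spare1.example GET /cmd
malformed line here
"""

LINE_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+) (GET|POST) (\S+)$")

def parse_checkins(log_text, checkin_path="/cmd"):
    """Yield (timestamp, ip, host) for lines that look like a bot polling for orders."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip noise and malformed lines rather than crashing the run
        ts, ip, host, _method, path = m.groups()
        if path == checkin_path:
            yield ts, ip, host

def summarize(log_text):
    """Count check-ins, unique source addresses, and unique addresses per sinkholed domain."""
    bots, per_domain, checkins = set(), defaultdict(set), 0
    for _ts, ip, host in parse_checkins(log_text):
        checkins += 1
        bots.add(ip)
        per_domain[host].add(ip)
    return {
        "checkins": checkins,
        "unique_bots": len(bots),
        "per_domain": {h: len(ips) for h, ips in per_domain.items()},
    }

def unique_bots_per_day(log_text):
    """Unique addresses per UTC day: dynamic IPs inflate an all-time count, so a daily
    figure is the more defensible estimate of how many hosts are actually infected."""
    per_day = defaultdict(set)
    for ts, ip, _host in parse_checkins(log_text):
        per_day[ts[:10]].add(ip)
    return {day: len(ips) for day, ips in sorted(per_day.items())}
```

A bot that tries several spare domains (203.0.113.10 above) is counted once overall but once under each domain, so the per-domain figures do not sum to the total; NAT can likewise hide several infected hosts behind one address.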

MessageLabs reports that Mega-D had “consistently been in the top 10 spam bots” for the previous year. The botnet’s output fluctuated from day to day, but on November 1 Mega-D accounted for 11.8 percent of all spam that MessageLabs saw. Three days after FireEye’s action, Mega-D’s share of Internet spam fell to less than 0.1 percent, MessageLabs says.

Mushtaq recognizes that FireEye’s successful offensive against Mega-D was just one battle in the war on malware. The criminals behind Mega-D may try to revive their botnet, he says, or they may abandon it and create a new one. Meanwhile other botnets continue to thrive. “FireEye did have a major victory,” says Joe Stewart, director of malware research with SecureWorks, in the PC World article. “The question is, will it have a long-term impact?”

Mushtaq says that FireEye is sharing its method with domestic and international law enforcement, and he’s hopeful. Until that happens, “we’re definitely looking to do this again,” Mushtaq says. “We want to show the bad guys that we’re not sleeping.”

Rb-

The Daily Average SPAM Received (DASR) index reached an all-time low in December 2009. The DASR for December 2009 was 29.4. The trend had been on the decline since its all-time high of 77.5 in May 2008, but this seems different.

The impact of the FireEye operation seems longer lasting. The DASR stayed down through December and into the New Year. The month-to-date DASR index for January 2010 is a paltry 15.

Even after the McColo takedown in November 2008, the DASR never reached this low a level. Hopefully spammers have seen the error of their ways, repented and found something else to do, but more likely they have reloaded with new ammo as they exploit social networks, Adobe, IE and Google.

Bots Attacking Servers

Web servers, FTP servers, and even SSL servers are becoming prime targets for botnet operators, not as command and control servers, says Mikko Hypponen, chief research officer at F-Secure, in a recent DarkReading article, “but in some cases to execute high-powered spam runs.”

Botnet operators are going after certain types of servers specifically to harness their horsepower and bandwidth says Joe Stewart, director of malware research for SecureWorks. These bots are typically used as spamming engines: “The general purpose of these attacks is to send spam, either email spam or blog spamming,” Stewart told DarkReading. “The benefits are having a large amount of bandwidth available and enhanced processing capacity to maximize the amount of spam you can send out.”

Marc Maiffret, chief security architect at FireEye, says he expects trusted and legitimate websites will start to become the source of the majority of Web attacks in 2010. “I think that the focus there on servers is really again more to help more easily infect a larger number of desktops,” Maiffret says. “You can think of this SQL/Web-spread vector as the modernized version of what used to happen with email and such many years ago.”

“FTP servers are a hot commodity in the underground. They are regularly used by drive-by download malware as well as a downloading component for regular bots,” says Hypponen. Botnets often use stolen FTP credentials to break into other parts of the system, says Bill Ho, vice president of Internet products for Biscom. “FTP is being used to transfer bot code to other machines, servers, and users,” Ho says. “If the FTP server is not secured properly and an FTP site has access to other parts of the system with vulnerabilities, the attacker can install [malware] at that location and infect and compromise that server.” Paul French, vice president of products and solutions marketing for Axway, laments that “FTP is pretty ubiquitous … The reality is that FTP has been around long enough for people to know the risks associated with it. But sometimes convenience outweighs good IT security [practices].”

“Another thing we’ve noticed is the use of SSL servers. Sites with a valid SSL certificate get hacked and are used by drive-by-downloads,” according to Hypponen.

Why SSL servers? “If a drive-by download gets the malware file through an HTTPS connection, proxy and gateway scanners won’t be able to scan for the malware in transit, making it easier to sneak in,” Hypponen explains.

Botnet operators are using these networks of captured servers to expand their operations. The servers are used to host exploits, serve up drive-by downloads, and help them distribute more malware to the bot-infected PCs in the botnet, DarkReading concludes.


Size Doesn’t Matter for Botnets

DarkReading points out a new report, released on 09-29-09 by researchers at Symantec’s MessageLabs unit, which provides a detailed analysis of the size and output of current botnets. One of the report’s conclusions: size doesn’t always matter.

Rustock, for example, is still the largest of the botnets, with an estimated size of between 1.3 million and 1.9 million nodes. Cutwail is next in size, with an estimated 1 million to 1.5 million bots.

But neither of these two botnets is the largest proliferator of spam, according to Paul Wood, senior analyst at MessageLabs and one of the authors of the report. That title goes to a rapidly emerging botnet called Grum, which delivered an average of 39.9 billion spam messages per day last quarter, more than 23 percent of all the spam on the Internet.

“Despite the fact that it’s half the size of Rustock, Grum is generating much more spam,” Wood says. “It’s getting each bot to do a lot more work.”

Bobax, a botnet that has been around for more than two years, is also becoming more efficient, generating more than 27 billion messages per day and 15.2 percent of all Internet spam, the report says. That means each Bobax node generates more than 1,400 spam messages per minute.

Botnet operators have discovered that many ISPs don’t immediately recognize the huge output of individual bots because each bot’s performance is affected only on the upload, not on the download, Wood says. “Your computer might be a bot, but it might not affect your download performance very much,” he observes. “It’s only when users try to upload something and experience a performance problem that the ISP gets a complaint.”

As they become more sophisticated, botnet operators are finding ways to make their infrastructures more efficient, Wood says. A new botnet, Maazben, accounted for only 0.5 percent of Internet spam 30 days ago, but now is generating 4.5 percent — about 2.4 billion messages a day — at its peak. As with Bobax, each Maazben bot is highly productive, pushing out nearly 1,300 spam messages per minute.

No matter what their size or how efficiently they operate, botnets clearly are at the heart of the spam problem, MessageLabs says. According to the report, botnets generated an average of more than 150 billion messages per day last quarter — nearly 88 percent of all the spam on the Internet.

“The takedown of ISPs like McColo definitely helped, but it doesn’t solve the problem,” Wood says. “Already we see botnet operators spreading traffic across multiple ISPs, effectively giving themselves better backup than some enterprises have.”

Lessons From Botnet Demise

Brian Krebs on the Washington Post blog Security Fix profiled a case where a bot-herder killed 100,000 zombie clients in his botnet. The bot-herder invoked the “kill operating system” (kos) command built into the Zeus botnet crimeware. The kos command caused the infected PCs to Blue Screen of Death (BSOD). The Madrid-based security services firm S21sec reports that invoking the kos command only results in a blue screen and subsequent difficulty booting the OS. There appears to be no significant data loss, and neither the Trojan binaries nor the start-up registry entries are removed. In that post they examine what happens to an infected computer when it receives a Zeus kos command.

The Zeus crimeware was designed by the Russian A-Z to harvest financial and personal data from PCs through the use of a Trojan. UK computer security firm Prevx found the Zeus crimeware available for just $4,000. The fee includes a DIY “exe builder” which incorporates a kernel-level rootkit; according to Prevx, this means it can hide from even the most advanced home or corporate security software. RSA detailed the capabilities of the Zeus crimeware in 2008. Zeus also includes advanced “form injection capabilities” allowing it to modify web pages from legitimate sites as they are displayed on the user’s PC. For example, criminals can add an extra field or fields to a banking web site asking for credit card numbers, social security numbers, etc., making it look like the bank is asking you for this data after you have logged on and believe you are securely connected to your bank.

rb-

The reason for BSODing 100,000 machines isn’t quite clear, but several security experts have offered up their opinions, including S21sec and Zeustracker (currently down due to an apparent DDoS). What is clear are the implications of this action. Botnets and their related crimeware are dangerous for more and more reasons: they can steal massive amounts of personal data, they can launch denial-of-service attacks, and they can execute code. I agree with Krebs that one of the scarier realities about malicious software is that these programs leave ultimate control over victim machines in the hands of the attacker.

For the time being, it is still in the best interests of the attackers to leave the compromised systems in place to plunder more information. However, imagine the social chaos created if the 9 million PCs infected with Conficker, including hospitals from Utah to the UK, were under the control of Al-Qaeda or other similarly minded groups. These politically motivated attackers could order all of the infected machines to BSOD, creating computer-enhanced chaos. One of the forgotten lessons of 9-11 is that our technology can be hijacked and turned against us. This could be the opening into a new type of cyber warfare.
