Posts filed under 'Botnet'
April 29th, 2008 by Paul Ferguson (Advanced Threats Researcher)

While most of the cyber crime activities that we see being conducted on the Internet are driven by illicit financial incentives, there also appears to be a type of malicious activity driven by other motivations altogether – “Hacktivism”.
Hacktivism is best explained as a combination of “hacking” and “activism”, traditionally rooted in cultural and/or geopolitical unrest. As Wikipedia defines it, Hacktivism is “…the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends. These tools include web site defacements, redirects, denial-of-service attacks, information theft, web site parodies, virtual sit-ins, virtual sabotage, and software development.”
In fact, Hacktivist incidents stretch back over 20 years, but only in the past couple of years have they become more frequent, and more devastatingly malicious.
The most notable incidents of regional Hacktivism were the Distributed Denial of Service (DDoS) attacks against government and corporate websites in Estonia in 2007, which actually began a worldwide dialog on the real threat of “Cyber Attacks” and their impact on national infrastructure.
However, the latest victims of Hacktivism appear to be several U.S. websites in Eastern Europe belonging to Radio Free Europe/Radio Liberty. It was reported Monday that “…the attack, which started on April 26, initially targeted the website of RFE/RL’s Belarus Service, but quickly spread to other sites…”
According to a statement on the Radio Free Europe/Radio Liberty website, RFE/RL had been “…hit before by denial-of-service attacks, but this attack was unprecedented in its scale, as RFE/RL websites received up to 50,000 fake hits every second.”
While incidents of Hacktivism are not new, they are beginning to become a lot more frequent — perhaps due to the availability of tools to conduct hacktivist mischief, but also perhaps due to the ubiquitous social networking mechanisms which can now be used to build consensus when times of cultural or political unrest present the opportunity.
In any event, Hacktivism is becoming a disturbing trend, and one which can have serious ripple effects that interfere with Internet operational continuity — sometimes in ways which we may have not even thought of yet.
“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research
March 31st, 2008 by Robert McArdle (Threats Analyst)
We’ve spotted a new variant of a well-known threat cashing in on April Fool’s Day in the last few hours. Anyone want to hazard a guess as to what it is?
Wasn’t that hard of a question, I guess. The Storm gang is at it again.

Too lazy to actually create their own image to represent the holiday, the group simply Googled “April Fools” and used the first image that showed up. So far emails are being spammed out with the Subject Line “April Fool’s Day”, and the executables on the site are called foolsday.exe or funny.exe. However, if the gang’s past behavior is any indication, these file names will change several times over the next 48 hours to similarly themed names. They’ve already added Kickme.exe in the time it took me to type this.
Needless to say, Trend Micro customers are already being protected using our Web Threat Protection technology — blocking access to the sites themselves, preventing the user from any exposure to the threat. We are also adding detection proactively for the binary files themselves.
Overall I doubt that this incident will be remembered in the same way as other classics such as the value of pi being changed to 3.0 and the hotheaded naked ice borer, but this is definitely one prank you do not want to fall for.
Robert McArdle, Senior AntiVirus Specialist
March 27th, 2008 by Carolyn Guevarra (Technical Communications)
Virus Coordinator for Trend Micro Latin America Jose Lopez Tello recently discovered a very interesting malware attack that seems to be (at first blush) related to the previous Banamex phishing e-mails reported last January and earlier this month.
Similar to the past attacks, this malware aims to steal money by targeting customers of Banamex, the largest e-Bank in Mexico.
However, instead of using the DNS poisoning method of the past attacks, this malware uses a script to change the user’s DNS settings, and also installs a botnet client that connects to an IRC server at a U.S. hosting provider.
Based on Tello’s analysis, the infection chain is usually initiated by a fake greeting eCard that a user receives via email. This eCard contains a link, which when clicked downloads the malicious file Gusanito.exe.

Trend Micro detects this file as BKDR_VBBOT.AE. The difference between this new attack and the previous attacks is that, this time around, the malicious downloaded executable does not poison the user’s HOSTS file or the local router’s DNS table. Instead, it changes the DNS server setting on the affected user’s computer using the following simple script:
dns name= source=static addr=[IP address] register=PRIMARY
Thus, when the user attempts to access www.banamex.com, he is redirected to a phishing Web site (which is actually located at the same fake DNS server).
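A defender-side check for the footprint this leaves, added here as an example (not code from the original post or from Trend Micro): it parses the output of `netsh interface ip show dns` and flags any statically configured resolver that is not on an organisation's allow-list. The sample output and the trusted resolver addresses are constructed for the example, and the netsh output layout is approximated from memory.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of `netsh interface ip show dns` output
# (layout approximated; treat it as an assumption, not a captured dump).
SAMPLE_NETSH_OUTPUT = """\
Configuration for interface "Local Area Connection"
    Statically Configured DNS Servers:    198.51.100.23
    Register with which suffix:           Primary only

Configuration for interface "Wireless Network Connection"
    DNS servers configured through DHCP:  192.168.1.1
    Register with which suffix:           Primary only
"""

# Resolvers the organisation actually deploys (assumed values).
TRUSTED_RESOLVERS = {"192.168.1.1", "192.168.1.2"}


def parse_netsh_dns(output: str) -> Dict[str, List[dict]]:
    """Map each interface name to its resolver entries: {'addr', 'static'}."""
    interfaces: Dict[str, List[dict]] = {}
    current = None
    for line in output.splitlines():
        m = re.match(r'Configuration for interface "(.+)"', line)
        if m:
            current = m.group(1)
            interfaces[current] = []
            continue
        if current is None:
            continue
        m = re.match(r"\s*(Statically Configured DNS Servers|DNS servers configured through DHCP):\s*(\S+)", line)
        if m:
            interfaces[current].append({"addr": m.group(2), "static": m.group(1).startswith("Statically")})
            continue
        # Additional servers are listed on indented continuation lines.
        m = re.match(r"^\s+(\d+\.\d+\.\d+\.\d+)\s*$", line)
        if m and interfaces[current]:
            interfaces[current].append({"addr": m.group(1), "static": interfaces[current][-1]["static"]})
    return interfaces


def find_suspicious_dns(output: str, trusted=TRUSTED_RESOLVERS) -> List[str]:
    """Return 'interface -> address' for static resolvers outside the allow-list."""
    return [f"{iface} -> {e['addr']}"
            for iface, entries in parse_netsh_dns(output).items()
            for e in entries if e["static"] and e["addr"] not in trusted]


if __name__ == "__main__":
    for finding in find_suspicious_dns(SAMPLE_NETSH_OUTPUT):
        print("static DNS server outside allow-list:", finding)
```

On a live host, feed the real `netsh interface ip show dns` output into `find_suspicious_dns` instead of the constructed sample.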
The botnet client code (BKDR_VBBOT.AE) also opens an IRC connection to yet another, different US-based host and channel to wait for commands from its botmaster; those commands, in fact, instruct the bot to send more of the same bogus eCard greeting emails.

As of this writing, there are over 650 bots already connected to this botnet’s C&C (Command & Control) server, and they are most probably sending out tons of fake greeting eCards at this very moment. “In fact, you can see the entire list of emails that will be targeted,” says Tello.
The malicious link has already been submitted to Trend Micro Content Security team for processing and blocking. The appropriate law enforcement and content providers have also been alerted to this.
(Thanks to Paul Ferguson for additional technical background.)
-Update: March 29, 2008-
BKDR_VBBOT.AE was renamed to WORM_KELVIR.EI.
February 27th, 2008 by Macky Cruz (Technical Communications)
We have recently blogged about big botnet contender Mega-Dik, to remind people of the pervasiveness of botnets today (and that Storm is not the only force to reckon with in terms of illicitly-acquired distributed computing power).
It is thus with great cheer that we pick up this report from the Calgary Herald’s Ravensbergen. After observing the activities of the suspected hacking ring in an investigation stretching as far back as 2006, the Quebec police, headed by Capt. Frederick Gaudreau, were able to apprehend 17 people (aged 17 to 26) in raids conducted almost a week ago in 12 towns across the province.
By using remote-access software, these people (one of whom is a 19-year-old woman) were able to extend control to around a million computers in more than a hundred countries. Zombified computers were made to conduct various spamming and phishing activities on behalf of the bot masters. Victims of this gang were from Poland, Brazil, Mexico, Manitoba and the US, amongst others, and the estimated total damages to governments (which the police chose not to name as of this writing), businesses and homes was pegged by Gaudreau at $45M.
The suspects in these computer-related crimes enabled by the botnet are set to appear in court today to answer charges of illegally obtaining computer services (10 years maximum in jail), but more charges may follow after forensic analysis of hardware confiscated during the raids. The entire operation consumed a lot of manpower, as hundreds of Quebec police and Royal Canadian Mounted Police officers were said to have worked together to take this group down. In any case, this victory only goes to show the seriousness with which authorities across the world are taking crimes committed online.
Other news sites report this bust here and here.
February 11th, 2008 by David Sancho (Threats Analyst)
As we had already forecast last month, Storm is already sending its Valentine greetings this week. The owners of this powerful botnet are doing as much as possible to keep its size up. This includes spamming people with plain-text messages and making them click on malicious links. They may arrive looking like these two email messages:


This time around, the messages are of love.
The spammed messages contain a link that leads to malicious Web sites displaying one of eight cute Valentine images shown below.

As usual, if you run the executable named VALENTINE.EXE, your system will inevitably join the Storm botnet to start spamming other Internet users…not very loving of them, right? In any case, have a happy (and Storm-free) Valentine’s Day!
Update by Lordian Mosuela, Escalation Engineer:
Here are a couple of samples of how the images above appear inside the Web sites referred to by the spammed email messages:


Below is the source code of the Web page linked from the spammed email message in the first image. Unlike other NUWAR Web pages that use defanged HTML scripts, this new variant was rather straightforward. Users are able to see quite plainly that the image links to a file named VALENTINE.EXE.

Upon clicking the image in the Web page, the user is prompted to download the mentioned file.

There were no changes in this new NUWAR variant’s main P2P routine. The only difference is that the malware author created a new executable module that is capable of loading a kernel-mode driver which uses an anti-emulation technique, calling dummy APIs (Application Programming Interfaces), in order to bypass antivirus detection.
The executable is detected by Trend Micro as WORM_NUWAR.AR.
Additional images provided by Lalaine Gregorio of the Content Security Team