Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    April 2014
    S M T W T F S
    « Mar    
     12345
    6789101112
    13141516171819
    20212223242526
    27282930  
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Feike Hacquebord (Senior Threat Researcher)




    Last Monday, July 9, around 300,000 Internet users lost connectivity because they still had not removed their DNS Changer malware infection. Immediately after the take down of the DNS Changer network infrastructure of Rove Digital on November 8, 2011, the FBI set up clean DNS servers for infected victims. These servers were temporary solutions for the victims who had three months (which was later extended to six months) to clean their infected machines.

    Actually, a major blackout for hundreds of thousands of DNS Changer victims happened before: in fall 2008 when webhosting provider Atrivo went dark. Back then, Rove Digital had most of its computer servers running in the datacenter of Atrivo. In 2008, Atrivo’s going dark resulted in more than half of the rogue DNS servers going down for several days. So during those days, most DNS Changer victims could not use the Internet either.  However soon after, Pilosoft, a webhosting company in New York, came to rescue the criminal operation of Rove Digital. Most of the DNS Changer infrastructure moved to the Pilosoft datacenter. This is just one of the details of the Rove Digital takedown we described in our white paper, which can be downloaded here: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_rove_digital_takedown.pdf

    Some media outlets dubbed July 9, 2012 as Internet doomsday. July 9 has passed and it looks like that doomsday prediction did not come true, just like any other doomsday announced by mortals happens to be a non-event.

    However, let me point out that although doomsday did not have massive repercussions, this doesn’t say that there was no damage done.

    300,000 computers (others estimate it at about 500,000) going offline worldwide may not have any measurable effect, but loss of productivity and computer repair costs are real concerns. This might even translate to millions of dollars. Let me be clear, though: Rove Digital is responsible for this damage, not the FBI, nor any other party. Since the victims are spread all over the world, we do not expect to hear complaints. Moreover, a lot of the large ISPs in the US and Canada have carefully prepared for this Internet doomsday. Some of these ISPs have been very successful with cleaning up machines of infected customers, often with help of the DNS Changer Working Group (DCWG). Trend Micro is one of the first industry partners of DCWG, and the only AV vendor acting as a main contributor during the investigation period before the Rove Digital suspects were arrested in 2011. Later, companies like Google and Facebook joined. On a scale never seen before, both companies showed warning messages to their users who were infected with the DNS Changer malware.

    All the great work of DCWG helped to reduce the number of infections a lot, but the last 300,000 – 500,000 infected users somehow cannot be reached by Facebook, Google, and mainstream media around the world. This remains somewhat a mystery to me.

     
    Posted in Botnets, Malware | Comments Off



    …if there’s actual evidence, I have no doubt that law enforcement will act. However, I think this is highly unlikely.
    —Konstantin Poltev (spokesman of Esthost/Rove Digital), October 13, 2008

    In the past, some cybercriminals have been so brazen that they publicly declared chances they will ever be caught are slim. Today, however, it is time for them to think again. In 2011, historic steps were taken in the battle against cybercrime. Collaboration between law enforcement and the security industry led to important takedowns and arrests. Here are some of the highlights of 2011.

    Rustock

    On March 16, 2011, Microsoft took down the Rustock spam botnet. The simultaneous takedown of all of its command-and-control (C&C) servers led to the true death of the Rustock botnet. The Rustock zombies could not be resurrected because Microsoft made sure that all of the hard-coded domains Rustock used were no longer made available to bad actors. The gang behind the botnet was not arrested but Microsoft published advertisements in Russian newspapers offering a US$250,000 reward for anyone who gave information that led to the identification, arrest, and conviction of the minds behind Rustock. Microsoft’s lawyers used novel legal arguments to convince a federal court in Seattle that it had the right to seize the Rustock servers. This set an important legal precedent for future cases.

    Kelihos

    Taking down a large spam botnet has a huge impact on the spam volume and makes the Internet a safer place for everyone. However, some bad actors won’t stop committing crimes even if their botnet is taken down and even if bounty hunters are looking for them. Consider the case of the Kelihos spam botnet, believed to have been written by the same people responsible for Waledac, another botnet taken down in 2010.

    In September 2011, Microsoft once again convinced a federal judge to allow it to block all of the IP addresses and domains Kelihos’s C&C servers used without first informing the defendants. One of the defendants was explicitly named in the complaint—the owner of the cz.cc domain, one of the domains taken offline. This was a remarkable step as cz.cc was a so-called rogue second-level domain (SLD) name. The takedown of cz.cc meant that hundreds of thousands of subdomains, which were either illegitimately used or were used for Kelihos’s C&C servers, were taken offline. This sets an example for all other rogue SLDs to be more accountable for abuse incidents.

    CoreFlood

    CoreFlood was a botnet made up of hundreds of thousands of computers infected with a data-stealing Trojan. This particularly dangerous botnet was dismantled by the FBI in April 2011. The FBI took over its C&C servers and operated these until mid-June 2011. The FBI sent a stop command to the bots in the United States, causing the malware to exit. This was the first time the U.S. government took over the C&C infrastructure of a botnet and pushed a command to the bots so these became unreachable to the botmasters.

    Read the rest of this entry »

     



    On November 8, a long-living botnet of more than 4,000,000 bots was taken down by the FBI and Estonian police in cooperation with Trend Micro and a number of other industry partners.

    In this operation, dubbed “Operation Ghost Click” by the FBI, two data centers in New York City and Chicago were raided and a command & control (C&C) infrastructure consisting of more than 100 servers was taken offline. At the same time the Estonian police arrested several members in Tartu, Estonia. Here is the link to the press release of the FBI.

    The botnet consisted of infected computers whose Domain Name Server (DNS) settings were changed to point to foreign IP addresses. DNS servers resolve human readable domain names to IP addresses that are assigned to computer servers on the Internet. Most Internet users automatically use the DNS servers of their Internet Service Provider.

    DNS-changing Trojans silently modify computer settings to use foreign DNS servers. These DNS servers are set up by malicious third parties and translate certain domains to malicious IP addresses. As a result, victims are redirected to possibly malicious websites without detection.

    A variety of methods of monetizing the DNS Changer botnet is being used by criminals, including replacing advertisements on websites that are loaded by victims, hijacking of search results and pushing additional malware.

    Click for larger view Read the rest of this entry »

     



    In this blog post, we present concrete evidence that the recent compromise of Dutch certification authority DigiNotar was used to spy on Iranian Internet users on a large scale.

    We found that Internet users in more than 40 different networks of ISPs and universities in Iran were met with rogue SSL certificates issued by DigiNotar. Even worse, we found evidence that some Iranians who used software designed to circumvent traffic censorship and snooping were not protected against the massive man-in-the-middle attack.

    Rogue SSL Certificates for Man-in-the-Middle Attacks

    SSL certificates are used for secure Web sessions like Internet banking and Google’s Gmail. Certification authorities issue and check the authenticity of SSL certificates. In July 2011, hackers managed to create rogue SSL certificates for hundreds of domain names, including google.com and even the entire .com top-level domain by breaking into the systems of certification authority DigiNotar in the Netherlands. This is very dangerous, as these rogue SSL certificates can be used in man-in-the-middle attacks wherein encrypted secure Web traffic can be read by a third party.

    On August 29, 2011, the rogue Google.com SSL certificate issued by DigiNotar was discovered. This rogue certificate makes snooping on Gmail traffic possible in man-in-the-middle attacks. Trend Micro has concrete evidence that these man-in-the-middle attacks indeed happened in Iran on a large scale.

    Our evidence is based on data that the Trend Micro Smart Protection Network has collected over time. The Trend Micro Smart Protection Network constantly analyzes data from the feedback of millions of customers around the world, including what domain names are accessed from which parts at a particular time. This feedback data makes it possible to protect against newly seen attack vectors in the blink of an eye.

    Read the rest of this entry »

     



    The WikiLeaks main domain, Wikileaks.org, currently redirects to mirror.wikileaks.info. The latter site is hosted on IP address 92.241.190.202 registered to Heihachi Ltd. Heihachi Ltd. is known as a bulletproof, blackhat-hosting provider in Russia that is a safe haven for criminals and fraudsters. It hosts a long list of criminally related domains. Among these domains are banking fraud domains, carders’ (criminals who trade stolen credit card information) websites, malware sites, and phishing sites. No matter what your political view is, this is rather disturbing.

    We at Trend Micro are committed to protecting our customers against threats on the Internet. The Trend Micro™ Smart Protection Network™ automatically assigns a very low reputation score to domain name wikileaks.info not because of political controversy but because of actual facts about the bad neighborhood where this domain name is hosted. To give you an idea, here are some illustrious neighbors: paypal-securitycenter.com, carders.kz, idchecking.ir (phishing), and postbank-sicherung.com.

    We don’t know whether wikileaks.org has perhaps been compromised or whether WikiLeaks is knowingly getting services from a blackhat provider. Either way, we assess the wikileaks.info domain as highly risky and we do not recommend visiting this site as long as it is hosted by Heihachi Ltd.

     


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice