Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:


  • Recent Posts

  • Calendar

    April 2015
    S M T W T F S
    « Mar    
     1234
    567891011
    12131415161718
    19202122232425
    2627282930  
  • Email Subscription

  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Feike Hacquebord (Senior Threat Researcher)




    Hacktivism and crime is a toxic combination for the health of the Internet. This was shown once again in the recent DDOS attack against Spamhaus.org that peaked at 300 Gbit/s. Spamhaus is a non-profit anti-spam organization that helps to filter spam for millions of Internet users. When Spamhaus goes down a lot of inboxes will be flooded with spam.

    The DDOS attack was allegedly orchestrated by a Dutch webhosting company called Cyberbunker and CB3Rob. This webhosting company has roots in the hacker scene and has hosted Wikileaks and the Pirate Bay in the past. Cyberbunker claims to have a datacenter in a former NATO bunker in the Netherlands. It is not clear whether that is still true today, and what exact role Cyberbunker had in the DDOS attack against Spamhaus. The owner of Cyberbunker/CB3Rob does act as the spokesman of an attack that tries to blast a company away from the Internet as if that is a normal job. Here is where so called hacktivism on the Internet has derailed totally. The boundary between crime and hacktivism has been blurred. A reality check for Cyberbunker is in order.

    Spamhaus claims that Cyberbunker/CB3rob is among the worst webhosting companies in the world. We do see problems ourselves too, but we wouldn’t rate CB3Rob as the worst webhosting company. However, CB3Rob claims that it will host anything except things related to child abuse and terrorism. This may be inspired by an idealistic view that anybody should have an uncensored access to the Internet and inspired cybercriminals as well. This is where hacktivism meets crime – a toxic combination.

    A good illustration that crime corrupts hacktivsm is that the network of Cyberbunker has been used in a BGP hijack of an IP address of a DNS server of Spamhaus (https://greenhost.nl/2013/03/21/spam-not-spam-tracking-hijacked-spamhaus-ip/). The DNS servers of Spamhaus are a vital part of its antispam protection. The hijack was an attempt to inject lots of false positives into the spam reputation system of Spamhaus. Though this hijack did not cause a lot of damage as most networks did not accept the hostile BGP announcement, the intention was clear: someone using Cyberbunker/CB3Rob’s network tried to sabotage the spam reputation system of Spamhaus. It does not resemble hacktivism, but rather resembles crime.

    Read the rest of this entry »

     



    Trend Micro has been working and collaborating with law enforcement agencies such as Federal Bureau of Investigation and Office of the Inspector General (OIG) in taking down Rove Digital, an Estonia-based cybercriminal gang. Recently, Valeri Aleksejev, one of the members of Rove Digital pleaded guilty to charges of wire and computer intrusion in the District Court for the Southern District of New York in Manhattan last week.

    Aleksejev served as one of the programmers/coders for the Rove Digital operation. He is only the second person to be successfully extradited to the United States as part of the Rove Digital case. The remaining four suspects, including CEO Vladimir Tsastin, remain in Estonia pending extradition. All six were arrested in November 2011; one suspect remains at large. Sentencing for Aleksejev is expected to occur in May of this year.

    Trend Micro took part in the takedown of Rove Digital by providing information to the law enforcement regarding Rove Digital’s infrastructure. The said investigation and collaboration with industry partners and law authorities started in 2010.

    Rove Digital is known for its click-fraud activities and use of malware like DNS changer Trojans and FAKEAV to gain monetary profit to their victims. Based on our investigation, the perpetrators behind this used DNS Trojans to hijack search results, replacing ads on legitimate websites, and installing other malware. Another means for them to earn profit is installing FAKEAV to users systems. This bogus security software can even cost around $100. For more details on Trend Micro’s investigation on Rove Digital, read our paper, Operation Ghost Click: The Rove Digital Takedown.

     
    Posted in Botnets | Comments Off



    Last Monday, July 9, around 300,000 Internet users lost connectivity because they still had not removed their DNS Changer malware infection. Immediately after the take down of the DNS Changer network infrastructure of Rove Digital on November 8, 2011, the FBI set up clean DNS servers for infected victims. These servers were temporary solutions for the victims who had three months (which was later extended to six months) to clean their infected machines.

    Actually, a major blackout for hundreds of thousands of DNS Changer victims happened before: in fall 2008 when webhosting provider Atrivo went dark. Back then, Rove Digital had most of its computer servers running in the datacenter of Atrivo. In 2008, Atrivo’s going dark resulted in more than half of the rogue DNS servers going down for several days. So during those days, most DNS Changer victims could not use the Internet either.  However soon after, Pilosoft, a webhosting company in New York, came to rescue the criminal operation of Rove Digital. Most of the DNS Changer infrastructure moved to the Pilosoft datacenter. This is just one of the details of the Rove Digital takedown we described in our white paper, which can be downloaded here: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_rove_digital_takedown.pdf

    Some media outlets dubbed July 9, 2012 as Internet doomsday. July 9 has passed and it looks like that doomsday prediction did not come true, just like any other doomsday announced by mortals happens to be a non-event.

    However, let me point out that although doomsday did not have massive repercussions, this doesn’t say that there was no damage done.

    300,000 computers (others estimate it at about 500,000) going offline worldwide may not have any measurable effect, but loss of productivity and computer repair costs are real concerns. This might even translate to millions of dollars. Let me be clear, though: Rove Digital is responsible for this damage, not the FBI, nor any other party. Since the victims are spread all over the world, we do not expect to hear complaints. Moreover, a lot of the large ISPs in the US and Canada have carefully prepared for this Internet doomsday. Some of these ISPs have been very successful with cleaning up machines of infected customers, often with help of the DNS Changer Working Group (DCWG). Trend Micro is one of the first industry partners of DCWG, and the only AV vendor acting as a main contributor during the investigation period before the Rove Digital suspects were arrested in 2011. Later, companies like Google and Facebook joined. On a scale never seen before, both companies showed warning messages to their users who were infected with the DNS Changer malware.

    All the great work of DCWG helped to reduce the number of infections a lot, but the last 300,000 – 500,000 infected users somehow cannot be reached by Facebook, Google, and mainstream media around the world. This remains somewhat a mystery to me.

     
    Posted in Botnets, Malware | Comments Off



    …if there’s actual evidence, I have no doubt that law enforcement will act. However, I think this is highly unlikely.
    —Konstantin Poltev (spokesman of Esthost/Rove Digital), October 13, 2008

    In the past, some cybercriminals have been so brazen that they publicly declared chances they will ever be caught are slim. Today, however, it is time for them to think again. In 2011, historic steps were taken in the battle against cybercrime. Collaboration between law enforcement and the security industry led to important takedowns and arrests. Here are some of the highlights of 2011.

    Rustock

    On March 16, 2011, Microsoft took down the Rustock spam botnet. The simultaneous takedown of all of its command-and-control (C&C) servers led to the true death of the Rustock botnet. The Rustock zombies could not be resurrected because Microsoft made sure that all of the hard-coded domains Rustock used were no longer made available to bad actors. The gang behind the botnet was not arrested but Microsoft published advertisements in Russian newspapers offering a US$250,000 reward for anyone who gave information that led to the identification, arrest, and conviction of the minds behind Rustock. Microsoft’s lawyers used novel legal arguments to convince a federal court in Seattle that it had the right to seize the Rustock servers. This set an important legal precedent for future cases.

    Kelihos

    Taking down a large spam botnet has a huge impact on the spam volume and makes the Internet a safer place for everyone. However, some bad actors won’t stop committing crimes even if their botnet is taken down and even if bounty hunters are looking for them. Consider the case of the Kelihos spam botnet, believed to have been written by the same people responsible for Waledac, another botnet taken down in 2010.

    In September 2011, Microsoft once again convinced a federal judge to allow it to block all of the IP addresses and domains Kelihos’s C&C servers used without first informing the defendants. One of the defendants was explicitly named in the complaint—the owner of the cz.cc domain, one of the domains taken offline. This was a remarkable step as cz.cc was a so-called rogue second-level domain (SLD) name. The takedown of cz.cc meant that hundreds of thousands of subdomains, which were either illegitimately used or were used for Kelihos’s C&C servers, were taken offline. This sets an example for all other rogue SLDs to be more accountable for abuse incidents.

    CoreFlood

    CoreFlood was a botnet made up of hundreds of thousands of computers infected with a data-stealing Trojan. This particularly dangerous botnet was dismantled by the FBI in April 2011. The FBI took over its C&C servers and operated these until mid-June 2011. The FBI sent a stop command to the bots in the United States, causing the malware to exit. This was the first time the U.S. government took over the C&C infrastructure of a botnet and pushed a command to the bots so these became unreachable to the botmasters.

    Read the rest of this entry »

     



    On November 8, a long-living botnet of more than 4,000,000 bots was taken down by the FBI and Estonian police in cooperation with Trend Micro and a number of other industry partners.

    In this operation, dubbed “Operation Ghost Click” by the FBI, two data centers in New York City and Chicago were raided and a command & control (C&C) infrastructure consisting of more than 100 servers was taken offline. At the same time the Estonian police arrested several members in Tartu, Estonia. Here is the link to the press release of the FBI.

    The botnet consisted of infected computers whose Domain Name Server (DNS) settings were changed to point to foreign IP addresses. DNS servers resolve human readable domain names to IP addresses that are assigned to computer servers on the Internet. Most Internet users automatically use the DNS servers of their Internet Service Provider.

    DNS-changing Trojans silently modify computer settings to use foreign DNS servers. These DNS servers are set up by malicious third parties and translate certain domains to malicious IP addresses. As a result, victims are redirected to possibly malicious websites without detection.

    A variety of methods of monetizing the DNS Changer botnet is being used by criminals, including replacing advertisements on websites that are loaded by victims, hijacking of search results and pushing additional malware.

    Click for larger view Read the rest of this entry »

     


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice