An anonymous reader writes "A team of researchers at the TU Berlin and RWTH Aachen presented an analysis of the Internet Census 2012 data set (here's the PDF) in the July edition of the ACM Sigcomm Computer Communication Review journal. After its release on March 17, 2013 by an anonymous author, the Internet Census data created an immediate media buzz, mainly due to its unethical data collection methodology that exploited default passwords to form the Carna botnet. The now published analysis suggests that the released data set is authentic and not faked, but also reveals a rather chaotic picture. The Census suffers from a number of methodological flaws and also lacks meta-data information, which renders the data unusable for many further analyses. As a result, the researchers have not been able to verify several claims that the anonymous author(s) made in the published Internet Census report. The researchers also point to similar but legal efforts measuring the Internet and remark that the illegally measured Internet Census 2012 is not only unethical but might have been overrated by the press."
Follow Slashdot stories on Twitter
An anonymous reader writes Bitdefender has discovered that a new variant of the Trojan component, Pushdo, has emerged. 77 machines have been infected in the UK via the botnet in the past 24 hours, with more than 11,000 infections reported worldwide in the same period. The countries most affected so far by the Pushdo variant are India, Vietnam and Turkey. Since Pushdo has resurfaced, the public and private keys used to protect the communication between the bots and the Command and Control Servers have been changed, but the communication protocol remains the same.
msm1267 (2804139) writes "The source code for Tinba, known as the smallest banker Trojan in circulation, has been posted on an underground forum. Researchers say that the files turned out to be the source code for version one of Tinba, which was identified in 2012, and is the original, privately sold version of the crimeware kit. Tinba performs many of the same malicious functions as other banker Trojans, injecting itself into running processes on an infected machine, including the browser and explorer.exe. The malware is designed to steal financial information, including banking credentials and credit-card data and also makes each infected computer part of a botnet. Compromised machines communicate with command-and-control servers over encrypted channels. Tinba got its name from an abbreviation of "tiny banker," and researchers say that it's only about 20 KB in size."
New submitter tylke (621801) writes: "Brian Krebs is reporting that the Gameover ZeuS botnet recently taken down by the U.S. Justice Department in June has re-emerged. The new variant of the Trojan is "stripped of the P2P code, and relies instead on an approach known as fast-flux hosting," a kind of round-robin technique that lets botnets hide phishing and malware delivery sites behind a network of compromised systems. Krebs says, "[T]his variant also includes a 'domain name generation algorithm' or DGA, which is a failsafe mechanism that can be invoked if the botnet’s normal communications system fails. The DGA creates a constantly-changing list of domain names each week (gibberish domains that are essentially long jumbles of letters). In the event that systems infected with the malware can’t reach the fast-flux servers for new updates, the code instructs the botted systems to seek out active domains from the list specified in the DGA. All the botmasters need to do in this case to regain control over his crime machine is register just one of those domains and place the update instructions there." (Disclosure: I work for Malcovery Security, the company credited with identifying the new variant.)
chicksdaddy writes: When it comes to fighting cybercrime, few companies can claim to have done as much as Redmond, Washington-based Microsoft, which spent the last five years as the Internet's Dirty Harry: using its size, legal muscle and wealth to single-handedly take down cyber criminal networks from Citadel, to Zeus to the recent seizure of servers belonging to the (shady) managed DNS provider NO-IP. The company's aggressive posture towards cyber crime outfits and the companies that enable them has earned it praise, but also criticism. That was the case last week after legitimate customers of NO-IP alleged that Microsoft's unilateral action had disrupted their business. There's evidence that those criticisms are hitting home – and that Microsoft may be growing weary of its role as judge, jury and executioner of online scams. Microsoft Senior Program Manager Holly Stewart gave a sober assessment of the software industry's fight against cyber criminal groups and other malicious actors. Speaking to a gathering of cyber security experts and investigators at the 26th annual FIRST Conference in Boston, she said that the company has doubts about the long term effectiveness of its botnet and malware takedowns.
tsu doh nimh (609154) writes "The U.S. Justice Department announced today an international law enforcement operation to seize control over the Gameover ZeuS botnet, a sprawling network of hacked Microsoft Windows computers that currently infects an estimated 500,000 to 1 million compromised systems globally. Experts say PCs infected with Gameover are being harvested for sensitive financial and personal data, and that the botnet is responsible for more than $100 million in losses from online banking account takeovers. The government alleges that Gameover also was rented out to an elite cadre of hackers for use in online extortion attacks, spam and other illicit moneymaking schemes. In a complaint unsealed today, the DOJ further alleges that ZeuS and Gameover are the brainchild of a Russian man named Evgeniy Mikhailovich Bogachev, a.k.a. 'Slavik.'"
An anonymous reader writes "Brian Krebs has a followup to this week's 400 Gbps DDoS attack using NTP amplification. Krebs, as a computer security writer, has often been the target of DDoS attacks. He was also hit by a 200Gbps attack this week (apparently, from a 15-year-old in Illinois). That kind of volume would have been record-breaking only a couple of years ago, but now it's just normal. Arbor Networks says we've entered the 'hockey stick' era of DDoS attacks, as a graph of attack volume spikes sharply over the past year. CloudFlare's CEO wrote, 'Monday's DDoS proved these attacks aren't just theoretical. To generate approximately 400Gbps of traffic, the attacker used 4,529 NTP servers running on 1,298 different networks. On average, each of these servers sent 87Mbps of traffic to the intended victim on CloudFlare's network. Remarkably, it is possible that the attacker used only a single server running on a network that allowed source IP address spoofing to initiate the requests. An attacker with a 1 Gbps connection can theoretically generate more than 200Gbps of DDoS traffic.' In a statement to Krebs, he added, 'We have an attack of over 100 Gbps almost every hour of every day.'"
Slashdot contributor Bennett Haselton writes: "A California company called Shape Security claims that their network box can disable malware attacks, by using polymorphism to rewrite webpages before they are sent to the user's browser. Most programmers will immediately spot several ways that the system can be defeated, but it may still slow attackers down or divert them towards other targets." Read on for the rest of Bennett's thoughts.
An anonymous reader writes "Microsoft remotely deleted old versions of Tor anonymizing software from Windows machines to prevent them from being exploited by Sefnit, a botnet that spread through the Tor network. It's unclear how many machines were affected, but the total number of computers on the Tor network ballooned from 1 million to 5.5 million as Sefnit spread. 'By October, the Tor network had dropped two million users thanks to Sefnit clients that had been axed. No one, not even the Tor developers themselves, knew how Microsoft had gone on a silent offensive against such a big opponent and won a decisive battle,' the Daily Dot reported. In a blog post, Microsoft claimed it views Tor as a 'good application,' but leaving it installed presented a severe threat to the infected machines."
wiredmikey writes "A mobile botnet called MisoSMS is wreaking havoc on the Android platform, stealing personal SMS messages and exfiltrating them to attackers in China. Researchers at FireEye lifted the curtain off the threat on Monday, describing MisoSMS as 'one of the largest advanced mobile botnets to date' and warning that it is being used in more than 60 spyware campaigns. FireEye tracked the infections to Android devices in Korea and noted that the attackers are logging into command-and-controls in from Korea and mainland China, among other locations, to periodically read the stolen SMS messages. FireEye's research team discovered a total of 64 mobile botnet campaigns in the MisoSMS malware family and a command-and-control that comprises more than 450 unique malicious e-mail accounts."
tsu doh nimh writes "Authorities in Europe joined Microsoft Corp. this week in disrupting 'ZeroAccess,' a vast botnet that has enslaved more than two million PCs with malicious software in an elaborate and lucrative scheme to defraud online advertisers. KrebsOnSecurity.com writes that it remains unclear how much this coordinated action will impact the operations of ZeroAccess over the long term, but for now the PCs infected with the malware remain infected and awaiting new instructions. ZeroAccess employs a peer-to-peer architecture in which new instructions and payloads are distributed from one infected host to another. The actions this week appear to have targeted the servers that deliver a specific component of ZeroAccess that gives infected systems new instructions on how to defraud various online advertisers, including Microsoft. While this effort will not disable the ZeroAccess botnet (the infected systems will likely remain infected), it should allow Microsoft to determine which online affiliates and publishers are associated with the miscreants behind ZeroAccess, since those publishers will have stopped sending traffic directly after the takedown occurred. Europol has a released a statement on this action, and Microsoft has published a large number of documents related to its John Doe lawsuits intended to unmask the botnet the ZeroAccess operators and shut down the botnet."
Ocean Consulting writes "CNN is reporting that over two million passwords from web service companies such as Google, Facebook, Twitter and Yahoo have been captured via a key logging virus. The story is based on information released by security firm Trustwave. The report critiques how bad people are at making secure passwords, but does mention the use of Pony Botnet Controller."
CowboyRobot writes "The incentives are high for many businesses and government agencies to not be too heavy handed in combating the global botnet pandemic. There's money to be had and, with each passing day, more interesting ways are being uncovered in how to package the data, and how to employ it. It used to be that the worlds of bug hunters and malware analysts were separate and far between. In the last couple of years the ability to analyze malware samples and identify exploitable vulnerabilities in them has become very important. Given that some botnets have a bigger pool of victims than many commercial software vendors have licensed customers, the value of an exploit that grants reliable remote control of a popular malware agent is rising in value. In many ways, botnets have become a golden goose to those charged with gathering intelligence on the populations of foreign entities. The bulk of the victim's data is useful for mapping populations, communication profiles, and as egress points for counter intelligence exercises. Then, given how many botnet victims there are, the probability that a few 'interesting' computers will have succumbed along the way is similarly high — providing direct insight in to a pool of high value targets."
An anonymous reader points out The Register's report that Wi-Fi security expert Cédric 'Sid' Blancher has died as the result of a skydiving accident. "Among other things, the 37-year-old Blancher was a sought-after speaker on WiFi security, and in 2005 published a Python-based WiFi traffic injection tool called Wifitap. In 2006, while working for the EADS Corporate Research centre, he also put together a paper on how to exploit Skype to act as a botnet." Some of Blancher's skydiving videos are posted to Vimeo; clearly, it's something he was passionate about.
Daniel_Stuckey writes "Check out the Digital Attack Map. It was produced in a collaborative effort by Google Ideas and Arbor Networks to raise awareness about distributed denial of service attacks. You know, those malicious digital attempts to choke, or shutdown websites by sending them volumes of traffic far too large for them to handle. The map 'surfaces anonymous attack traffic data to let users explore historic trends and find reports of outages happening on a given day,' as its about page explains. Created using attack data from Arbor's 'ATLAS® global threat intelligence system,' this is the D.A.R.E. of DDoS — it's about the danger of having information streams cut off. Under the heading 'DDoS Attacks Matter,' Google and Arbor explain that 'sites covering elections are brought down to influence their outcome, media sites are attacked to censor stories, and businesses are taken offline by competitors looking for a leg up.'" This comes alongside Google's announcement of Project Shield, the company's homegrown DDoS mitigation service.
badger.foo writes "Against ridiculous odds and even after gaining some media focus, the botnet dubbed The Hail Mary Cloud apparently succeeded in staying under the radar and kept compromising Linux machines for several years. This article sums up the known facts about the botnet and suggests some practical measures to keep your servers safe."
judgecorp writes "A sinkhole has taken a quarter of the bots out of the ZeroAcess botnet which was making money for its operators through click fraud and Bitcoin mining. This particular Bitcoin mining operation was only profitable through the use of stolen electricity — according to Symantec, which operated the sinkhole, ZeroAccess was using $561,000 of electricity a day on infected PCs, to generate about $2000 worth of Bitcoin."
gewalker writes "Have we reached the point where it is time to admit that the ID thieves are winning and will continue to win as long as their incentives are sufficient to make it lucrative for them? According to Krebs On Security an analysis of a database pilfered from commercial identity thieves identified breaches in 25 data brokers including the heavyweights Dun and Bradstreet and LexisNexis." And they had access for months to most of them. From the article: The botnet’s online dashboard for the LexisNexis systems shows that a tiny unauthorized program called nbc.exe was placed on the servers as far back as April 10, 2013, suggesting the intruders have had access to the company’s internal networks for at least the past five months. The program was designed to open an encrypted channel of communications from within LexisNexis’s internal systems to the botnet controller on the public Internet." The companies compromised aggregated data for things like "credit decisions, business-to-business marketing and supply chain management. ... employment background, drug and health screening."
hypnosec writes "A cyber defense and IT security company has claimed that the reason behind recent surge in number of clients connecting to Tor is in fact a relatively unknown botnet and not NSA or genuine adoption of Tor. In late August there was a huge increase in Tor network traffic and number of clients connecting to the Tor network. As of this writing number of connections has quadrupled with over 2,500,000 clients connecting to the network. According to Fox-it, the surge in traffic is because of a botnet dubbed 'Mevade.A,' which is known to have Tor connectivity features. The company noted that the botnet may have links to a previously detected botnet dubbed 'Sefnit,' which also featured Tor connectivity. Fox-it claimed that they have found "references that the malware is internally known as SBC to its operators.""
An anonymous reader sends this news from the Washington Post: "U.S. intelligence services carried out 231 offensive cyber-operations in 2011, the leading edge of a clandestine campaign that embraces the Internet as a theater of spying, sabotage and war, according to top-secret documents [from Edward Snowden]. Additionally, under an extensive effort code-named GENIE, U.S. computer specialists break into foreign networks so that they can be put under surreptitious U.S. control. Budget documents say the $652 million project has placed 'covert implants,' sophisticated malware transmitted from far away, in computers, routers and firewalls on tens of thousands of machines every year, with plans to expand those numbers into the millions. ... The implants that [an NSA group called Tailored Access Operations (TAO)] creates are intended to persist through software and equipment upgrades, to copy stored data, 'harvest' communications and tunnel into other connected networks. This year TAO is working on implants that “can identify select voice conversations of interest within a target network and exfiltrate select cuts,” or excerpts, according to one budget document. In some cases, a single compromised device opens the door to hundreds or thousands of others."