Posts Tagged ‘Botnet’

Popular download management program has hidden DDoS component, researchers say

Friday, August 23rd, 2013

Recent versions of Orbit Downloader, a popular Windows program for downloading embedded media content and other types of files from websites, turn computers into bots and use them to launch distributed denial-of-service (DDoS) attacks, according to security researchers.

Starting with version released in December, the Orbit Downloader program silently downloads and uses a DLL (Dynamic Link Library) component that has DDoS functionality, malware researchers from antivirus vendor ESET said Wednesday in a blog post.

The rogue component is downloaded from a location on the program’s official website, the ESET researchers said. An encrypted configuration file containing a list of websites and IP (Internet Protocol) addresses to serve as targets for attacks is downloaded from the same site, they said.

Orbit Downloader has been developed since at least 2006 and judging by download statistics from software distribution sites like CNET’s and it is, or used to be, a popular program.

Orbit Downloader was downloaded almost 36 million times from to date and around 12,500 times last week. Its latest version is and was released in May.

In a review of the program, a CNET editor noted that it installs additional “junk programs” and suggested alternatives to users who need a dedicated download management application.

When they discovered the DDoS component, the ESET researchers were actually investigating the “junk programs” installed by Orbit Downloader in order to determine if the program should be flagged as a “potentially unwanted application,” known in the industry as PUA.

“The developer [of Orbit Downloader], Innoshock, generates its revenue from bundled offers, such as OpenCandy, which is used to install third-party software as well as to display advertisements,” the researchers said, noting that such advertising arrangements are normal behavior for free programs these days.

“What is unusual, though, is to see a popular utility containing additional code for performing Denial of Service (DoS) attacks,” they said.

The rogue Orbit Downloader DDoS component is now detected by ESET products as a Trojan program called Win32/DDoS.Orbiter.A. It is capable of launching several types of attacks, the researchers said.

First, it checks if a utility called WinPcap is installed on the computer. This is a legitimate third-party utility that provides low-level network functionality, including sending and capturing network packets. It is not bundled with Orbit Downloader, but can be installed on computers by other applications that need it.

If WinPcap is installed, Orbit’s DDoS component uses the tool to send TCP SYN packets on port 80 (HTTP) to the IP addresses specified in its configuration file. “This kind of attack is known as a SYN flood,” the ESET researchers said.

If WinPcap is not present, the rogue component directly sends HTTP connection requests on port 80 to the targeted machines, as well as UDP packets on port 53 (DNS).

The attacks also use IP spoofing: the source addresses of the requests fall within IP address ranges that are hardcoded in the DLL file.

“On a test computer in our lab with a gigabit Ethernet port, HTTP connection requests were sent at a rate of about 140,000 packets per second, with falsified source addresses largely appearing to come from IP ranges allocated to Vietnam,” the ESET researchers said.
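The two behaviours ESET describes above leave a recognisable footprint on the local network: a single host emitting hundreds of thousands of SYN-only packets to port 80 (and UDP packets to port 53) at one target, with source addresses that do not belong to the site's own prefix. The following is an added example, not ESET's or Innoshock's code, of how a network engineer might check exported packet summaries for both signals. The `LOCAL_PREFIX`, the thresholds and the packet records are constructed for the example.

```python
"""Added example: flag a LAN host behaving like the Orbit DDoS component.

Two signals from the article are checked: SYN-only traffic to tcp/80 (and UDP
to udp/53) aimed at one target from many sources, and source addresses that
fall outside the local prefix (egress spoofing). Records are constructed.
"""
import ipaddress
from collections import Counter, defaultdict

# Assumed site prefix: any packet leaving the LAN should carry a source inside it.
LOCAL_PREFIX = ipaddress.ip_network("192.0.2.0/24")

# Constructed packet summaries: (src_ip, dst_ip, proto, dst_port, tcp_flags).
# tcp_flags uses tcpdump letters: "S" = SYN only, "A" = ACK; UDP carries "".
SAMPLE_PACKETS = (
    # A normal TLS handshake from a local host
    [("192.0.2.10", "198.51.100.5", "tcp", 443, "S"),
     ("192.0.2.10", "198.51.100.5", "tcp", 443, "A")]
    # SYN flood: 600 SYNs to port 80, sources cycling through a foreign /24
    + [("203.0.113.%d" % (i % 250 + 1), "198.51.100.7", "tcp", 80, "S")
       for i in range(600)]
    # DNS-port flood sent from the host's real address (no WinPcap, no spoofing)
    + [("192.0.2.10", "198.51.100.7", "udp", 53, "") for _ in range(300)]
)


def analyse(packets, local_prefix=LOCAL_PREFIX, threshold=200):
    """Return egress-spoofing and flood findings for a batch of packet records.

    A finding is (kind, target, packet_count, distinct_sources); the source
    count distinguishes a spoofed flood (many sources) from one real sender.
    """
    spoofed_packets = 0
    spoofed_sources = set()
    counts = Counter()            # (kind, target) -> packets
    sources = defaultdict(set)    # (kind, target) -> distinct source addresses

    for src, dst, proto, dport, flags in packets:
        if ipaddress.ip_address(src) not in local_prefix:
            spoofed_packets += 1
            spoofed_sources.add(src)
        kind = None
        if proto == "tcp" and dport == 80 and flags == "S":
            kind = "syn_flood"
        elif proto == "udp" and dport == 53:
            kind = "udp53_flood"
        if kind is not None:
            counts[(kind, dst)] += 1
            sources[(kind, dst)].add(src)

    findings = sorted(
        (kind, dst, n, len(sources[(kind, dst)]))
        for (kind, dst), n in counts.items()
        if n >= threshold
    )
    return {
        "spoofed_source_packets": spoofed_packets,
        "distinct_spoofed_sources": len(spoofed_sources),
        "findings": findings,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_PACKETS))
```

The spoofing check is the same rule an egress filter on the site router would enforce; if the router already drops packets whose source is outside the local prefix, the SYN-flood branch of the component is blunted before it reaches the Internet, while the unspoofed UDP branch still consumes the user's uplink.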

After adding a detection signature for the DLL component, the ESET researchers also identified an older file called orbitnet.exe that had almost the same functionality as the DLL file, but downloaded its configuration from a different website, not

This suggests that Orbit Downloader might have had DDoS functionality since before version The orbitnet.exe file is not bundled with any older Orbit Downloader installers, but it might have been downloaded post-installation, like the DLL component.

This is a possibility, but it can’t be demonstrated with certainty, Peter Kosinar, a technical fellow at ESET who was involved in the investigation, said Thursday. It might also be distributed through other means, he said.

Adding to the confusion is that an older version of orbitnet.exe than the one found by ESET is distributed with Orbit Downloader The reason for this is unclear since Orbit Downloader also downloads and uses the DLL DDoS component. However, it indicates a clear relationship between orbitnet.exe and Orbit Downloader.

The fact that a popular program like Orbit Downloader is used as a DDoS tool creates problems not only for the websites that it’s used to attack, but also for the users whose computers are being abused.

According to Kosinar, there is no rate limit implemented for the packets sent by the DDoS component. This means that launching these attacks can easily consume the user’s Internet connection bandwidth, affecting the user’s ability to access the Internet through other programs.

Users who install Orbit Downloader expect the program to streamline their downloads and increase their speed, but it turns out that the application has the opposite effect.

Orbit Downloader is developed by a group called Innoshock, but it’s not clear if this is a company or just a team of developers. Attempts to contact Innoshock for comment Thursday via two Gmail addresses listed on its website and the Orbit Downloader site, as well as via Twitter, remained unanswered.

The program’s users also seem to have noticed its DDoS behavior judging by comments left on and the Orbit Downloader support forum.

“Orbit Downloader version is generating a very high amount of DDoS traffic,” a user named raj_21er said on the support forum on June 12. “The DDoS flooding is so huge that it just hangs the gateway devices/network switches completely and breaks down the entire network operation.”

“I was using Orbit Downloader for the past one week on my desktop when I suddenly noticed that the internet access was pretty much dead in the last 2 days,” another user named Orbit_User_5500 said. Turning off the desktop system restored Internet access to the other network computers and devices, he said.

Since adding detection of this DDoS component, ESET received tens of thousands of detection reports per week from deployments of its antivirus products, Kosinar said.


FBI, Microsoft takedown program blunts most Citadel botnets

Friday, July 26th, 2013

Microsoft estimates that 88% of botnets running the Citadel financial malware were disrupted as a result of a takedown operation launched by the company in collaboration with the FBI and partners in technology and financial services. The operation was originally announced on June 5.

Since then, almost 40% of Citadel-infected computers that were part of the targeted botnets have been cleaned, Richard Domingues Boscovich, an assistant general counsel with Microsoft’s Digital Crimes Unit, said Thursday in a blog post.

Microsoft did not immediately respond to an inquiry seeking information about how those computers were cleaned and the number of computers that remain infected with the malware.

However, Boscovich said in a different blog post on June 21 that Microsoft observed almost 1.3 million unique IP addresses connecting to a “sinkhole” system put in place by the company to replace the Citadel command-and-control servers used by attackers.

After analyzing unique IP addresses and user-agent information sent by botnet clients when connecting to the sinkhole servers, the company estimated that more than 1.9 million computers were part of the targeted botnets, Boscovich said at the time, noting that multiple computers can connect through a single IP address.
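The estimate described above rests on a simple observation: a sinkhole sees one source address per NAT gateway, so distinct IPs undercount the machines behind it, while distinct (IP, User-Agent) pairs give a better lower bound. The following is an added example, not Microsoft's code, of that analysis run over constructed combined-format log lines as a sinkhole HTTP server might write them; the URL path and the addresses are made up.

```python
"""Added example: estimate the bot population behind a sinkhole from its logs.

Distinct client IPs undercount bots behind NAT; distinct (IP, User-Agent)
pairs are a tighter lower bound. Log lines are constructed for the example.
"""
import re
from collections import defaultdict

# Constructed combined-log-format lines from a hypothetical sinkhole.
SAMPLE_LOG = """\
203.0.113.4 - - [21/Jul/2013:10:00:01 +0000] "POST /cit/file.php HTTP/1.1" 200 64 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
203.0.113.4 - - [21/Jul/2013:10:00:03 +0000] "POST /cit/file.php HTTP/1.1" 200 64 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.4 - - [21/Jul/2013:10:00:09 +0000] "POST /cit/file.php HTTP/1.1" 200 64 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/5.0)"
203.0.113.4 - - [21/Jul/2013:10:05:01 +0000] "POST /cit/file.php HTTP/1.1" 200 64 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
198.51.100.23 - - [21/Jul/2013:10:00:02 +0000] "POST /cit/file.php HTTP/1.1" 200 64 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
198.51.100.23 - - [21/Jul/2013:10:05:02 +0000] "POST /cit/file.php HTTP/1.1" 200 64 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
203.0.113.6 - - [21/Jul/2013:10:00:05 +0000] "POST /cit/file.php HTTP/1.1" 200 64 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.6 - - [21/Jul/2013:10:00:07 +0000] "POST /cit/file.php HTTP/1.1" 200 64 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/5.0)"
192.0.2.77 - - [21/Jul/2013:10:01:00 +0000] "POST /cit/file.php HTTP/1.1" 200 64 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
"""

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def estimate(log_text):
    """Return check-in count, distinct IPs, distinct (IP, UA) pairs and NAT suspects."""
    uas_by_ip = defaultdict(set)
    checkins = 0
    for rec in parse(log_text):
        uas_by_ip[rec["ip"]].add(rec["ua"])
        checkins += 1
    pairs = sum(len(uas) for uas in uas_by_ip.values())
    nat_suspects = sorted(ip for ip, uas in uas_by_ip.items() if len(uas) > 1)
    return {
        "checkins": checkins,
        "unique_ips": len(uas_by_ip),
        "ip_ua_pairs": pairs,          # lower bound on infected machines
        "likely_nat_ips": nat_suspects,
    }


if __name__ == "__main__":
    print(estimate(SAMPLE_LOG))
```

The pair count is still a lower bound: two machines behind the same gateway running the same browser build collapse into one pair, and a single machine whose address changes (DHCP, mobile) is counted more than once. That is why Microsoft's 1.9 million figure is an estimate rather than a census.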

He also said that Microsoft was working with other researchers and anti-malware organizations like the Shadowserver Foundation in order to support victim notification and remediation.

The Shadowserver Foundation is an organization that works with ISPs, as well as hosting and Domain Name System (DNS) providers to identify and mitigate botnet threats.

According to statistics released Thursday by Boscovich, the countries with the highest number of IP addresses corresponding to Citadel infections between June 2 and July 21 were: Germany with 15% of the total, Thailand with 13%, Italy with 10%, India with 9% and Australia and Poland with 6% each. Five percent of Citadel-infected IP addresses were located in the U.S.

Boscovich praised the collaboration between public and private sector organizations to disrupt the Citadel botnet.

“By combining our collective expertise and taking coordinated steps to dismantle the botnets, we have been able to significantly diminish Citadel’s operation, rescue victims from the threat, and make it more costly for the cybercriminals to continue doing business,” he said Thursday in the blog post.

However, not everyone in the security research community was happy with how the takedown effort was implemented.

Shortly after the takedown, a security researcher who runs the botnet tracking services estimated that around 1,000 of approximately 4,000 Citadel-related domain names seized by Microsoft during the operation were already under the control of security researchers who were using them to monitor and gather information about the botnets.

Furthermore, he criticized Microsoft for sending configuration files to Citadel-infected computers that were connecting to its sinkhole servers, saying that this action implicitly modifies settings on those computers without their owners’ consent. “In most countries, this is violating local law,” he said in a blog post on June 7.

“Citadel blocked its victims’ ability to access many legitimate anti-virus and anti-malware sites in order to prevent them from being able to remove the malware from their computer,” Boscovich said on June 11 in an emailed statement. “In order for victims to clean their computers, the court order from the U.S. District Court for the Western District of North Carolina allowed Microsoft to unblock these sites when computers from around the world checked into the command and control structure for Citadel which is hosted in the U.S.”


Microsoft plugs security systems into its worldwide cloud

Thursday, May 30th, 2013

In a move designed to starve botnets where they live, Microsoft launched a program on Tuesday to plug its security intelligence systems into its global cloud, Azure.

The new offering, known as the Cyber Threat Intelligence Program, or C-TIP, will enable ISPs and CERTs to receive information on infected computers on their systems in near-real time, Microsoft said.

“All too often, computer owners, especially those who may not be using up-to-date, legitimate software and anti-malware protection, unwittingly fall victim to cybercriminals using malicious software to secretly enlist their computers into an army of infected computers known as a botnet, which can then be used by cybercriminals for a wide variety of attacks online,” Microsoft explained in a blog post.

Microsoft has been a leader in the industry in taking down botnets. Its victims include zombie armies enlisted with malware such as Conficker, Waledac, Rustock, Kelihos, Zeus, Nitol and Bamital.

Once a network is taken down, though, its minions must be sanitized. That’s what ISPs and CERTs do with the information they receive from Project MARS (Microsoft Active Response for Security), which is now plugged into Azure.

“While our clean-up efforts to date have been quite successful, this expedited form of information sharing should dramatically increase our ability to clean computers and help us keep up with the fast-paced and ever-changing cybercrime landscape,” Microsoft noted.

“It also gives us another advantage: cybercriminals rely on infected computers to exponentially leverage their ability to commit their crimes, but if we’re able to take those resources away from them, they’ll have to spend time and money trying to find new victims, thereby making these criminal enterprises less lucrative and appealing in the first place,” it added.

Following a botnet takedown, its zombies must be purged in a “remediation phase” of the operation. “The remediation phase is designed to clean up the systems that are infected after the command and control infrastructure is taken over,” said Jeff Williams, director of security strategy at Dell Secureworks.

“To leave the infected systems would allow criminals to use the existing malware to create a new botnet,” he told CSO. “It’s a critical component of takedown work to remediate the infected systems.”

In addition to allowing Microsoft to feed remediation information to ISPs and CERTs quickly, Azure allows Microsoft to scale up its botnet busting efforts without a hiccup.

Currently, Microsoft manages hundreds of millions of events a day with its security intelligence systems. It foresees that number climbing into the tens to hundreds of billions in the future, noted T.J. Campana, director of the Microsoft Cybercrime Center.

Now the only data Microsoft is putting into its intelligence systems is MARS program data. “As we increase the number of takedowns we do per year, the size of the attacks and work with more partners around the world, we’ll be processing a much larger set of IP addresses and events per day,” Campana said.

Azure allows Microsoft to accommodate that expansion. “The ability to have that kind of elasticity dynamically through Azure has been a huge advantage to us,” he added.

For one security analyst, the move to Azure was long overdue. “It’s something Microsoft should be proactive about because it has millions of endpoints from which to collect this information,” Gartner security analyst Avivah Litan told CSO.

“This is long overdue,” she added. “They should have done something like this a couple of years ago.”


Huge attack on WordPress sites could spawn never-before-seen super botnet

Friday, April 12th, 2013

Ongoing attack from >90,000 computers is creating a strain on Web hosts, too.

Security analysts have detected an ongoing attack that uses a huge number of computers from across the Internet to commandeer servers that run the WordPress blogging application.

The unknown people behind the highly distributed attack are using more than 90,000 IP addresses to brute-force crack administrative credentials of vulnerable WordPress systems, researchers from at least three Web hosting services reported. At least one company warned that the attackers may be in the process of building a “botnet” of infected computers that’s vastly stronger and more destructive than those available today. That’s because the servers have bandwidth connections that are typically tens, hundreds, or even thousands of times faster than botnets made of infected machines in homes and small businesses.

“These larger machines can cause much more damage in DDoS [distributed denial-of-service] attacks because the servers have large network connections and are capable of generating significant amounts of traffic,” Matthew Prince, CEO of content delivery network CloudFlare, wrote in a blog post describing the attacks.

It’s not the first time researchers have raised the specter of a super botnet with potentially dire consequences for the Internet. In October, they revealed that highly debilitating DDoS attacks on six of the biggest US banks used compromised Web servers to flood their targets with above-average amounts of Internet traffic. The botnet came to be known as the itsoknoproblembro or Brobot, names that came from a relatively new attack tool kit some of the infected machines ran. If typical botnets used in DDoS attacks were the network equivalent of tens of thousands of garden hoses trained on a target, the Brobot machines were akin to hundreds of fire hoses. Despite their smaller number, they were nonetheless able to inflict more damage because of their bigger capacity.

There’s already evidence that some of the commandeered WordPress websites are being abused in a similar fashion. A blog post published Friday by someone from Web host ResellerClub said the company’s systems running that platform are also under an “ongoing and highly distributed global attack.”

“To give you a little history, we recently heard from a major law enforcement agency about a massive attack on US financial institutions originating from our servers,” the blog post reported. “We did a detailed analysis of the attack pattern and found out that most of the attack was originating from [content management systems] (mostly WordPress). Further analysis revealed that the admin accounts had been compromised (in one form or the other) and malicious scripts were uploaded into the directories.”

The blog post continued:

“Today, this attack is happening at a global level and WordPress instances across hosting providers are being targeted. Since the attack is highly distributed in nature (most of the IPs used are spoofed), it is making it difficult for us to block all malicious data.”

According to CloudFlare’s Prince, the distributed attacks are attempting to brute force the administrative portals of WordPress servers, employing the username “admin” and 1,000 or so common passwords. He said the attacks are coming from tens of thousands of unique IP addresses, an assessment that squares with the finding of more than 90,000 IP addresses hitting WordPress machines hosted by HostGator.

“At this moment, we highly recommend you log into any WordPress installation you have and change the password to something that meets the security requirements specified on the WordPress website,” the company’s Sean Valant wrote. “These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including ‘special’ characters (^%$#@*).”

Operators of WordPress sites can take other measures too, including installing plugins such as this one and this one, which close some of the holes most frequently exploited in these types of attacks. Beyond that, operators can sign up for a free plan from CloudFlare that automatically blocks login attempts that bear the signature of the brute-force attack.

Already, HostGator has indicated that the burden of this mass attack is causing huge strains on websites, which come to a crawl or go down altogether. There are also indications that once a WordPress installation is infected it’s equipped with a backdoor so that attackers can maintain control even after the compromised administrative credentials have been changed. In some respects, the WordPress attacks resemble the mass compromise of machines running the Apache Web server, which Ars chronicled 10 days ago.
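A site operator who cannot put the login page behind a CDN can still see the attack in ordinary access logs: the brute force described above shows up as a burst of POST requests to wp-login.php from many addresses within the same minute. The following is an added example, not HostGator's or CloudFlare's code, of that detection run over constructed access-log lines. It relies on the usual WordPress behaviour that a failed login re-renders the form with status 200 while a successful one answers with a 302 redirect, so a source with many failures followed by a 302 is the highest-priority finding; the thresholds and addresses are assumptions.

```python
"""Added example: detect the distributed wp-login.php brute force in access logs.

Three findings: sources exceeding a per-IP POST threshold, minutes in which an
unusual number of distinct sources POST to wp-login.php (the distributed
pattern), and sources whose burst of failures (200) ends in a success (302).
Log lines and thresholds are constructed for the example.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def _line(ip, ts, method, path, status):
    """Build one constructed combined-format access-log line."""
    return '%s - - [%s +0000] "%s %s HTTP/1.1" %s 1234 "-" "Mozilla/5.0"' % (
        ip, ts, method, path, status)


SAMPLE_LOG = (
    # A legitimate editor: one login that succeeds (302) then reaches wp-admin
    [_line("192.0.2.50", "12/Apr/2013:09:15:02", "POST", "/wp-login.php", "302"),
     _line("192.0.2.50", "12/Apr/2013:09:15:03", "GET", "/wp-admin/", "200")]
    # 30 bots, 5 guesses each inside one minute, every attempt failing (200)
    + [_line("203.0.113.%d" % (i + 1), "12/Apr/2013:09:15:%02d" % (k * 10 + 1),
             "POST", "/wp-login.php", "200")
       for i in range(30) for k in range(5)]
    # One loud bot: eleven failures, then a success
    + [_line("198.51.100.9", "12/Apr/2013:09:15:%02d" % s, "POST", "/wp-login.php", "200")
       for s in range(11)]
    + [_line("198.51.100.9", "12/Apr/2013:09:15:11", "POST", "/wp-login.php", "302")]
)


def detect(lines, per_ip_threshold=10, distributed_threshold=20):
    """Return offenders, likely compromises and distributed-attack minutes."""
    posts_per_ip = Counter()
    success_ips = set()
    window_posts = Counter()
    window_ips = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        ip, minute, status = m["ip"], m["ts"][:17], m["status"]  # "12/Apr/2013:09:15"
        posts_per_ip[ip] += 1
        window_posts[minute] += 1
        window_ips[minute].add(ip)
        if status == "302":
            success_ips.add(ip)
    offenders = sorted(ip for ip, n in posts_per_ip.items() if n >= per_ip_threshold)
    compromised = sorted(ip for ip in offenders if ip in success_ips)
    distributed = sorted(
        (minute, len(ips), window_posts[minute])
        for minute, ips in window_ips.items()
        if len(ips) >= distributed_threshold
    )
    return {
        "offenders": offenders,
        "likely_compromised": compromised,
        "distributed": distributed,   # (minute, distinct sources, POSTs)
    }


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Per-IP thresholds alone miss this campaign: each of the thirty constructed bots makes only five guesses, below any sensible single-source limit, which is exactly why the distributed count per minute is needed. A 302 after a run of failures from one source is the cue to rotate that account's password and look for the backdoor the article mentions.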

With so much at stake, readers who run WordPress sites are strongly advised to lock down their servers immediately. The effort may not only protect the security of the individual site, it could help safeguard the Internet as a whole.


Guerilla researcher created epic botnet to scan billions of IP addresses

Friday, March 22nd, 2013

In one of the more audacious and ethically questionable research projects in recent memory, an anonymous hacker built a botnet of more than 420,000 Internet-connected devices and used it to perform one of the most comprehensive surveys ever to measure the insecurity of the global network.

In all, the nine-month scanning project found 420 million IPv4 addresses that responded to probes and 36 million more addresses that had one or more ports open. A large percentage of the unsecured devices bore the hallmarks of broadband modems, network routers, and other devices with embedded operating systems that typically aren’t intended to be exposed to the outside world. The researcher found a total of 1.3 billion addresses in use, including 141 million that were behind a firewall and 729 million that returned reverse domain name system records. There were no signs of life from the remaining 2.3 billion IPv4 addresses.

Continually scanning almost 4 billion addresses for nine months is a big job. In true guerilla research fashion, the unknown hacker developed a small scanning program that scoured the Internet for devices that could be logged into using no account credentials at all or the usernames and passwords of either “root” or “admin.” When the program encountered unsecured devices, it installed itself on them and used them to conduct additional scans. The viral growth of the botnet allowed it to infect about 100,000 devices within a day of the program’s release. The critical mass allowed the hacker to scan the Internet quickly and cheaply. With about 4,000 clients, it could scan one port on all 3.6 billion addresses in a single day. Because the project ran 1,000 unique probes on 742 separate ports, and possibly because the binary was uninstalled each time an infected device was restarted, the hacker commandeered a total of 420,000 devices to perform the survey.

More than nine terabytes of data

“A lot of devices and services we have seen during our research should never be connected to the public Internet at all,” the guerilla researcher concluded in a 5,000-word report titled Internet Census 2012: Port scanning /0 using insecure embedded devices. “As a rule of thumb, if you believe that ‘nobody would connect to the Internet, really nobody,’ there are at least 1,000 people who did. Whenever you think ‘that shouldn’t be on the Internet but will probably be found a few times’ it’s there a few hundred thousand times. Like half a million printers, or a million Webcams, or devices that have root as a root password.”

In all, the botnet, which the researcher named “Carna” after the Roman goddess of physical health, collected more than 9TB worth of data. It performed 52 billion ICMP ping probes, 180 billion service probe records, and 2.8 billion SYN scan records for 660 million IPs with 71 billion ports tested. The researcher said he took precautions to prevent his program from disrupting the normal operation of the infected devices.

“Our binaries were running with the lowest possible priority and included a watchdog that would stop the executable in case anything went wrong,” he wrote. “Our scanner was limited to 128 simultaneous connections and had a connection timeout of 12 seconds.”

He continued: “We used the devices as a tool to work at the Internet scale. We did this in the least invasive way possible and with the maximum respect to the privacy of the regular device users.”
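The two limits quoted above, a cap on simultaneous connections and a per-connection timeout, are what keep a large scan from exhausting the scanner or the target. The following is an added example, not Carna's code, of a TCP connect scanner that enforces both with an asyncio semaphore and `wait_for`; it only reports whether a port accepts a connection and never logs in. The `demo_local_scan` helper is constructed for the example: it opens one listening loopback port and one known-closed port, then scans both.

```python
"""Added example: bounded-concurrency TCP connect scanner with per-probe timeout.

Defaults mirror the limits in the article (128 simultaneous connections,
12-second timeout). The demo scans loopback only; targets are constructed.
"""
import asyncio
import socket


async def _probe(host, port, sem, timeout):
    """Return (port, is_open) for one connect attempt while holding a semaphore slot."""
    async with sem:
        try:
            _, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
        except (OSError, asyncio.TimeoutError):
            # Refused (RST), unreachable, or no answer within the timeout
            return port, False
        writer.close()
        try:
            await writer.wait_closed()
        except OSError:
            pass
        return port, True


async def scan(host, ports, max_concurrent=128, timeout=12.0):
    """Scan the given ports on host; return the sorted list of open ports."""
    sem = asyncio.Semaphore(max_concurrent)
    results = await asyncio.gather(*(_probe(host, p, sem, timeout) for p in ports))
    return sorted(p for p, is_open in results if is_open)


def demo_local_scan():
    """Constructed demo: one listening loopback port, one freshly closed port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the kernel pick a free port
    listener.listen(16)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                         # nothing listens here during the scan

    try:
        found = asyncio.run(scan("127.0.0.1", [open_port, closed_port],
                                 max_concurrent=2, timeout=2.0))
    finally:
        listener.close()
    return open_port, closed_port, found


if __name__ == "__main__":
    print(demo_local_scan())
```

Against a closed port on a live host the kernel answers with a reset and the probe returns immediately; the timeout only bites for filtered ports that drop packets silently, which is where an unbounded scanner would otherwise pile up thousands of half-open sockets. The semaphore is what a practitioner should tune before anything else when pointing this at a range that is not loopback.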

The researcher found that his scanning program wasn’t the only unauthorized code hitching a free ride on some of the commandeered devices. Competing botnet programs such as one known as Aidra infected as many as 30,000 embedded devices including the Linux-powered Dreambox TV receiver and other devices that run on a MIPS hardware. The scanning software detected capabilities in Aidra that forced compromised devices to carry out a variety of denial-of-service attacks on targets selected by the malicious botnet operators.

“Apparently its author only built it for a few platforms, so a majority of our target devices could not be infected with Aidra,” the researcher reported. “Since Aidra was clearly made for malicious actions and we could actually see their Internet scale deployment at that moment, we decided to let our bot stop telnet after deployment and applied the same iptable rules Aidra does, if iptables was available. This step was required to block Aidra from exploiting these machines for malicious activity.”

The changes didn’t survive reboots, however, allowing Aidra to resume control of the embedded devices once they were restarted. The scanning program was programmed to install itself on uninfected devices, so it’s possible it may have repeatedly disrupted the malicious bot software only to be foiled each time a device was rebooted.

Breaking the law

The research project almost certainly violated federal statutes prohibiting the unauthorized access of protected computers and possibly other hacking offenses. And since the unknown researcher is willing to take ethical and legal liberties in his work, it’s impossible to verify that he carried out the project in the manner described in the paper. Still, the findings closely resemble those of HD Moore, the CSO of security firm Rapid7 and chief architect of the Metasploit software framework used by hackers and penetration testers. Over a 12-month period last year, he used ethical and legal means to probe up to 18 ports of every IPv4 Internet address three or four times each day. The conclusion: there are about 1.3 billion addresses that respond to various scans, with about 500 million to 600 million of them coming from embedded devices that were never intended to be reachable on the Internet.

Over three months in mid-2012, the researcher sent an astounding 4 trillion service probes, 175 billion of which were sent back and saved. In mid-December the researcher probed the top 30 ports, providing about 5 billion additional saved service probes. A detailed list of the probes sent to specific ports is here.

“This looks pretty accurate,” Moore said of the guerilla report, which included a wealth of raw data to document the findings. “Embedded devices really are one of the most common devices on the Internet, and the security of these devices is terrible. I ran into a number of active botnets using those devices to propagate.”

The only way to ultimately confirm the veracity of the findings is to go through the data in precise detail, which is something fellow researchers have yet to do publicly.

Moore said there were advantages and disadvantages to each of the studies. While use of an illicit botnet may have provided greater visibility into the overall Internet population, it amounted to a much briefer snapshot in time. Moore’s approach, by contrast, was more limited since it probed just 18 ports. But because it surveyed devices every day for a year, its results are less likely to reflect anomalies resulting from seasonal differences in Internet usage.

Putting aside the ethical and legal concerns of taking unauthorized control of hundreds of millions of devices, the researcher builds a compelling case for taking on the project.

“We would also like to mention that building and running a gigantic botnet and then watching it as it scans nothing less than the whole Internet at rates of billions of IPs per hour over and over again is really as much fun as it sounds like,” he wrote. What’s more, with the advent of IPv6, the opportunity may never come again, since the next-generation addressing scheme offers orders of magnitude more addresses, far too many to be scanned en masse.

The researcher concluded by explaining the ultimate reason he took on the project.

“I did not want to ask myself for the rest of my life how much fun it could have been or if the infrastructure I imagined in my head would have worked as expected,” he explained. “I saw the chance to really work on an Internet scale, command hundred thousands of devices with a click of my mouse, portscan and map the whole Internet in a way nobody had done before, basically have fun with computers and the Internet in a way very few people ever will. I decided it would be worth my time.”


Massive search fraud botnet seized by Microsoft and Symantec

Thursday, February 7th, 2013

Hundreds of thousands of Bamital bots made ring of 18 operators over $1M a year.

Users with computers infected by the Bamital botnet malware will see this page every time they click a search result.

A botnet that redirected clicks from millions of PCs has been, at least for the moment, shut down by Microsoft and Symantec. Based on the fraudulent traffic generated by the Bamital botnet, the two companies estimate that its operators netted more than $1 million a year by redirecting unsuspecting computer users to websites they didn’t intend to go, cashing in on the traffic with online advertising networks.

Acting on a court order they obtained from the US District Court in Alexandria, technicians from the two companies—accompanied by federal marshals—showed up at two data centers today to take down the servers controlling the Bamital botnet. A server in an ISPrime data center in Weehawken, New Jersey was seized, while the operators of a LeaseWeb data center in Manassas, Virginia voluntarily shut down a server at the company’s headquarters in the Netherlands. LeaseWeb is providing an image of that server to Microsoft and Symantec. “These servers were command and control servers, and were also absorbing the malicious traffic the botnet was creating,” said Vikram Thakur, Principal Security Response Manager at Symantec in an interview with Ars.

Richard Boscovich, an assistant general counsel with Microsoft’s Digital Crimes Unit, said that while the malware had been identified as far back as 2011, nailing down the exact servers they needed to go after took some time. “The malware was morphing back and forth, so it made it difficult to identify the targets,” he said. But when the botnet stabilized a few months ago, “it offered a window of opportunity to go after them. The legal portion took about two months.”

Based on forensic evidence collected from infected computers by Symantec and Microsoft, there have been several generations of Bamital, with activity dating back at least three years. Early variants of the malware attacked users’ Web browsers with HTML injection. “They injected an iframe into every page,” Thakur said, “so whatever page loaded also loaded content from the bad guys.”

In later variants of Bamital, the malware simply redirected any click on a search page to the botnet’s own servers, which in turn used HTML redirects to feed the victims’ traffic into an advertising network. That network acted as a clearinghouse for other advertiser networks, so a click could go through several sets of redirects before it actually landed on a website—and not the one the user expected.

Because of the nature of Bamital, Microsoft is now in a position that’s different from some of its previous botnet takedowns—it has a direct line to victims of the malware. “One of the things we’re doing a little differently in this case is we’re doing direct victim notification,” Boscovich said. Users with systems infected by Bamital will now be redirected to a Microsoft webpage offering tools to help remove the Bamital malware—as well as any other malware that’s out there. “There are AV signatures out there for this malware already,” Boscovich said.

“They may have an OS that’s unpatched, or antivirus software that’s outdated. We’re taking control of the command and control network so that every time someone types in a search query, they’re going to get redirected to a page directly by Microsoft.”

Thakur said that the Bamital malware was initially delivered by a combination of methods, including in packages over peer-to-peer filesharing networks disguised as other content. But the majority of systems infected were the victim of “driveby downloads” from websites configured with malicious software intended to exploit browser security flaws. “We have evidence of [the botnet operators] polluting search engine results for certain search terms with links to servers with exploits,” he said.

As new variants of the botnet were developed, the operators made efforts to “upgrade” systems they had already infected. “But along the way they seemed to have left behind a number of people,” Thakur said. The older servers that had been used with previous versions of the malware appear to have been abandoned as well.

In 2011, Microsoft and Symantec were able to monitor the traffic going to one of the botnet’s servers. “We got back data that showed that 3 million clicks were being hijacked by that server on a daily basis,” Thakur said. Based on a conservative estimate of a payment for one-tenth of a percent of the advertising value for each click, the companies determined the fraud ring was pulling in over $1 million a year from advertising networks. “And it could have been 2 or 3 times that much,” he said.

The advertising networks connected to Bamital themselves may be completely fraudulent.  They acted as clearinghouses for the traffic, and resold it to other, legitimate advertising networks and affiliate programs.  “Bamital went through several ad networks before it even displayed content,” Thakur said. “It was super convoluted.”

Microsoft and Symantec are hoping the data obtained through the seizure of the server in New Jersey will help them get a better understanding of the underground ecosystem of advertising networks that drives botnets like Bamital.  But it’s too early to tell if it will help catch the actual perpetrators. “We still have to go through the evidence,” Boscovich said, but he noted that Microsoft had had some success in the past in identifying botnet operators, as it did with Kelihos.


Apache plugin turns legit sites into bank-attack platforms

Wednesday, December 19th, 2012

Module found operating in the wild causes sites to push malware on visitors.

A malicious Apache module found operating in the wild turns sites running the Internet’s most popular Web server into platforms that surreptitiously install malware on visitors’ computers.

The plugin, which was discovered by researchers from antivirus provider Eset, is an x64 Linux binary that streamlines the process of injecting malicious content into compromised websites. It was found running on an undisclosed website that exposed end users to a variety of exploits that installed the ZeuS banking trojan, also known as Win32/Zbot. It also pushed malware from Sweet Orange, a newer exploit kit hosted by servers in Lithuania that competes with ZeuS. When Eset discovered the plugin last month, it was connecting to command and control servers in Germany and was being used to target banking customers in Russia and elsewhere in Europe.

“This complicated case spreads across three different countries, targeting users from a fourth one, making it very hard for law enforcement agencies to investigate and mitigate,” Pierre-Marc Bureau, Eset’s security intelligence program manager, wrote in a blog post. “It is not clear at this point in time if the same group of people are behind the whole operation, or if multiple gangs collaborated, perhaps with one to drive traffic to the exploit pack and sell the infected computers to another gang operating a botnet based on Win32/Zbot.”

The Apache plugin, which Eset software flags as Linux/Chapro.A, contains several features designed to make infections stealthy. To prevent being widely detected, it doesn’t serve malicious content when a visitor’s browser user agent indicates it’s coming from Google or another automated search-engine agent. It also holds its fire against IP addresses that connect to the Web server over SSH-protected channels, preventing site administrators from being exposed. It also uses browser cookies and IP logging to prevent visitors from being exposed to exploits more than once. By hiding the attacks from search engines and admins—and making it hard to determine how end-user machines are infected—the features make it harder to identify the site as compromised.

The compromised site found by Bureau was injecting invisible iframe tags into otherwise legitimate webpages. The iframes he observed attempted to exploit at least four previously patched security bugs in Microsoft Internet Explorer, Adobe Reader, and Oracle’s Java software framework. The plugin has the capability to inject malicious JavaScript into Web content, giving it another powerful avenue for attack.
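The two evasion tricks described above, cloaking against crawler user agents and injecting invisible iframes, leave a footprint a site owner can check for. The following is an added example, not Eset’s code or anything from the module itself: it parses served HTML for iframes a visitor could not see (zero or one-pixel dimensions, `display:none`, `visibility:hidden`) and compares the page as fetched with a browser User-Agent against the same page fetched with a crawler User-Agent. Both HTML pages and the host `example.invalid` are constructed samples.

```python
"""Spot hidden iframe injection and browser-only cloaking in served HTML.

Added example for this article; it is not Eset's code or the module's.
Both HTML pages below are constructed samples, and 'example.invalid'
is a placeholder host.
"""
import re
from html.parser import HTMLParser

# CSS that hides an element from the visitor while the browser still loads it.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension_is_tiny(value):
    """True for width/height values such as '0', '1' or '1px'."""
    match = re.match(r"\s*(\d+)", value)
    return match is not None and int(match.group(1)) <= 1


def find_hidden_iframes(html):
    """Return the src of each iframe a visitor would not be able to see."""
    collector = IframeCollector()
    collector.feed(html)
    hidden = []
    for attrs in collector.iframes:
        tiny = (_dimension_is_tiny(attrs.get("width", ""))
                or _dimension_is_tiny(attrs.get("height", "")))
        if tiny or HIDDEN_STYLE.search(attrs.get("style", "")):
            hidden.append(attrs.get("src", ""))
    return hidden


def cloaked_iframes(browser_view, crawler_view):
    """Hidden iframes served to a browser User-Agent but withheld from a
    crawler User-Agent for the same URL.  A module that cloaks against search
    engines produces exactly this difference between the two fetches."""
    return set(find_hidden_iframes(browser_view)) - set(find_hidden_iframes(crawler_view))


# Constructed sample: the page as the site owner published it.
CLEAN_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="https://example.invalid/player" width="640" height="360"></iframe>
</body></html>"""

# Constructed sample: the same page with a 1x1 hidden frame appended, the
# shape of injection the article describes.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://example.invalid/landing" width="1" height="1" '
    'style="visibility:hidden"></iframe>\n</body>',
)

if __name__ == "__main__":
    print("hidden in injected page:", find_hidden_iframes(INJECTED_PAGE))
    print("cloaked:", cloaked_iframes(INJECTED_PAGE, CLEAN_PAGE))
```

In practice the two views come from fetching your own site twice with different `User-Agent` headers and, ideally, from a network the module does not associate with your SSH sessions, since the article notes it also spares administrator addresses; a difference in hidden frames between the views is a strong signal that injection is happening server-side.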

Bureau didn’t say how the site running the plugin was hacked. Many legitimate websites used in malware attacks are commandeered after administrator credentials are compromised. He said the malicious Apache plugin is separate from a Linux rootkit discovered last month that also injects malicious content into otherwise legitimate webpages.

Engineers who develop and maintain Apache offer programming interfaces that allow anyone to write modules that give the Web server additional capabilities. The module discovered by Eset is almost certainly written by a third party that has no affiliation with the Apache Foundation.


Experts take down Grum spam botnet, world’s third largest

Wednesday, July 18th, 2012

Botnet was responsible for 18 billion spam messages a day — about 18 percent of the world’s spam — experts tell The New York Times.

Computer-security experts took down the world’s third-largest botnet, which they say was responsible for 18 percent of the world’s spam.

Command-and-control servers in Panama and the Netherlands pumping out up to 18 billion spam messages a day for the Grum botnet were taken down Tuesday, but the botnet’s architects set up new servers in Russia later in the day, according to a New York Times report. California-based security firm FireEye and U.K.-based spam-tracking service SpamHaus traced the spam back to servers in Russia and worked with local ISPs to shut down the servers, which ran networks of infected machines called botnets.

The tech community has stepped up its efforts of late to take these botnets offline. Microsoft in particular has been quite active, using court orders to seize command-and-control servers and cripple the operations of the Waledac, Rustock, and Kelihos botnets.

The takedown of the Rustock botnet cut the volume of spam across the world by one-third, Symantec reported in March 2011. At its peak, the notorious botnet was responsible for sending out 44 billion spam messages per day, or more than 47 percent of the world’s total output, making it the leading purveyor of spam.

Security experts are confident they have stopped the Grum botnet in its tracks.

“It’s not about creating a new server. They’d have to start an entirely new campaign and infect hundreds of thousands of new machines to get something like Grum started again,” Atif Mushtaq, a computer security specialist at FireEye, told the Times. “They’d have to build from scratch. Because of how the malware was written for Grum, when the master server is dead, the infected machines can no longer send spam or communicate with a new server.”

Source: CNET

Android smartphones ‘used for botnet,’ researchers say

Thursday, July 5th, 2012

Smartphones running Google’s Android software have been hijacked by an illegal botnet, according to a Microsoft researcher.

Botnets are large illegal networks of infected machines – usually desktop or laptop computers – typically used to send out masses of spam email.

Researcher Terry Zink said there was evidence of spam being sent from Yahoo mail servers by Android devices.

Microsoft’s own platform, Windows Phone, is a key competitor to Android.

The Google platform has suffered from several high-profile issues with malware-affected apps in recent months.

The official store – Google Play – has had issues with fake apps, often pirated free versions of popular paid products like Angry Birds Space or Fruit Ninja.

This latest discovery has been seen as a change of direction for attackers.

“We’ve all heard the rumours,” Mr Zink wrote in a blog post.

“But this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices.

“These devices login to the user’s Yahoo Mail account and send spam.”

Bad guys

He said analysis of the IP addresses used to send the email revealed the spam had originated from Android devices being used in Chile, Indonesia, Lebanon, Oman, Philippines, Russia, Saudi Arabia, Thailand, Ukraine, and Venezuela.

As is typical, the spam email looks to tempt people into buying products like prescription drugs.

Security expert Graham Cluley, from anti-virus firm Sophos, said it was highly likely the attacks originated from Android devices, given all available information, but this could not be proven.

This was the first time smartphones had been exploited in this way, he said.

“We’ve seen it done experimentally to prove that it’s possible by researchers, but not done by the bad guys,” he told the BBC.

“We are seeing a lot of activity from cybercriminals on the Android platform.

“The best thing you can do right now is upgrade your operating system, if that’s possible.

“And before you install apps onto your device, look at the reviews, because there are many bogus apps out there.”

Google told the BBC it did not respond to queries about specific apps but was working to improve security on the Android platform.

“We are committed to providing a secure experience for consumers in Google Play, and in fact our data shows between the first and second halves of 2011, we saw a 40% decrease in the number of potentially malicious downloads from Google Play,” a spokesman said.

“Last year we also introduced a new service into Google Play that provides automated scanning for potentially malicious software without disrupting the user experience or requiring developers to go through an application approval process.”

Source: BBC

Malware threat level hits four-year high

Wednesday, May 23rd, 2012

Surfing the Internet is becoming more dangerous than ever, according to a report released Wednesday by cyber security software maker McAfee.

In the first three months of the year, malware circulating in cyberspace reached a four-year high and is on a pace to reach 100 million samples by year’s end, McAfee says in its quarterly threats report.

“In the first quarter of 2012, we have already detected 8 million new malware samples, showing that malware authors are continuing their unrelenting development of new malware,” Vincent Weafer, senior vice president of McAfee Labs, said in a statement.

“The same skills and techniques that were sharpened on the PC platform are increasingly being extended to other platforms, such as mobile and Mac,” he added.

Contributing to the proliferation of malware is the arrival of new kits for creating malicious software, Adam Wosotowsky, a messaging data architect at McAfee Labs, said in an interview with PCWorld.

The most common kits for creating malware have been based on the Zeus and SpyEye packages, but crackdowns on botnets built on those models have prodded cyber criminals to seek alternatives.

“As the authors of Zeus and SpyEye have started to be located by authorities and are starting to have issues putting out their stuff, we’re starting to see more new botnet-building SDKs [Software Development Kits] being released into the black market,” he said.

That has increased the number of campaigns, the number of strains and the number of mutations, which increases the number of samples McAfee collects, he added.

Mobile malware continues to grow, McAfee reported, with more than 7,000 Android threats being collected and identified during the quarter. That’s more than a 1,200 percent increase over the previous quarter.

Many of the Android infections are being spread by software distributed by third-party retailers, Wosotowsky observed. “The official Google apps store [Google Play] doesn’t have very many malicious applications on it,” he said.

Most mobile malware is designed to surreptitiously send text messages to premium SMS services. Cyber bandits get a cut of the charges for each message and disappear before a victim can protest to his or her wireless provider.

McAfee also reported that spam levels continue to decline. Global spam during the quarter dropped to slightly more than one trillion messages. “A lot of that is because spam is a lot more accurate nowadays than it used to be,” Wosotowsky explained.

When spam volumes were at their all-time highs, he continued, messages were being sent to lots of random addresses. “Now you can purchase these lists that contain legitimate e-mail addresses,” he said. “For that reason, spam has become more accurate, so you don’t have as much chaff in the spam world.”


Apple to release Flashback removal software, working to take down botnet

Wednesday, April 11th, 2012

Apple plans to release software that will detect and remove Flashback malware infections on the Mac, the company announced Tuesday. In a knowledge base link published late in the day, Apple explained that it’s aware of the infection—which takes advantage of a previously unpatched Java vulnerability—saying that the software was coming, but no specific release date was given.

In addition to the Flashback detection software, Apple said that it’s “working with ISPs worldwide” to disable the botnet’s command and control (C&C) servers. Kaspersky researcher Kurt Baumgartner told Forbes earlier on Tuesday that “Apple is taking appropriate action by working with the larger Internet security community to shut down the Flashfake [also known as Flashback] C2 domains,” and Apple’s latest efforts seem to coincide with Baumgartner’s statement.

“Apple is developing software that will detect and remove the Flashback malware,” Apple wrote. “In addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions. Apple is working with ISPs worldwide to disable this command and control network.”

We have been covering the Mac Flashback trojan since 2011, but the malware recently picked up steam. Last week, Russian security firm Dr. Web reported that it had infected more than half a million Macs worldwide. (The aforelinked Forbes report claimed Apple tried to take down Dr. Web’s sinkhole server for Flashback, but it seems most likely that this was an accidental inclusion in Apple’s attempts to take down the botnet’s C&Cs.)

There are already a couple ways to detect and remove a Flashback infection, but they involve some Terminal kung-fu that less experienced users might not feel comfortable with. Apple’s solution will undoubtedly target mainstream users who have heard about Flashback and want to ensure their Macs remain malware-free.


More than 600,000 Macs infected with Flashback botnet

Thursday, April 5th, 2012

Russian antivirus company says half the computers infected with malware designed to steal personal information are in the U.S. — with 274 located in Cupertino

More than half a million Macs are infected with the Flashback Trojan, a malware package designed to steal personal information, according to a Russian antivirus company.

The company — Dr. Web — originally reported today that 550,000 Macintosh computers were infected by the growing Mac botnet. But later in the day, Dr. Web malware analyst Sorokin Ivan announced on Twitter that the number of Macs infected with Flashback had increased to 600,000, with 274 of those based in Cupertino, Calif.


Dr. Web estimates that half a million Macs were infected by the Flashback trojan.… We can’t confirm or deny the figure.

@mikko, at this moment botnet Flashback over 600k, include 274 bots from Cupertino and special for you Mikko – 285 from Finland

More than half of the Macs infected are in the United States (57 percent), while another 20 percent are in Canada, Dr. Web said.

The malware was initially found in September 2011 masquerading as a fake Adobe Flash Player plug-in installer, but in the past few months it has evolved to exploiting Java vulnerabilities to target Mac systems. A new variant that surfaced over the weekend appears to be taking advantage of Java vulnerability for which Apple released a patch yesterday.

As CNET blogger Topher Kessler explains, simply visiting a malicious Web site containing Flashback on an OS X system with Java installed will result in one of two installation routes. The malware will request an administrator password, and if one is supplied, it will install its package of code into the Applications folder. If a password is not offered, the malware will install to the user accounts where it can run in a more global manner.

Once installed, Flashback will inject code into Web browsers and other applications like Skype to harvest passwords and other information from those programs’ users.

Security company F-Secure has published instructions on how to determine whether a Mac is infected with Flashback.

Source: CNET

Security firms disable the second Kelihos botnet

Thursday, March 29th, 2012

A group of malware experts from security companies Kaspersky Lab, CrowdStrike, Dell SecureWorks and the Honeynet Project, have worked together to disable the second version of the Kelihos botnet, which is significantly bigger than the one shut down by Microsoft and its partners in September 2011.

The Kelihos botnet, also known as Hlux, is considered the successor of the Waledac and Storm botnets. Like its predecessors, it has a peer-to-peer-like architecture and was primarily used for spam and launching DDoS (distributed denial-of-service) attacks.

In September 2011, a coalition of companies that included Microsoft, Kaspersky Lab, SurfNET and Kyrus Tech, managed to take control of the original Kelihos botnet and disable its command-and-control infrastructure.

However, back in January, Kaspersky Lab researchers discovered a new version of the botnet, which had an improved communication protocol and the ability to mine and steal Bitcoins, a type of virtual currency.

Last week, after analyzing the new botnet for the past several months, the new group of experts decided to launch a new takedown operation, said Stefan Ortloff of Kaspersky Lab in a blog post on Wednesday.

Disabling botnets with a decentralized architecture like Kelihos is more complicated than simply taking over a few command-and-control servers, because the botnet clients are also able to exchange instructions among themselves.

In order to prevent the botnet’s authors from updating the botnet through the peer-to-peer infrastructure, the security companies had to set up rogue botnet clients around the world and use special techniques to trick all other infected machines to only connect to servers operated by Kaspersky Lab. This is known as sinkholing, said CrowdStrike researcher Tillmann Werner during a press conference Wednesday.

Once the majority of the botnet clients connected to the sinkhole servers, the researchers realized that the second Kelihos botnet was significantly larger than the one taken down in September 2011. It has almost 110,000 infected hosts compared to the first botnet’s 40,000, said Kaspersky Lab’s Marco Preuss during the same press conference.

Twenty-five percent of the new Kelihos bots were located in Poland and 10 percent were in the U.S. The high concentration of bots in Poland suggests that the cybercriminal gang behind Kelihos paid other botnet operators to have their malware distributed on computers from a country with cheaper pay-per-install prices, Werner said.

The vast majority of Kelihos-infected computers — over 90,000 — run Windows XP. Around 10,000 run Windows 7 and 5,000 run Windows 7 with Service Pack 1.

Microsoft was not involved in the new takedown operation, but was informed about it, Werner said. During the September 2011 operation, the company’s role was to disable the domain names the Kelihos gang could have used to take back control of the botnet.

However, this type of action was no longer necessary, because this fallback communication channel is only used by the Kelihos bots if the primary peer-to-peer-based channel is disrupted, which doesn’t happen with sinkholing, Werner said.

Kaspersky will notify Internet service providers about the Internet Protocol addresses on their networks that display Kelihos activity, so that they can contact the subscribers who own the infected machines. The sinkhole will be kept operational for as long as it is necessary, Preuss said.

Various signs suggest that the Kelihos gang gave up on the botnet soon after it was sinkholed. However, given that this was their fifth botnet — including the Storm and Waledac variants — they’re unlikely to give up and will most likely create a new one, Werner said.


Microsoft leads two raids targeting Zeus botnet servers

Tuesday, March 27th, 2012

When you’re fighting against the cybercriminals behind the world’s biggest botnets, sometimes you have to get creative with your battle plans. That’s what Microsoft figured, anyways, sweeping through the offices of two hosting providers with U.S. Marshals to take down computer systems that were helping operators control the Zeus botnet from somewhere in eastern Europe.

Zeus remains one of the largest botnets in existence — and one of the most lucrative, having stolen more than $100 million from its victims over the past five years. As many as 13 million computers have been infected with some variant of Zeus, and they’re all Windows machines, of course. That’s not something Microsoft wants to allow to continue, and they weren’t going to sit idly by any longer. As they did with three other botnets — Kelihos, Rustock, and Waledac — Microsoft formed a team and filed a civil suit against several John Does in order to secure permission to seize domain names and computer equipment that were connected to Zeus.

Microsoft’s goal wasn’t to wipe out Zeus altogether. Not this time around, anyway. Rather, Microsoft wanted to let those operating the botnet know that they’re being watched and that operations are going to be disrupted whenever possible. The domains Microsoft seized — more than 800 in total — will now be used to monitor activity from infected computers.

It’s amazing that computers can still be infected by Zeus in 2010. Microsoft added it to the Malicious Software Removal Tool way back in 2010, though constant fiddling with the original code makes it a bit more difficult to detect and uproot the many variants now floating around the Web. If everyone with a Windows computer was diligent about updating their OS and plug-ins like Java — and using a good quality anti-malware app with heuristic detection abilities — we probably could’ve relegated Zeus to the botnet scrapheap already.

The reality, however, is that there are more than 350 other Zeus servers scattered around the globe and still online. Still, you’ve got to start somewhere, and at least 357 is a few less than there were last week.


Old flaw turns unpatched JBoss servers into botnet

Thursday, October 27th, 2011

A new worm exploiting a JBoss vulnerability that was patched in April 2010 is targeting unsecured servers and adding them to a botnet, security researchers are reporting. “The problem has been fixed last year, but there are apparently still a number of vulnerable installs out there,” Johannes Ullrich of the SANS Technology Institute writes. The older configuration of JBoss only authenticated GET and POST requests, but did not protect other HTTP request types or interfaces, so attackers could “use other methods to execute arbitrary code without authentication.”

“The worm affects users of JBoss Application Server who have not correctly secured their JMX consoles as well as users of older, unpatched versions of JBoss enterprise products,” Red Hat security response director Mark Cox writes in a blog, which points to both the April 2010 patch and instructions for securing the JMX console. “This worm propagates by connecting to unprotected JMX consoles, then uses the ability of the JMX console to execute arbitrary code in the context of the JBoss user.”
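The misconfiguration described in the two paragraphs above is a deployment descriptor whose security constraint names only GET and POST, so a request using any other verb reaches the same URL pattern without passing authentication. The following is an added example, not Red Hat’s or JBoss’s code: it audits a servlet `web.xml` for constraints that enumerate HTTP methods, and shows the corrected shape, a constraint with no `<http-method>` elements, which the servlet specification treats as covering every method. The two descriptors are constructed to illustrate the weak and the hardened form; a real jmx-console `web.xml` may differ in detail.

```python
"""Audit a servlet web.xml for security constraints scoped to specific HTTP verbs.

Added example for this article; it is not Red Hat's or JBoss's code.  The two
descriptors below are constructed to show the weak and the corrected shape;
a real jmx-console web.xml may differ in detail.
"""
import xml.etree.ElementTree as ET

# Constructed: the constraint only covers GET and POST, so any other verb
# reaching /* is served without authentication.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed: the same constraint with no <http-method> elements, which the
# servlet specification treats as "all methods".
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "      <http-method>GET</http-method>\n      <http-method>POST</http-method>\n", "")


def _local(tag):
    """Strip an XML namespace prefix like '{http://...}' from a tag name."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is name."""
    return [child for child in elem if _local(child.tag) == name]


def verb_scoped_constraints(web_xml_text):
    """List every web-resource-collection that enumerates HTTP methods.

    Each finding is a dict with the resource name, its url-patterns and the
    verbs that are protected; every verb not listed is unprotected."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for constraint in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        for coll in _children(constraint, "web-resource-collection"):
            verbs = [m.text.strip() for m in _children(coll, "http-method")]
            if not verbs:
                continue  # no verb list means the constraint covers all methods
            names = [n.text.strip() for n in _children(coll, "web-resource-name")]
            findings.append({
                "resource": names[0] if names else "",
                "patterns": [p.text.strip() for p in _children(coll, "url-pattern")],
                "verbs": verbs,
            })
    return findings


def remove_verb_scoping(web_xml_text):
    """Return the descriptor with every <http-method> dropped, so each
    constraint applies to all verbs."""
    root = ET.fromstring(web_xml_text)
    for coll in (e for e in root.iter() if _local(e.tag) == "web-resource-collection"):
        for method in _children(coll, "http-method"):
            coll.remove(method)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in verb_scoped_constraints(WEAK_WEB_XML):
        print(f"{finding['resource']} {finding['patterns']} only protects {finding['verbs']}")
```

Run against a real deployment’s descriptors, an empty result from `verb_scoped_constraints` is the state you want; any finding means the listed URL patterns can be reached with an unlisted verb and should be fixed either by removing the `<http-method>` elements, as `remove_verb_scoping` does, or by applying the vendor’s patch referenced above.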

In addition to adding servers to a botnet, the worm can install a remote access tool giving the attacker control over the infected server, Kaspersky Lab reports. One user who set up a honeypot on a deliberately insecure JBoss server reports having explored the contents of the malicious payload and discovered that it “contained Perl Scripts to automatically connect the compromised host to an IRC Server and be part of a BOTNET.”

The new worm taking advantage of a long-fixed flaw points to the need for users to update their systems, both servers and PCs. A recent report by Microsoft found that 3.2 percent of malware was from exploits for which security updates had been available for at least a year, and another 2.4 percent were related to exploits for which an update was available for less than a year.


Microsoft settles suit against alleged botnet hoster

Thursday, October 27th, 2011

Microsoft said today that a Czech Republic-based provider of free domains has agreed to pull the plug on botnet activities using his subdomains, as part of a settlement of a lawsuit the software giant filed in September to shut down the Kelihos botnet.

The suit, filed in federal court in Virginia, named Dominique Alexander Piatti and his domain company, Dotfree Group SRO, as defendants, alleging that they were involved in hosting the Kelihos botnet. Infected computers in that operation, also known as “Waledac 2.0” after a previous botnet that Microsoft shut down last year, were used to send unregulated pharmaceutical and other spam, to harvest e-mails and passwords, to conduct fraudulent stock scams and, in some cases, to promote sites dealing with sexual exploitation of children. Subdomains also were allegedly used to spread the MacDefender scareware.

“Since the Kelihos takedown, we have been in talks with Mr. Piatti and dotFREE Group s.r.o. and, after reviewing the evidence voluntarily provided by Mr. Piatti, we believe that neither he nor his business were involved in controlling the subdomains used to host the Kelihos botnet. Rather, the controllers of the Kelihos botnet leveraged the subdomain services offered by Mr. Piatti’s domain,” Richard Domingues Boscovich, senior attorney for Microsoft’s Digital Crimes Unit, wrote in a blog post.

As part of the settlement, Piatti has agreed to delete or transfer to Microsoft all the subdomains that were used to operate the botnet or for other illegitimate purposes, according to Boscovich. Piatti and his company also have agreed to work with Microsoft to prevent abuse of free subdomains and to establish a secure free top level domain going forward, he said.

“By gaining control of the subdomains, we are afforded an inside look at the Kelihos botnet, giving us the opportunity to learn which unique IP addresses are infected with the botnet’s malware,” Boscovich wrote.

Meanwhile, the lawsuit against the 22 other unnamed defendants is pending, Microsoft said.

The Kelihos botnet comprised about 41,000 infected computers worldwide and was capable of sending 3.8 billion spam e-mails per day, according to Microsoft.

Microsoft has been aggressive in moving to put botnets out of business. Kelihos is the third botnet—following Waledac and Rustock earlier this year—that Microsoft has taken down using legal and technical measures.

Source: CNET

Mac trojan poses as PDF to open botnet backdoor

Saturday, September 24th, 2011

Malware continues to be a minimal threat to most Mac users, but that doesn’t mean attackers aren’t constantly trying to come up with new ways to steal information or turn users’ machines into botnet drones. The latter appears to be the case with a new Mac trojan posing as a PDF file, discovered by security researchers at F-Secure.

The malware in question has been identified as Trojan-Dropper:OSX/Revir.A, which installs a backdoor, Backdoor:OSX/Imuler.A, onto the user’s Mac. Currently, however, the backdoor doesn’t communicate with anything. The command-and-control center for this particular malware is apparently a bare Apache installation, which has been sitting at its current domain since May of this year. Because of this, users who might fall victim to this attack aren’t likely to see many ill effects for the time being, but that could change if the files end up spreading to a wider audience.

As mentioned earlier, this trojan spreads by masking itself as a PDF, which displays a Chinese-language document on the screen in an attempt to hide its background activity. This isn’t a new strategy on the surface, as F-Secure notes, but some deeper digging indicates that it might be stealthier than its Windows counterparts.

“This malware may be attempting to copy the technique implemented by Windows malware, which opens a PDF file containing a ‘.pdf.exe’ extension and an accompanying PDF icon,” reads the post on F-Secure’s blog. “The sample on our hand does not have an extension or an icon yet. However, there is another possibility. It is slightly different in Mac, where the icon is stored in a separate fork that is not readily visible in the OS. The extension and icon could have been lost when the sample was submitted to us. If this is the case, this malware might be even stealthier than in Windows because the sample can use any extension it desires.”

As for how this trojan is spreading, that’s a bit of a mystery. The researchers noted that they’re not yet sure of the methods it uses to propagate, but they believe the most likely explanation is that it’s circulating via e-mail attachment.


Microsoft: No botnet is indestructible

Thursday, July 7th, 2011

‘Nothing is impossible,’ says Microsoft attorney, countering claims that the TDL-4 botnet is untouchable

No botnet is invulnerable, a Microsoft lawyer involved with the Rustock takedown said, countering claims that another botnet was “practically indestructible.”

“If someone says that a botnet is indestructible, they are not being very creative legally or technically,” Richard Boscovich, a senior attorney with Microsoft’s Digital Crime Unit, said Tuesday. “Nothing is impossible. That’s a pretty high standard.”

Instrumental in the effort that led to the seizure of Rustock’s command-and-control servers in March, Boscovich said Microsoft’s experience in takedowns of Waledac in early 2010 and of Coreflood and Rustock this year show that any botnet can be exterminated.

“To say that it can’t be done underestimates the ability of the good guys,” Boscovich said. “People seem to be saying that the bad guys are smarter, better. But the answer to that is ‘no.’”

Last week, Moscow-based Kaspersky Labs called the TDL-4 botnet “the most sophisticated threat today,” and argued that it was “practically indestructible” because of its advanced encryption and use of a public peer-to-peer (P2P) network as a fallback communications channel for the instructions issued to infected PCs.

Takedowns like those of Waledac, Rustock and Coreflood have relied on seizing the primary command-and-control (C&C) servers, then somehow blocking the botnet’s compromised computers from accessing alternate C&C domains for new instructions.

By doing both, takedowns decapitate the botnet, let researchers or authorities hijack the botnet, and prevent hackers from updating their malware or giving the bots new orders. That also gives users time to use antivirus software to clean their systems of the infections.

Kaspersky senior malware researcher Roel Schouwenberg said that TDL-4’s use of P2P made the botnet an extremely tough nut.

“Any attempt to take down the regular C&Cs can effectively be circumvented by the TDL group by updating the list of C&Cs through the P2P network,” Schouwenberg said last week. “The fact that TDL has two separate channels for communications will make any takedown very, very tough.”

Boscovich disagreed, noting that the February 2010 takedown of Waledac successfully suppressed that botnet’s P2P command channel.

“[Waledac] was a proof of concept that showed we are able to poison the peer-to-peer table of a botnet,” Boscovich said.

“Each takedown is different, each one is complicated in its own way,” said Boscovich. “Each one is going to be different, but that doesn’t mean that there cannot be a way to do this with any botnet.”

Alex Lanstein, a senior engineer with FireEye who worked with Microsoft on the Rustock takedown, said that the relationships Microsoft has built with others in the security field, with Internet service providers, and with government legal agencies like the U.S. Department of Justice and law enforcement were the most important factors in its ability to take down botnets, any botnets.

“It’s the trust relationships Microsoft has created” that have led to successful takedowns, said Lanstein. “And I think [the technique] speaks to any malware infrastructure where some kind of data feed exists. It really, really works.”

Those who disagree with Boscovich and Lanstein include not only Kaspersky’s Schouwenberg, but also Joe Stewart, director of malware research at Dell SecureWorks and an internationally known botnet expert.

“I wouldn’t say it’s perfectly indestructible, but it is pretty much indestructible,” Stewart said in an interview last week about TDL-4. “It does a very good job of maintaining itself.”

But SecureWorks also acknowledged Microsoft’s takedown chops, saying that its own statistics show that Rustock attacks have dropped tenfold since March.

“Since mid-March 2011, Dell SecureWorks’ CTU [Counter Threat Unit] research team has seen a significant decline in the number of attempted Rustock attacks, and we do attribute it to the comprehensive efforts of Microsoft,” a SecureWorks spokeswoman said Tuesday.

“With the Rustock takedown, Microsoft has built the framework for others to do the same,” Lanstein said. “This is definitely not the last botnet we’re going to go after.”

He declined to name the next likely target, saying that doing so would tip Microsoft and FireEye’s hand.


Security researchers discover ‘indestructible’ botnet

Friday, July 1st, 2011

More than four million PCs have been enrolled in a botnet that security experts say is almost "indestructible".

The botnet, known as TDL, targets Windows PCs and is difficult to detect and shut down.

Code that hijacks a PC hides in places security software rarely looks and the botnet is controlled using custom-made encryption.

Security researchers said recent botnet shutdowns had made TDL’s controllers harden it against investigation.

The 4.5 million PCs have been infected over the last three months, following the appearance of the fourth version of the TDL malware.

The changes introduced in TDL-4 made it the “most sophisticated threat today,” wrote Kaspersky Labs security researchers Sergey Golovanov and Igor Soumenkov in a detailed analysis of the virus.

“The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and anti-virus companies,” wrote the researchers.

Recent successes by security companies and law enforcement against botnets have led to spam levels dropping to about 75% of all e-mail sent, shows analysis by Symantec.

A botnet is a network of computers that have been infected by a virus that allows a hi-tech criminal to use them remotely. Often botnet controllers steal data from victims’ PCs or use the machines to send out spam or carry out other attacks.

The TDL virus spreads via booby-trapped websites and infects a machine by exploiting unpatched vulnerabilities. The virus has been found lurking on sites offering porn and pirated movies as well as those that let people store video and image files.

The malware installs itself in the master boot record (MBR), the first sector of the hard disk, which holds the code that starts the computer and loads the operating system. This is a good place to hide: code in the MBR runs before Windows, and therefore before any anti-virus program, starts, and the sector is rarely scanned by standard anti-virus software.
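The practical check this implies is to read the MBR from the disk and compare it against a known-good baseline rather than rely on the running anti-virus scan. The following Python is an added illustration written for this page, not code from the BBC article or from Kaspersky: it parses the 512-byte MBR layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature), hashes only the bootstrap code so that legitimate repartitioning does not break the baseline, and flags unexplained unpartitioned space after the last partition, where bootkits have been known to stash their payload. The disk geometry, partition tables and bootstrap bytes are constructed sample data, and the 2048-sector slack threshold is an assumption chosen for the example.

```python
"""Audit a raw Master Boot Record for signs of bootkit tampering (added example)."""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 446          # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"      # bytes 510..511
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        """First sector after the partition (exclusive end)."""
        return self.lba_start + self.sectors


def parse_partitions(mbr: bytes) -> list[Partition]:
    """Decode the non-empty entries of the MBR partition table."""
    parts = []
    for i in range(4):
        status, type_id, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if type_id == 0 and sectors == 0:   # unused slot
            continue
        parts.append(Partition(i, status == 0x80, type_id, lba_start, sectors))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code only, so repartitioning does not change it."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def audit_mbr(mbr: bytes, disk_sectors: int, baseline_hash: str,
              slack_threshold: int = 2048) -> list[str]:
    """Return a list of findings; an empty list means nothing looked wrong.

    slack_threshold (sectors) is a heuristic assumed for this example: aligned
    disks normally leave well under 1 MiB unpartitioned after the last
    partition, so a much larger tail deserves a look.
    """
    if len(mbr) != SECTOR:
        return [f"MBR is {len(mbr)} bytes, expected {SECTOR}"]
    findings = []
    if mbr[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("bootstrap code does not match baseline hash")
    parts = parse_partitions(mbr)
    bootable = [p for p in parts if p.bootable]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions marked bootable, expected 1")
    for p in parts:
        if p.lba_end > disk_sectors:
            findings.append(f"partition {p.index} extends past the end of the disk")
    if parts:
        slack = disk_sectors - max(p.lba_end for p in parts)
        if slack > slack_threshold:
            findings.append(f"{slack} unpartitioned sectors after the last partition")
    return findings


def build_mbr(boot_code: bytes, entries: list[tuple[int, int, int, int]]) -> bytes:
    """Assemble a 512-byte MBR from bootstrap code and (status, type, lba, count)
    tuples. Used only to construct sample input; on a real system read the first
    512 bytes of the physical disk instead."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        struct.pack(ENTRY_FMT, *entries[i]) if i < len(entries) else b"\x00" * 16
        for i in range(4))
    return code + table + SIGNATURE


# Constructed sample data (not real disk images): a 20 GiB disk with a
# Windows-style 100 MiB system partition followed by the OS partition.
DISK_SECTORS = 41_943_040
CLEAN_MBR = build_mbr(
    b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"clean bootstrap code",
    [(0x80, 0x07, 2048, 204_800), (0x00, 0x07, 206_848, 41_736_192)])
BASELINE_HASH = boot_code_hash(CLEAN_MBR)

# Same disk after a hypothetical bootkit replaced the bootstrap code and
# shrank the last partition by 10 MiB to make room for its own data.
INFECTED_MBR = build_mbr(
    b"\xeb\x58\x90" + b"replaced bootstrap code",
    [(0x80, 0x07, 2048, 204_800), (0x00, 0x07, 206_848, 41_715_712)])


if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, audit_mbr(mbr, DISK_SECTORS, BASELINE_HASH) or ["no findings"])
```

The baseline hash has to come from a boot you trust, and the sector should be imaged from outside the suspect operating system (boot media or a second machine): rootkits of this class commonly filter disk reads from inside the running OS and hand back the original, clean MBR, so a check run from within an infected Windows can be fed exactly what it expects to see.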

The biggest proportion of victims, 28%, are in the US but significant numbers are in India (7%) and the UK (5%). Smaller numbers, 3%, are found in France, Germany and Canada.

However, wrote the researchers, it is the way the botnet operates that makes it so hard to tackle and shut down.

The makers of TDL-4 have cooked up their own encryption system to protect communication between the infected machines and those controlling the botnet. This makes it hard to do any significant analysis of traffic between hijacked PCs and the botnet's controllers.

In addition, TDL-4 can send instructions to infected machines over a public peer-to-peer network as well as through its own command servers. This complicates takedowns because the bots no longer depend on a fixed set of command servers that could be seized or blocked.

"For all intents and purposes, [TDL-4] is very tough to remove," Joe Stewart, director of malware research at Dell SecureWorks, told Computerworld. "It's definitely one of the most sophisticated botnets out there."

However, the sophistication of TDL-4 might aid in its downfall, said the Kaspersky researchers, who found bugs in the complex code. These let them pry into the databases logging how many infections TDL-4 had racked up, which was aiding their investigation into its creators.

Source: BBC

Taking Down Botnets: Microsoft and the Rustock Botnet

Friday, March 18th, 2011

Just over a year ago, we announced that the Microsoft Digital Crimes Unit (DCU), in cooperation with industry and academic experts, had successfully taken down the botnet Waledac in an operation known as “Operation b49”. Today, I’m happy to announce that based on the knowledge gained in that effort, we have successfully taken down a larger, more notorious and complex botnet known as Rustock. This botnet is estimated to have approximately a million infected computers operating under its control and has been known to be capable of sending billions of spam mails every day, including fake Microsoft lottery scams and offers for fake – and potentially dangerous – prescription drugs.

This operation, known as Operation b107, is the second high-profile takedown in Microsoft’s joint effort between DCU, Microsoft Malware Protection Center and Trustworthy Computing – known as Project MARS (Microsoft Active Response for Security) – to disrupt botnets and begin to undo the damage the botnets have caused by helping victims regain control of their infected computers. Like the Waledac takedown, this action relied on legal and technical measures to sever the connection between the command and control structure of the botnet and the malware-infected computers operating under its control to stop the ongoing harm caused by the Rustock botnet. As you may have read, the Rustock botnet was officially taken offline yesterday, after a months-long investigation by DCU and our partners, successful pleading before the U.S. District Court for the Western District of Washington and a coordinated seizure of command and control servers in multiple hosting locations escorted by the U.S. Marshals Service.

As with the legal and technical measures that enabled us to take down the Waledac botnet, Microsoft filed suit against the anonymous operators of the Rustock botnet, based in part on the abuse of Microsoft trademarks in the bot's spam. However, Rustock's infrastructure was much more complicated than Waledac's, relying on hard-coded Internet Protocol addresses rather than domain names and peer-to-peer command and control servers to control the botnet. To be confident that the bot could not be quickly shifted to new infrastructure, we sought and obtained a court order allowing us to work with the U.S. Marshals Service to physically capture evidence onsite and, in some cases, take the affected servers from hosting providers for analysis. Specifically, servers were seized from five hosting providers operating in seven cities in the U.S., including Kansas City, Scranton, Denver, Dallas, Chicago, Seattle and Columbus, and, with help from the upstream providers, we successfully severed the IP addresses that controlled the botnet, cutting off communication and disabling it. This case and this operation are ongoing and our investigators are now inspecting the evidence gathered from the seizures to learn what we can about the botnet's operations.

Bots are versatile, limited only by the imagination of the bot-herder. That's why Microsoft and our partners are working so aggressively on innovative approaches to quickly take out the entire infrastructure of a botnet, so that it stays inactive as we assist in cleaning the malware off of infected computers. This is how we approached the Waledac takedown and are currently approaching the Rustock takedown. We will continue to invest in similar operations in the future as part of our mission to annihilate botnets and make the Internet a safer place for everyone.

However, no single company or group can accomplish this lofty goal alone. It requires collaboration between industry, academic researchers, law enforcement agencies and governments worldwide. In this case, Microsoft worked with Pfizer, the network security provider FireEye and security experts at the University of Washington. All three provided declarations to the court on the dangers posed by the Rustock botnet and its impact on the Internet community. Microsoft also worked with the Dutch High Tech Crime Unit within the Netherlands Police Agency to help dismantle part of the command structure for the botnet operating outside of the United States. Additionally, Microsoft worked with CN-CERT in blocking the registration of domains in China that Rustock could have used for future command and control servers.

We are also now working with Internet service providers and Computer Emergency Response Teams (CERTs) around the world to reach out to affected computer owners and help them clean the Rustock malware off their computers. Without multi-party public and private collaboration efforts like these, successful takedowns would not be possible. The central lesson we've learned from all our efforts to fight botnets has been that cooperation is the key to success.

Botnets are known to be the tool of choice for cybercriminals to conduct a variety of online attacks, using the power of thousands of malware-infected computers around the world to send spam, conduct denial-of-service attacks on websites, spread malware, facilitate click fraud in online advertising and much more. This particular botnet is no exception.

Although its behavior has fluctuated over time, Rustock has been reported to be among the world’s largest spambots, at times capable of sending 30 billion spam e-mails per day. DCU researchers watched a single Rustock-infected computer send 7,500 spam emails in just 45 minutes – a rate of 240,000 spam mails per day. Moreover, much of the spam observed coming from Rustock posed a danger to public health, advertising counterfeit or unapproved knock-off versions of pharmaceuticals.

As mentioned previously, because Rustock propagated a market for these fake drugs, drug-maker Pfizer served as a declarant in this case. Pfizer’s declaration provides evidence that the kind of drugs advertised through this kind of spam can often contain wrong active ingredients, incorrect dosages or worse, due to the unsafe conditions fake pharmaceuticals are often produced in. Fake drugs are often contaminated with substances including pesticides, lead-based highway paint and floor wax, just to name a few examples.

Spam is annoying and it can advertise potentially dangerous or illegal products. It is also significant as a symptom of greater threats to Internet health. Although Rustock’s primary use appears to have been to send spam, it’s important to note that a large botnet can be used for almost any cybercrime a bot-herder can dream up. Botnets are powerful and, with a simple command, can be switched from a spambot to a password thief or DDOS attacker.

Again, DCU's research shows there may be close to 1 million computers infected with Rustock malware, all under the control of the person or people operating the network like a remote army, usually without the computer's owner even being aware that his computer has been hijacked. Bot-herders infect computers with malware in a number of ways, such as when a computer owner visits a website booby-trapped with malware and clicks on a malicious advertisement or opens an infected e-mail attachment. Bot-herders do this so discreetly that owners often never suspect their PC is living a double life.

It’s like a gang setting up a drug den in someone’s home while they’re on vacation and coming back to do so every time the owner leaves the house, without the owner ever knowing anything is happening. Home owners can better protect themselves with good locks on their doors and security systems for their homes. Similarly, computer owners can be better protected from malware if they run up-to-date software – including up-to-date antivirus and antimalware software – on their computers.

Finally, we encourage every computer owner to make sure their machine isn't doing a criminal's dirty work. If you believe your computer may be infected by Rustock or another type of malware, we encourage you to visit for free information and resources to clean your computer.

With your help, and the continued public and private cooperation of industry, academia and law enforcement such as Operation b107, we can stop criminals from using botnets to wreak havoc on the Internet.

To follow the Microsoft Digital Crimes Unit for news and information on proactive work to combat botnets and other digital threats, visit or