Home Tags Posts tagged with "botnet"
botnet
According to experts, millions of servers use software vulnerable to Shellshock bug, which lets attackers run commands on that system.
Up to now, a series of attacks on websites and servers using the serious Shellshock bug has been spotted
So far, thousands of servers have been compromised via Shellshock and some have been used to bombard web firms with data, said experts.
The number of attacks and compromises was likely to grow as the code used to exploit the bug was shared.
The Shellshock bug was discovered in a tool known as Bash that is widely used by the Unix operating system and many of its variants, including Linux open source software and Apple’s OSX.
Apple said it was working on a fix for its operating system and added that most users would not be at risk from Shellshock.
Millions of servers use software vulnerable to Shellshock bug, which lets attackers run commands on that system
Attackers have been spotted creating networks of compromised machines, known as botnets, that were then put to other uses.
One group used their Shellshock botnet to bombard machines run by Akamai with huge amounts of junk data to try to knock them offline. Another group used its botnet to scan for more machines that are vulnerable.
Evidence of the scanning and attacks came from honeypots run by security companies. These are computers that have been set up to look vulnerable but which catch information about attackers.
The US and Canada are believed to have issued alerts and told technology staff to patch systems as quickly as possible. Amazon, Google, Akamai and many other tech firms have also issued advisories to customers about the bug.
As well as software patches for vulnerable systems, security firms and researchers are also producing signatures and filter lists to help spot attacks based around it.
[youtube MkEBexRxE_g 650]
The FBI and Microsoft have broken up Citadel botnet, a huge network of hijacked home computers responsible for stealing more than $500 million from bank accounts.
The Citadel network had remotely installed a keylogging program on about five million machines to steal data.
About 1,000 of the 1,400 or so networks that made up the Citadel botnet are believed to have been shut down.
Co-ordinated action in 80 countries by police forces, tech firms and banking bodies helped to disrupt the network.
“The bad guys will feel the punch in the gut,” Richard Boscovich, a spokesman for Microsoft’s digital crimes unit said.
The cybercriminals behind Citadel cashed in by using login and password details for online bank accounts stolen from compromised computers.
This method was used to steal cash from a huge number of banks including American Express, Bank of America, PayPal, HSBC, Royal Bank of Canada and Wells Fargo.
Citadel emerged after core computer code for a widely used cybercrime kit, called Zeus, was released online.
FBI and Microsoft have broken up Citadel botnet
Underground coders banded together to turn that code into a separate cybercrime toolkit that quickly proved popular with many malicious hackers.
In a blogpost detailing its action, Microsoft said Citadel had also grown because malicious code that could take over a PC had been bundled in with pirated versions of Windows.
The millions of PCs in the criminal network were spread around the globe, but were most heavily concentrated in North America, Western Europe, Hong Kong, India and Australia.
Despite the widespread action, which involved seizures of servers that co-ordinated the running of Citadel, the identity of the botnet’s main controller is unknown.
However, Microsoft has started a “John Doe” lawsuit against the anonymous controller, believing him to use the nickname Aquabox and be based in Eastern Europe.
In addition, the FBI is working with Europol and police forces in many other countries to track down and identify the 81 “lieutenants” that helped Aquabox keep Citadel running.
Microsoft has also started action to help people clean up an infected computer.
Typically, it said, machines compromised by Citadel were blocked from getting security updates to ensure those computers stayed part of the botnet.
With the network disrupted, machines should be free to get updates and purge the Citadel malware from their system.
Botnet miners, or cyber-thieves, are attempting to cash in on the rising value of the bitcoin virtual currency.
Bitcoins have almost tripled in value in a month. In late February one bitcoin was worth $33 but now each one sells for about $90.
Thieves who run networks of hijacked PCs are increasingly using these machines to create or “mine” the coins.
However, bitcoin miners say thieves will struggle to keep up, as coin-generating technology becomes more sophisticated.
Botnet miners, or cyber-thieves, are attempting to cash in on the rising value of the bitcoin virtual currency
As a virtual currency, bitcoins depend on a wide network of closely connected computers to log who holds the coins and where they are spent.
That network also shares information about who is “mining” the coins.
Mining involves solving a hard mathematical problem and miners typically use large numbers of computers to speed up the number crunching involved.
“Botnet mining is fundamentally theft of private property, illegal and unethical,” said Jeff Garzik, a bitcoin developer, adding that bitcoin miners had battled botnets for years, seeing them as a “cost and a burden” they just had to deal with.
Many cyber-thieves who control botnets, large networks of home PCs compromised with a virus, were using them as a dedicated mining pool in a bid to generate bitcoins for themselves, said Derek Manky, senior security strategist at Fortinet.
The operators of one of the biggest current botnets, known as ZeroAccess, had recently ramped up their efforts to use machines they control to mine bitcoins, he said, adding that millions of infected PCs were unwittingly enrolled in the criminal network.
“ZeroAccess has employed an affiliate model,” he said.
“They pay other people to install malware for them.”
The operators of ZeroAccess were making so much money that they were paying high prices for each infection. Current rates ran at about $100 for every 1,000 infections, said Derek Manky.
As well as mining bitcoins, PCs enrolled in ZeroAccess were also being used to poison search results – to cause users to unwittingly click on booby-trapped web pages – or fraudulently click on adverts to generate revenue.
“ZeroAccess has been extremely profitable,” said Derek Manky.
The wider bitcoin community was aware of the efforts botnet owners were making to produce their own cash, said Derek Manky.
“They try to detect and remove these transactions but it’s a bit of a cat and mouse game,” he said.
“The operators of ZeroAccess know about that and just change their tactics.”
However, said Jeff Garzik, criminal participation in bitcoin mining was likely to get much less profitable as professional miners turned away from using desktop PCs to generate the coins.
Increasingly, he said, professional miners were using custom-made chips, called Asics (Application-Specific Integrated Circuits), to mine because such processors worked faster.
“It is theorized that the current shift in bitcoin mining to <<Asic>> miners – the fastest and most advanced generation – will simply make it unprofitable for botnet miners,” said Jeff Garzik.
Vitalik Buterin, technical editor at Bitcoin Magazine, said the rise of Asic mining meant cyber-thieves would soon be pushed out.
Currently only about one-third of all professional miners were using Asics, but as that proportion grew, the number of bitcoins that could be generated with a botnet would shrink, said Vitalik Buterin.
“The fact that botnets are (somewhat) viable now is basically an aberration resulting from the massive price increase that has not yet been matched by increased mining activity,” he said.
“Once Bitcoin stabilizes again the botnets will rapidly crawl back into the shadows.”
[youtube 7fvSYT7vhQY]
Grum, a botnet which experts believe sent out 18% of the world’s spam email, has been shut down, a security firm said.
Grum’s control servers were mainly based in Panama, Russia and Ukraine.
Security company FireEye and spam-tracking service SpamHaus worked with local internet service providers (ISPs) to shut down the illegal network.
A botnet is a network of computers that has been hijacked by cybercriminals, usually by using malware.
“Grum’s takedown resulted from the efforts of many individuals,” wrote Atif Mushtaq, a security researcher with FireEye.
“This collaboration is sending a strong message to all the spammers: Stop sending us spam. We don’t need your cheap Viagra or fake Rolex.”
Atif Mushtaq wrote that on Monday he learned that a Dutch server involved in Grum had been shut down. He said it “at least made a dent” in the botnet.
Grum botnet is believed to send out 18 percent of the world's spam email
On Tuesday, the command and control servers (CnCs) in Panama had been shut down.
“This good news was soon followed by some bad news,” he explained.
“After seeing that the Panamanian server had been shut down, the bot herders moved quickly and started pointing the rest of the CnCs to new secondary servers in Ukraine.
“So at one point, I was thinking that all we needed was to take down one Russian server, but right in front of my eyes, the bot herders started pointing their botnet to new destinations.”
He noted that in the past Ukraine has been something of a “safe haven” for bot herders.
“Shutting down any servers there has never been easy.”
Disabling Grum is just one of many high-profile efforts to neutralise botnets worldwide.
Russian Georgiy Avanesov was in May sentenced to four years in jail for being behind the Bredolab botnet which was believed to have been generating more than £80,000 a month in revenue.
Microsoft has been working to disrupt Zeus, another huge network responsible for, researchers said, millions of pounds in theft.
FireEye collaborated with other experts in the worldwide security industry to apply pressure to local ISPs to suspend the illegal operation.
Atif Mushtaq said more than 20,000 computers were still part of the botnet, but that without the active CnCs they would soon be rendered ineffective.
Grum’s closure was an encouraging development in clamping down on botnets across the world, he said.
“When the appropriate channels are used, even ISPs within Russia and Ukraine can be pressured to end their cooperation with bot herders.
“There are no longer any safe havens. Most of the spam botnets that used to keep their CnCs in the USA and Europe have moved to countries like Panama, Russia, and Ukraine thinking that no one can touch them in these comfort zones.
“We have proven them wrong this time. Keep on dreaming of a junk-free inbox.”
A Microsoft researcher says Smartphones running Google’s Android software have been hijacked by an illegal botnet.
Botnets are large illegal networks of infected machines – usually desktop or laptop computers – typically used to send out masses of spam email.
Researcher Terry Zink said there was evidence of spam being sent from Yahoo mail servers by Android devices.
Microsoft’s own platform, Windows Phone, is a key competitor to Android.
The Google platform has suffered from several high-profile issues with malware affected apps in recent months.
The official store – Google Play – has had issues with fake apps, often pirated free versions of popular paid products like Angry Birds or Fruit Ninja.
Smartphones running Google's Android software have been hijacked by an illegal botnet
This latest discovery has been seen as a change of direction for attackers.
“We’ve all heard the rumors,” Terry Zink wrote in a blog post.
“But this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices.
“These devices login to the user’s Yahoo Mail account and send spam.”
He said analysis of the IP addresses used to send the email revealed the spam had originated from Android devices being used in Chile, Indonesia, Lebanon, Oman, Philippines, Russia, Saudi Arabia, Thailand, Ukraine, and Venezuela.
As is typical, the spam email looks to tempt people into buying products like prescription drugs.
Security expert Graham Cluley, from anti-virus firm Sophos, said it was highly likely the attacks originated from Android devices, given all available information, but this could not be proven.
This was the first time smartphones had been exploited in this way, he said.
“We’ve seen it done experimentally to prove that it’s possible by researchers, but not done by the bad guys,” he said.
“We are seeing a lot of activity from cybercriminals on the Android platform.
“The best thing you can do right now is upgrade your operating system, if that’s possible.
“And before you install apps onto your device, look at the reviews, because there are many bogus apps out there.”
Google said it did not respond to queries about specific apps but was working to improve security on the Android platform.
“We are committed to providing a secure experience for consumers in Google Play, and in fact our data shows between the first and second halves of 2011, we saw a 40% decrease in the number of potentially malicious downloads from Google Play,” a spokesman said.
“Last year we also introduced a new service into Google Play that provides automated scanning for potentially malicious software without disrupting the user experience or requiring developers to go through an application approval process.”
Dr. Web, a Russian anti-virus firm, has reported that more than half a million Apple computers have been infected with the Flashback Trojan.
The report claims that about 600,000 Macs have installed the malware – potentially allowing them to be hijacked and used as a “botnet”.
Dr. Web says that more than half that number are based in the US.
Apple has released a security update, but users who have not installed the patch remain exposed.
Flashback Trojan was first detected last September when anti-virus researchers flagged up software masquerading itself as a Flash Player update. Once downloaded it deactivated some of the computer’s security software.
Later versions of the malware exploited weaknesses in the Java programming language to allow the code to be installed from bogus sites without the user’s permission.
Dr. Web has reported that more than half a million Apple computers have been infected with the Flashback Trojan
Dr. Web said that once the Trojan was installed it sent a message to the intruder’s control server with a unique ID to identify the infected machine.
“By introducing the code criminals are potentially able to control the machine,” said the firm’s chief executive Boris Sharov.
“We stress the word potential as we have never seen any malicious activity since we hijacked the botnet to take it out of criminals’ hands. However, we know people create viruses to get money.
“The largest amounts of bots – based on the IP addresses we identified – are in the US, Canada, UK and Australia, so it appears to have targeted English-speaking people.”
Dr. Web also notes that 274 of the infected computers it detected appeared to be located in Cupertino, California – home to Apple’s headquarters.
Java’s developer, Oracle, issued a fix to the vulnerability on 14 February, but this did not work on Macintoshes as Apple manages Java updates to its computers.
Apple released its own “security update” on Wednesday – more than eight weeks later. It can be triggered by clicking on the software update icon in the computer’s system preferences panel.
The security firm F-Secure has also posted detailed instructions about how to confirm if a machine is infected and how to remove the Trojan.
Although Apple’s system software limits the actions its computers can take without requesting their users’ permission, some security analysts suggest this latest incident highlights the fact that the machines are not invulnerable.
“People used to say that Apple computers, unlike Windows PCs, can’t ever be infected – but it’s a myth,” said Timur Tsoriev, an analyst at Kaspersky Lab.
Apple could not provide a statement at this time.
