FYI...

- http://preview.tinyurl.com/34jw2j
March 16, 2008 (USAtoday) - "...The botnet problem shows no sign of easing. Security firm Damballa pinpointed 7.3 million unique instances of bots carrying out nefarious activities on an average day in January -- an astronomical leap from a daily average of 333,000 in August 2006. That included botnet-delivered spam, which accounted for 91 percent of all e-mails in early March, up from 64% last June, says e-mail management firm Cloudmark... smaller, multipurpose botnets spring from widely available tool kits that make it easy for anyone to infect computers, assemble a basic botnet and embark on a criminal career. Dozens of crime rings, for instance, have cropped up to run phishing Relevant Products/Services scams that lure victims into clicking on fake Web pages where they get tricked into divulging passwords and other sensitive data. Botnets distribute phishing spam, host phishing Web pages and store phished data. Since 2005, phishers have used botnets to take aim at more than 1,750 companies and government agencies, mainly financial institutions, including 106 fresh targets in the fourth quarter of 2007, according to a survey by security data firm Cyveillance. Phishing expeditions are just one of many uses of botnets. Some botnets crawl the Internet looking for Web pages that can be corrupted with pop-up ads selling fake anti-spyware; some implant programs on popular Web pages to harvest any sensitive personal data typed there by visitors; some repeatedly click on online advertisements to earn fraudulent "click through" revenue... Numerous indicators portend botnets are destined to increasingly corrupt consumer online transactions and range deeper into corporate and government networks..."

Botnet activity from around the world over a 7-day period
- http://damballa.com/resources/video/botArmyOverview/active_bots.html
(Flash video)

FYI...

- http://preview.tinyurl.com/338nxq
March 27, 2008 (TrendLabs blog) - "...Interesting malware attack that seems to be (at first blush) related to the previous Banamex phishing e-mails reported last January and earlier this month. Similar to the past attacks, this malware aims to steal money by targeting customers of Banamex, the largest e-Bank in Mexico. However, instead of using DNS poisoning method as the past attacks did, this malware uses a script to change the user’s DNS settings, and also installs a botnet client that is hosted at an IRC server in a U.S. hosting provider. Based on Tello’s analysis, the infection chain is usually initiated by a fake greeting e-card that a user receives via email. This e-card contains a link, which when clicked downloads the malicious file Gusanito.exe... Trend Micro detects this file as BKDR_VBBOT.AE. The difference between this new attack and the previous attacks is that, this time around, the malicious downloaded executable does not poison the user’s HOSTS file or the local router’s DNS table. Instead, it changes the DNS from the affected user’s computer... As of this writing, there are over ~650 bots already connected to the this botnet C&C (Command & Control Server) and are most probably sending out tons of fake greeting e-cards at this very moment... The malicious link has already been submitted to Trend Micro Content Security team for processing and blocking. The appropriate law enforcement and content providers have also been alerted to this, as well."

...and today, of course, we have this going on here:
- /t218276-March_26_Genesis_of_an_attack_on_CastleCops.html

FYI...

- http://asert.arbornetworks.com/2008/03/drive-by-downloads-links-and-insights/
March 27, 2008 - "...I don’t get to spend much time digging into big, widespread attacks or specialized exploits. However, here’s a few links from my reading this morning that help keep me informed since I can’t spend all of my time digging too deeply into every event.
- ...botconomics... basically how the botnet world has been fueling a large-scale underground economy. Have a look:
http://www.vnunet.com/vnunet/news/2212403/spyware-authors-offer-dollars ...
"...Code is typically first added to a web page which may be a phishing site, a hacked site, a site hosted on a web server or even a botnet-hosted web page. Instructions are then issued to the offending botnet computers to visit the page, then download and execute the code. Once the spyware is installed, it registers with the 'seller' and the 'affiliate' is then paid. MessageLabs explained that a simple line of code can be added to an HTML page that will in turn cause a drive-by install of spyware to the computers of any visitors to that site..."

Botnets 2008 - new - "Kraken"

Kraken technical details
- http://isc.sans.org/diary.html?storyid=4256
Last Updated: 2008-04-07 20:22:36 UTC - "...<Begin Commentary> If you are going to be in the malware / security research business, it is nice to let the security community know when you find what you believe to be new malware. </End Commentary>..."
(More detail at the ISC URL above.)

- http://www.theregister.co.uk/2008/04/07/kraken_botnet_menace/
7 April 2008 - "... It comprises over 400,000 infected machines, more than twice the size of Storm, which was previously believed to be the largest zombie network. Machines from at least 50 Fortune 500 companies have been observed to be running the malicious software that's at the heart of "Kraken," the botnet that security firm Damballa has been tracking for the last few weeks. So far, only about 20 percent of the anti-virus products out there are detecting the malware..."

Update:

- http://isc.sans.org/diary.html?storyid=4256
Last Updated: 2008-04-07 - "... The md5 that Damballa is saying is associated with this malware is MD5: 1d51463150db06bc098fef335bc64971. I'm working with a copy from Project Malfease and will have an analysis later. A Virus Total scan of this binary came back as 5/32 (with the 5 that did detect doing so in non-descript ways like "suspicious file")."

Update #2

- http://isc.sans.org/diary.html?storyid=4256
UPDATE 2 (4/8/2008 - 13:29 UTC): First things first, Emerging Threats has some test signatures to detect this botnet C&C traffic. You can see them here*. There are some Threat Expert reports on related malware that should give you a good list of hostnames to work with for right now..."
* http://doc.emergingthreats.net/bin/view/Main/OdeRoor

(More links to detailed analysis available at the ISC URL above - bottom of page there.)

More on "Kraken":

- http://preview.tinyurl.com/6ff7lx
April 8, 2008 (Brian Krebs) - "...In the early days of bot infections, botmasters would have all of their infected PCs report to a particular Internet server to receive updates and instructions on what to spam or whom to attack. But those stationary control servers represent a single point of failure for botmasters: If security professionals can get them taken offline, the botmaster can lose control over his herd of infected machines, as the individual bots no longer know where to go to receive instructions and become stranded indefinitely, sort of like sheep without a shepherd. As a result, many botmasters have switched to using dynamic DNS because these services eliminate this single point of failure. Using dynamic DNS, the botmaster simply tells his bots to report to a particular domain name he controls, such as example.com, and the dynamic DNS provider takes care of making sure all infected machines know how to find the control server... Kraken also uses dynamic DNS services, but adds a twist: The authors include in the genetic makeup of the bot hidden instructions for finding brand new Web site names on the fly. Should security professionals or the dynamic DNS provider succeed in shutting down the domain name used to control the botnet, Kraken randomly creates another one, using an encryption routine built into the bot code... the advice is the same: Use anti-virus, but don't depend on it to save you from risky behaviors online. Use a firewall, keep your computer and third-party software up-to-date with the latest security patches. Don't click on links sent to you unexpectedly in e-mail or instant message... configure your computer so that you run it under a limited user account for everyday use..."

More "Kraken"...

- http://asert.arbornetworks.com/2008/04/busy-day-kraken-new-storm-run-and-msft-bulletins/
April 8, 2008 - " Kraken, the spam botnet on everyone’s minds, has soaked up a good bit of out Monday evening and today. We’re going with the popular name and dubbing it Trojan.Kraken. In short, what we know and what we don’t know:
* It’s unclear if this is a variant of Bobax or Srizbi, or something new.
* A lot of the C&Cs are dead
* We analyzed samples going back through last year
* It’s a spam botnet, doesn’t appear to harm the host otherwise
* We don’t know how big it is
We’ve spent a lot of time in ASERT in the past day dissecting samples, gathering data from the community, and looking at our own analysis. Here’s some brief notes:
* It drops a file in %SYSTEM32% with a random name (lowercase characters, 2-20 characters). It sets the following registry keys to ensure it runs:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"" =C:\WINDOWS\system32\[%random_name%].exe
"" =C:\WINDOWS\system32\[%random_name%].exe

Where the random name is between 2 and 20 characters long.
* It picks a random string of lowercase characters for a service title
* It communicates with over 150 command nodes (if they all were to resolve) for instructions and templates using UDP port 447; we’re not sure if the replies are source-spoofed or not...

AV detection for the samples varies, but the naming isn’t consistent. This doesn’t appear to be the bot that ate the Internet, however, but it does go to show you that spambots are becoming a serious problem..."

FYI...

- http://www.staysafeonline.info/news/botnetrelease0408.html
April 9, 2008 - "...The National Cyber Security Alliance (NCSA) announced study findings that 71 percent of consumers lack the knowledge on cyber criminals’ weapon of choice and the Internet’s fastest growing threat – botnets... Compelling findings from the study* include:
* 71 percent have never heard the phrase “botnet” – the weapon of choice for cyber criminals
* 59 percent think it is not likely their computer could affect homeland security
* 47 percent believe it is -not- possible for a hacker to use your computer to launch cyber attacks or crimes against other people, businesses and our nation
* 51 percent have not changed their password in the past year
* 48 percent do not know how to protect themselves from cyber criminals
* 46 percent of consumers are not sure of what to do if they became a victim of a cyber crime...
2,249 online consumers between the ages of 18 and 65 were surveyed using the online panel managed by Harris Interactive..."

FYI...

- http://preview.tinyurl.com/5qk4lk
April 9, 2008 SANS-NewsBites - "Research presented at the RSA conference estimates that the largest eleven botnets cumulatively control more than one million machines and are capable of sending out 100 billion spam emails each day. The largest botnet is believed to be one known as Srizbi, controlling an estimated 315,000 machines; Bobax claims an estimated 185,000 machines, and Storm comprises about 85,000 compromised machines. The research also aims to clarify which botnets are which, as some recent reports have said that Kraken is the largest botnet, comprising more than 400,000 machines, but Kraken is believed to be another name for Bobax."

FYI...

Bot counts
- http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.BotCounts
20 April 2008 - "... Because there is not any consensus on what that lifespan might be, we have created an entropy value for all of our counts. We actually implemented it in the middle of 2007 to deal with the rampant increase of our bot/infected system counts. We realized that we may have artificially inflated the numbers that we were presenting. We suspect a lot of the values that are seen in the press or the many security reports are inflated for the same reasons.

We have three entropy values that we present for each of our graphs. The first is the one that we have been using since we started aging the data, which is a 30-day entropy. This assumes that if no activity on a specific IP was seen within 30-days, that IP should be considered dead for the purposes of counting infected systems. To further this analysis, we have also added in a 10-day and 5-day entropy charts to reflect even smaller expected lifespans of an infected system. We do not know what the correct value may be, but we suspect it is somewhere between the 10-day and 30-day charts."

(Charts available at the URL above.)

FYI...

China's botnet problems grows
- http://www.securityfocus.com/brief/726
2008-04-21 - "Computers infected by Trojan horse programs and bot software are the greatest threat to China's portion of the Internet, with compromises growing more than 20-fold in the past year, the nation's Computer Emergency Response Team (CN-CERT) stated in its 2007 annual report released last week. The response organization found that the number of Chinese Internet addresses with one or more infected systems increased by a factor of 22 in 2007. The report... estimates that, of 6.23 million bot-infected computers on the Internet, about 3.62 million are in China's address space. Trojan horse programs are responsible for a range of issues, from privacy breaches to economic losses, CN-CERT said in the report... A nod to Dancho Danchev's blog*, which first noted the release of the report..."
* http://ddanchev.blogspot.com/2008/04/chinas-cert-annual-security-report-2007.html

Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

- http://www.secureworks.com/research/threats/danmecasprox/
May 13, 2008 - Author: Joe Stewart - "Danmec is a password-stealing trojan which has been around for a couple of years, but in the last year new components have been introduced by the author, turning it into a more complete crimeware family. One of these components (developed last year) is the Asprox trojan, which is designed to create a spam botnet which appears to be solely dedicated to sending phishing emails. As of yesterday, we observed the Asprox botnet pushing an update to the infected systems, a binary with the filename msscntr32 .exe. The executable is installed as a system service with the name "Microsoft Security Center Extension", but in reality it is an SQL-injection attack tool. When launched, the attack tool will search Google for .asp pages which contain various terms, and will then launch SQL injection attacks against the websites returned by the search. The attack is designed to inject an iframe into the website source which will force visitors to download a javascript file from the domain direct84 .com. This file in turn redirects to another site, where additional malicious javascript can be found. Currently the secondary site appears to be down, however it is likely that when successful, the site attempts to exploit the visitor's web browser in order to install additional copies of either Danmec, Asprox and/or the SQL attack tool... the SQL attack tool does not spread on its own, it relies on the Asprox botnet in order to propagate to new hosts. Additionally, a similar attack technique is currently being seen spreading game-password-stealing trojans from China. Whether the tool is related or just the attack syntax is shared, it is clear that SQL injection attack activity is on the rise from multiple sources..."

FYI...

Romanian Whack-A-Mole and Linux Bots
- http://www.f-secure.com/weblog/archives/00001443.html
May 27, 2008 - " It doesn't always have to be the latest and greatest zero-day exploit that causes you to lose control of your computer or server to external attackers. Today's example comes in the relatively ancient form of brute force SSH.
We recently received a sample containing several different files:
- A psyBNC installation; legitimate software used by many for normal purposes, but it's also a common tool in an attacker's toolkit.
- And a collection of scripts, binaries, and password files that were used to scan for machines that have their SSH port open.
The binaries that were used maliciously in this case were connecting to a large public IRC network. We see quite many such as these, all headed for the same network even though it does have a working abuse address and the network's administrators actually do something to the botnet channels that get reported. In our experience, the botnets are most often run by various small gangs coming largely from eastern Europe; notably from Romania.
Once one of the botnet channels has been suppressed, it takes only a few hours for a new one to pop up in the same IRC network but under a different channel name.... The botnet in this case was made up of about forty infected Linux machines, and judging by their DNS Resource Records, most of them are either webservers or mail servers, which usually have a bit fatter Internet connection than you average Joe Consumer. The moral? Even unsophisticated attackers don't need the latest and greatest techniques if the target's passwords are weak."

FYI...

- http://atlas.arbor.net/summary/fastflux
"Fastflux hosting is a technique where the nodes in a botnet are used as the endpoints in a website hosting scheme. The DNS records change frequently, often every few minutes, to point to new bots. The actual nodes themselves simply proxy the request back to the central hosting location... Many different kinds of botnets use fastflux DNS techniques, for malware hosting, for illegal content hosting, for phishing site hosting, and other such activities. These hosts are likely to be infected with some form of malware. Many times a single botnet will host several different fastflux domains at once. We try to find these distinct bot networks by looking for domains whose IPs match those of other domains... Currently monitoring 551 fastflux domains..." [2008.07.02]

More SQL Injection with Fast Flux hosting
- http://isc.sans.org/diary.html?storyid=4645
Last Updated: 2008-07-01 04:46:52 UTC

Fast Flux and New Domains for Storm
- http://asert.arbornetworks.com/2008/06/fast-flux-and-new-domains-for-storm/
June 28, 2008 ...updated 1 July 2008