One of the largest Android botnets, 'MisoSMS', steals text messages

Security researchers from FireEye have uncovered one of the largest Android botnets seen so far, which they have dubbed "MisoSMS". The botnet is said to have been used in at least 64 spyware campaigns.

According to the report, the malware is disguised as an "Android settings" application used for administrative tasks.

The threat is designed to steal text messages from victims and email them to a command-and-control (C&C) server located in China.

Most of the infected devices are in Korea. The cybercriminals behind the botnet logged into the server from Korea, China and a few other locations in order to read the stolen messages.

FireEye said it is collaborating with Korean law enforcement and the Chinese webmail vendor in an effort to disrupt the botnet.

'Advanced Power' botnet attacks websites using victims' machines

Security researcher Brian Krebs has reported a new botnet that tests websites for vulnerabilities using the infected machines themselves.

The malware, which disguises itself as a legitimate Firefox add-on called "Microsoft .NET Framework Assistant", apparently uses the infected machines to look for SQL injection vulnerabilities in any website the victim visits.

Once the malware has built a list of vulnerable websites, the cybercriminals behind the botnet can exploit those vulnerabilities to inject malicious code into the sites, which in turn helps the attackers increase the number of infected websites and systems.

Advanced Power testing for SQL injection vulnerabilities

The malware is also capable of stealing sensitive information, but that feature does not appear to be activated on infected systems.

Alex Holden, chief information security officer at Hold Security LLC, analyzed the malware and believes its authors are from the Czech Republic, based on text strings found in the threat.

Researchers say more than 12,500 systems have been infected by this malware, and that it has helped the attackers discover at least 1,800 web pages vulnerable to SQL injection.
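Because Advanced Power drives the victim's own browser against every site the victim visits, the probing shows up in the target's web server logs as one ordinary-looking client firing a burst of SQL test strings at the same page. The following is an added example of detection logic for that pattern, written for this article; it is not code from Krebs, Hold Security or the malware, the probe patterns are generic SQLi test strings rather than Advanced Power signatures, and the log lines (combined log format, RFC 5737 test addresses) are constructed for the example.

```python
"""Spot SQL-injection probing in web server access logs.

Added example: not code from the article, from Brian Krebs or Hold Security,
and not a signature of Advanced Power itself. The probe patterns are generic
SQLi test strings; the log lines are constructed for this example (combined
log format, RFC 5737 test addresses).
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Checked in order against the decoded value of each query parameter;
# the first label that matches is reported.
PROBE_PATTERNS = [
    ("boolean-probe", re.compile(r"\b(or|and)\b\s*['\"]?\s*\d+\s*=\s*\d+", re.I)),
    ("union-select", re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\s*\(", re.I)),
    ("stacked-query", re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I)),
    ("quote-break", re.compile(r"^\d+['\"]\s*$|'\s*(or|and)\b", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*)\s*$")),
]

def classify_params(path):
    """Return [(param, decoded_value, label)] for every parameter in `path`
    that looks like an SQLi probe. parse_qsl decodes %XX once; the extra
    unquote_plus catches double-encoded payloads (%2527 -> %27 -> ')."""
    hits = []
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        decoded = unquote_plus(value)
        for label, rx in PROBE_PATTERNS:
            if rx.search(decoded):
                hits.append((name, decoded, label))
                break
    return hits

def scan_log(lines, threshold=3):
    """Group probe hits by client IP and report IPs with at least `threshold`
    hits. One hit can be a false positive (an apostrophe in a search term);
    a victim's browser walking a site parameter by parameter, as Advanced
    Power is described doing, produces a cluster of them within seconds."""
    per_ip = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, value, label in classify_params(m["path"]):
            per_ip.setdefault(m["ip"], []).append(
                (m["ts"], urlsplit(m["path"]).path, param, label, m["status"]))
    return {ip: hits for ip, hits in per_ip.items() if len(hits) >= threshold}

# Constructed sample: one browser probing product.php and search.php,
# one ordinary visitor whose search term contains an apostrophe.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Dec/2013:10:01:02 +0000] "GET /product.php?id=42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 Firefox/25.0"
203.0.113.7 - - [05/Dec/2013:10:01:03 +0000] "GET /product.php?id=42' HTTP/1.1" 500 0 "-" "Mozilla/5.0 Firefox/25.0"
203.0.113.7 - - [05/Dec/2013:10:01:04 +0000] "GET /product.php?id=42%20AND%201%3D1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 Firefox/25.0"
203.0.113.7 - - [05/Dec/2013:10:01:05 +0000] "GET /product.php?id=42%20AND%201%3D2 HTTP/1.1" 200 312 "-" "Mozilla/5.0 Firefox/25.0"
203.0.113.7 - - [05/Dec/2013:10:01:06 +0000] "GET /search.php?q=shoes%27%20UNION%20SELECT%201%2C2%2C3-- HTTP/1.1" 200 9000 "-" "Mozilla/5.0 Firefox/25.0"
203.0.113.7 - - [05/Dec/2013:10:01:07 +0000] "GET /product.php?id=42%2527%2520OR%25201%253D1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 Firefox/25.0"
198.51.100.9 - - [05/Dec/2013:10:02:00 +0000] "GET /product.php?id=17 HTTP/1.1" 200 5100 "-" "Mozilla/5.0 Firefox/25.0"
198.51.100.9 - - [05/Dec/2013:10:02:10 +0000] "GET /search.php?q=it%27s%20a%20bargain HTTP/1.1" 200 4000 "-" "Mozilla/5.0 Firefox/25.0"
"""

if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG.splitlines()).items():
        print(ip, len(hits), "probes")
        for ts, page, param, label, status in hits:
            print(f"  {ts} {page}?{param}= {label} -> HTTP {status}")
```

The second sample request is worth a second look in real logs: a lone quote that turns a 200 into a 500 is the error-based signal the scanner is waiting for, so pairing the probe label with the response status separates "someone tried" from "the page is probably injectable". The threshold is there because a single hit is weak evidence; the 198.51.100.9 visitor's apostrophe never trips a pattern, and raising the threshold above the cluster size silences the scanner too.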

Update:
In an email, a Mozilla spokesperson told EHN that "they have disabled the fraudulent 'Microsoft .NET Framework Assistant' add-on used by 'Advanced Power' as part of its attack. You should always be careful with anything you download. It's a good idea to use many layers of protection, including antivirus software to stop malware."

Chameleon botnet steals $6M per month from advertisers with fake ad clicks


Security researchers from Spider.io have discovered a new botnet, named "Chameleon", that steals millions of dollars from advertisers by generating fake ad clicks.

Spider.io says the Chameleon botnet operates from 120,000 infected host machines, 95% of which use US-based IP addresses.

The firm has observed the botnet targeting at least 202 websites, hitting them with 9 billion ad impressions.

"Each bot often masquerades as several concurrent website visitors, each visiting multiple pages across multiple websites," the report reads.

PokerAgent botnet steals more than 16k Facebook account credentials

A botnet called "PokerAgent", identified about a year ago, is designed to steal Facebook account credentials, along with payment information linked to the Facebook account and to Zynga Poker.

According to ESET's analysis, the threat was mostly active in Israel: about 800 computers were infected and over 16,000 Facebook credentials were stolen.

Once the malware infects a system, it receives commands from a remote C&C server to log into Facebook accounts and collect information, including Zynga Poker stats and the number of payment methods (i.e. credit cards) saved in the Facebook account.


The Trojan also posts phishing links on victims' walls in order to compromise more Facebook account credentials.

The cybercriminals appear to have stopped actively spreading the Trojan in mid-February 2012. The Israeli CERT and law enforcement have been notified and an investigation has been launched. Facebook has also been notified and has taken preventive measures to thwart further attacks on the hijacked accounts.

Cybercriminal sentenced to 30 months for botnet that hit 72k PCs


A hacker has been sentenced to 30 months in prison for building a botnet that infected 72,000 computers and selling access to it.

Joshua Schichtel, 30, of Phoenix, Arizona, sold access to "botnets", networks of computers infected with a malicious program that allows unauthorized users to control them.

"Individuals who wanted to infect computers with various different types of malicious software (malware) would contact Schichtel and pay him to install, or have installed, malware on the computers that comprised those botnets," the U.S. Department of Justice statement reads.


Schichtel pleaded guilty to causing software to be installed on approximately 72,000 computers on behalf of a customer who paid him US$1,500 for use of the botnet.

Dutch authorities take down C&C servers used by the Grum botnet


Dutch authorities have taken down two of the command-and-control (C&C) servers belonging to Grum, one of the world's largest spam botnets. This is not a complete victory, as two other C&C servers are still at work, but researchers are optimistic that the volume of spam will drop as a result.

Last week, FireEye published details of four C&C servers actively controlling the Grum botnet. Two of the servers were in the Netherlands, one in Russia and the other in Panama.

Dutch authorities have now taken down the two secondary C&C servers located in the Netherlands. The master C&C servers in Panama and Russia are still alive.

"These two CnC servers were responsible for pumping spam instructions to their zombies. With these two servers offline, the spam template inside Grum's memory will soon time out and the zombies will try to fetch new instructions but will not be able to find them," FireEye's Atif Mushtaq wrote.

“Ideally this should stop these bots from sending more spam. I am sure the absence of the spam sent by the world's third largest spam botnet will have a significant impact on the global volume.”

Suspected operator of the biggest banking Trojan botnet arrested by Russian authorities


Russian police have arrested a 22-year-old hacker who is allegedly responsible for compromising more than 4.5 million computers, which would make it one of the largest publicly known botnets to date.

According to Russia's Interior Ministry, the hacker used banking Trojans to steal 150 million roubles (about $4.5 million or 3.6 million EUR) from private individuals and organisations.

The young man was known as "Hermes" and "Arashi" in online communities and apparently used variants of Carberp and similar Trojans to commit the crimes. The Trojan stole users' access credentials and used them to transfer money to bogus companies; accomplices then withdrew the stolen money from cash machines. Most of the victims were Russian nationals.

This is the biggest banking Trojan botnet ever uncovered in Russia, according to reports, and one of the biggest in the world. Every day, the botnet operator would attempt to install malware on around 1 million computers, which meant that on some days around 100,000 computers joined the network.

The authorities say the arrest of "Hermes" and other members of his group was carried out with the assistance of the anti-virus company Dr. Web. Most of the accomplices lived in Moscow and St. Petersburg, while "Hermes" was arrested in southern Russia, according to reports.

THOR, new P2P botnet in development and soon available for sale

The development of a new botnet, THOR (a decentralized P2P botnet), is nearing completion, and it will soon be offered for sale at $8,000 on various underground hacking forums. THOR is coded in C/C++ and developed by TheGrimReap3r.

THOR works on Windows 2000 and later (Windows XP SP0/SP1/SP2/SP3, Vista SP0/SP1/SP2 and Windows 7 SP0/SP1) and supports both x86 and x64 systems.

"The botnet itself has no central command point, so it will be very difficult to shut down, also, very difficult to track where commands are coming from, because all the nodes pass them on. So there is no chance that it will be tracked down in the nearest future," the developer wrote on HF.

THOR uses DLL injection, IAT hooking and a ring3 rootkit, amongst other things, to hide. It has its own module system, so buyers can write their own modules against what the developer calls "our easy API system"; custom modules can also be arranged on request "for a fair price".

Peer-to-peer communication uses AES-256 encryption with a random key generated at each startup, and 8192-bit RSA will be used for instruction signing (the NSA recommends 2048-bit). The key size is overkill, but the signing itself is what matters operationally: a node that intercepts or injects instructions cannot get other bots to act on them without the private key, which is what makes a signed P2P botnet resistant to takeover by peer poisoning.

The developer has set the price at $8,000 for the package without modules; module pricing has not been set yet because the modules are not finished. The expected modules will be an advanced bot killer, DDoS, form grabber, keylogger/password stealer and mass mailer.

Kelihos/Hlux botnet makes a comeback with new techniques


Microsoft and Kaspersky Lab took down the Kelihos botnet last September using a "sinkholing" method, but Kaspersky Lab now reports that Kelihos has come back in a new guise.

The earlier version of Kelihos reportedly infected more than 41,000 computers around the world; not as large as the Rustock botnet, but still capable of sending 3.8 billion spam mails per day.

Recently, Kaspersky Lab came across new Kelihos samples that use new techniques. The new variant uses updated encryption keys and algorithms.

After investigating the samples, Kaspersky Lab came to the following conclusion: "It is impossible to neutralize a botnet by taking control over the controller machines or substituting the controller list without any additional actions. The botnet master might know the list of active router IPs, can connect to them directly and push the bot update again along with the new controllers list."

"We believe that the most effective method to disable a botnet is finding the people who are behind it. Let's hope that Microsoft will carry out its investigation to the end," Kaspersky Lab says.
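Kaspersky's conclusion above and THOR's signed-instruction design in the earlier story are two sides of the same mechanism: if bots only accept a controller list that carries the botmaster's signature, a researcher who sinkholes the current controllers or feeds peers a substitute list gains nothing, while the master can re-push a fresh signed list at any time. The following added example models that exchange; it is not code from Kaspersky, Microsoft, THOR or Kelihos. The RSA is a textbook toy with hard-coded small primes and no padding (real signing uses large keys and a proper padding scheme), and the Bot class, the update format, the sequence-number rule and the example controller names are all assumptions made for the illustration.

```python
"""Why a signed controller list defeats sinkholing without the operator's key.

Added example (not code from Kaspersky, Microsoft, or any bot). It models the
behaviour the two stories describe: THOR signs instructions with RSA, and
Kelihos bots accept a new controller list pushed by the botmaster. The RSA
here is a textbook toy with hard-coded small primes; real bots (and real
signing) use proper padding and large keys. Everything else is constructed.
"""
import hashlib
import json

# Toy RSA key built from two real Mersenne primes; far too small for real use.
P, Q = (1 << 61) - 1, (1 << 31) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: only the botmaster has it
MASTER_PUBKEY = (N, E)              # baked into every bot binary

def _digest(msg: bytes) -> int:
    # 64-bit truncation keeps the integer below N; toy only.
    return int.from_bytes(hashlib.sha256(msg).digest()[:8], "big")

def sign(msg: bytes, d: int = D) -> int:
    return pow(_digest(msg), d, N)

def verify(msg: bytes, sig: int, pubkey=MASTER_PUBKEY) -> bool:
    n, e = pubkey
    return pow(sig, e, n) == _digest(msg)

def _canonical(body: dict) -> bytes:
    # Sign a canonical encoding so the verifier rebuilds identical bytes.
    return json.dumps(body, sort_keys=True).encode()

def make_update(seq: int, controllers: list, d: int = D) -> dict:
    """An instruction carrying a new controller list, signed with `d`."""
    body = {"seq": seq, "controllers": controllers}
    return {"body": body, "sig": sign(_canonical(body), d)}

class Bot:
    """A P2P node holding a controller list and the master public key."""

    def __init__(self, controllers):
        self.controllers = list(controllers)
        self.seq = 0

    def receive_update(self, update: dict) -> str:
        """Apply a controller-list update only if the master signed it and it
        is newer than what we hold; the seq check stops replay of an old but
        genuinely signed list."""
        if not verify(_canonical(update["body"]), update["sig"]):
            return "rejected: bad signature"
        if update["body"]["seq"] <= self.seq:
            return "rejected: stale"
        self.seq = update["body"]["seq"]
        self.controllers = list(update["body"]["controllers"])
        return "applied"

def sinkhole_attempt(bot: Bot):
    """A researcher who hijacks a peer can push a list pointing at the
    sinkhole but cannot sign it (wrong exponent stands in for 'no key'),
    so the bot keeps its real controllers."""
    forged = make_update(bot.seq + 1, ["sinkhole.example"], d=1234567)
    return bot.receive_update(forged), bot.controllers

def master_repush(bot: Bot):
    """The botmaster still holds D, so one signed update restores control
    even after the old controllers have been sinkholed."""
    return bot.receive_update(make_update(bot.seq + 1, ["c2-new.example:443"])), bot.controllers

if __name__ == "__main__":
    b = Bot(["c2-old.example:443"])
    print("sinkhole:", sinkhole_attempt(b))
    print("master:  ", master_repush(b))
    print("replay:  ", b.receive_update(make_update(1, ["c2-new.example:443"])))
```

The model makes Kaspersky's point concrete: swapping the controller list or owning the controller hosts changes nothing the bots trust, because trust is anchored in the public key compiled into the bot, not in who answers at a given address. Neutralising such a botnet means either obtaining the private key, shipping a patched bot that trusts a different key, or finding the operator, which is the option Kaspersky argues for.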

Microsoft identifies a new operator of the Kelihos botnet

After four months of investigation into the Kelihos botnet, Microsoft has identified a new defendant who is allegedly responsible for its operation.

Andrey Sabelnikov, a software engineer and project manager at a company that provided firewall, antivirus and security software, and a resident of St Petersburg, Russia, has been named in an amended complaint filed with the U.S. District Court by Microsoft's Digital Crimes Unit.


According to the complaint, Sabelnikov allegedly registered ,723 "cz.cc" subdomains and misused them to control the botnet.

According to Sabelnikov's public LinkedIn profile, from 2005 to 2007 he was an employee of Agnitum, a Russian security firm well known for its firewall software.

Microsoft shut down the Kelihos botnet with its partners Kyrus Tech Inc. and Kaspersky Lab in September. At that time Kelihos had compromised about 41,000 computers worldwide and was capable of sending up to 3.8 billion spam mails per day. Although the botnet has been taken down, those computers are still infected with the malware; use Microsoft's security tools to scan your system.

“Profile me” bot spotted on Twitter by Kaspersky Lab

Dmitry Bestuzhev of Kaspersky Lab has spotted a "Profile me" bot on Twitter. The bot crawls Twitpic-hosted pictures and replies to their authors with the same text phrase.


The bot started working on Friday, Dec 23 at 9 pm (GMT -05:00), peaking on Saturday at 3 am in the same time zone with 0.19% of all Twitter traffic.

Although the bot is currently being used to gain followers and to promote porn content via the profile bio, it could be used for any other malicious purpose, such as spreading malware by adding short URLs to the tweets.

Optima DDoS 10a botnet leaked on hacker forums (r00tW0rm)

The full version of the "Optima DDoS 10a" botnet is available for download on hacker forums.

According to the author, this new version 10a improves the bot's stealth on the system and optimizes the password grabber. It was sold for about $600.

Bot features:
  • DDoS attacks of three types: HTTP flood, ICMP flood and SYN flood.
  • Theft of stored passwords from some applications installed on the victim's system.
  • Opens a SOCKS5 proxy on the infected system.
  • Ability to game various counters on websites (HTTP access to the sites).
  • Hidden download and execution of a specified file on the affected systems.
  • Installs itself as a system service.
  • Bot size: 95.5 KB, written in Delphi.

Microsoft destroys botnets by taking down the domain providers

Microsoft obtained the order from the U.S. District Court for the Eastern District of Virginia, Alexandria Division, directing top-level domain registrar Verisign to take down the domains, on Sept. 22, but it remained sealed until Monday, when Piatti was served with a court summons in the case by Microsoft lawyers in the Czech Republic. The takedown of the sites occurred just after midnight Pacific Time on Monday.

Microsoft used the same technique that worked in its earlier takedowns of the Rustock and Waledac botnets, asking a U.S. court to order Verisign to shut down 21 Internet domains associated with the command-and-control servers that form the brains of the Kelihos botnet.

"These were domains, either directly or through subdomains, that were actually being utilized to point computers to command and control websites for the Kelihos botnet," said Richard Boscovich, an attorney with Microsoft's Digital Crimes Unit.

With somewhere between 42,000 and 45,000 infected computers, Kelihos is a small botnet, but it was spewing out just under 4 billion spam messages per day: junk mail related to stock scams, pornography, illegal pharmaceuticals and malicious software. Technically, the botnet looked a lot like Waledac, and some security experts think it may have been built by the same criminals.

The idea of a highly disruptive botnet that Microsoft shut down in February 2010 quietly resurfacing under a different name did not sit well with Microsoft's Digital Crimes Unit. "We wanted to take it out early enough so that number one, it wouldn't grow and propagate ... but also to make the point that when a threat is down, it's going to stay down," Boscovich said. "I think we made that point pretty effectively in this particular operation."

All but one of the Internet domains that Microsoft took offline were anonymously registered in the Bahamas; the remaining domain, cz.cc, is owned by Dominique Piatti, who runs a domain-name business called Dotfree Group out of the Czech Republic.

"For some time now, this particular domain has had multiple issues with it in addition to Kelihos," Boscovich said. "We ultimately decided to name him as a defendant in light of some previous incidents that he's had."


Malicious sites on the cz.cc domain had previously been used to trick Macintosh users into thinking they needed to buy a bogus security program called MacDefender.

Security experts say that many of these subdomain hosting companies, which typically offer free domain-name registration, have opened up a lawless frontier on the Internet where nearly anything goes. "There's a huge amount of abuse going on on those subdomains," said Roel Schouwenberg, a researcher with security vendor Kaspersky Lab. "The bad guys select whichever domain is cheapest and most reliable," he added. "Some of these domain owners are extremely slow in responding to abuse issues."

Scammers had used a series of ingenious tricks to game Google's image search feature and spread the MacDefender malware using bulk subdomains, said Sean Sullivan, a security adviser with F-Secure. Sullivan's company automatically blocks the ce.ms, cu.cc, cw.cm, cx.cc, rr.nu, vv.cc and cz.cc domains with its security software, he added.
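Blocking a bulk-subdomain zone such as cz.cc means blocking every host registered beneath it while leaving unrelated names alone, and that is easy to get wrong with a substring check. The following is an added example of how such a block list is applied, written for this article rather than taken from F-Secure or Google; the zone list is the one Sullivan describes above, and the hostnames and URLs in the tests are constructed.

```python
"""Block-list matching for bulk-subdomain zones (added example; not
F-Secure's or Google's code). BLOCKED_ZONES is the list the article says
F-Secure blocks; the URLs used to exercise it are constructed."""
from urllib.parse import urlsplit

BLOCKED_ZONES = {"ce.ms", "cu.cc", "cw.cm", "cx.cc", "rr.nu", "vv.cc", "cz.cc"}

def blocked_zone(host):
    """Return the blocked zone `host` sits under, or None.

    Each candidate is a suffix cut at a DNS label boundary, so 'a.b.cz.cc'
    and 'cz.cc' itself match, while 'xcz.cc' (a different registration under
    .cc) and 'cz.cc.example.net' (cz.cc used as a lower label) do not.
    Case and a trailing root dot are normalised first."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        zone = ".".join(labels[i:])
        if zone in BLOCKED_ZONES:
            return zone
    return None

def url_blocked(url):
    """Decide on the host the browser will actually connect to. urlsplit
    strips userinfo ('http://cz.cc@example.net/' connects to example.net,
    a classic lure) and the port before we look at labels."""
    host = urlsplit(url).hostname or ""
    return blocked_zone(host)

if __name__ == "__main__":
    for u in ("https://macdefender.cz.cc:8080/scan",
              "http://cz.cc@example.net/update.exe",
              "http://xcz.cc/"):
        print(u, "->", url_blocked(u))
```

Blocking whole zones this way is blunt, which is why Schouwenberg's comment about cheap, slow-to-respond providers matters: the legitimate sites on those zones are collateral, and vendors accept that because abuse handling at the registrar is what would otherwise make per-host blocking workable.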

In June, Google blocked a number of bulk subdomain sites from its search index, saying that many of them had been used by criminals. "In some cases our malware scanners have found more than 50,000 malware domains from a single bulk provider," Google wrote in a blog post announcing the decision.

Reached on Tuesday, Piatti was unable to comment for this story. "I would be glad to give you my side of the story, but I feel that I should hire a lawyer first," he said in an email.

Hundreds of thousands of machines join botnets every month: report from Kaspersky


"Hundreds of thousands of machines are joining botnets every month. Most of these botnets are used to propagate spam or distribute malware that can be used in cyber espionage. Some of them are used in DDoS attacks or as proxies to commit other cybercrimes," said Vitaly Kamluk, Chief Malware Expert in Kaspersky Lab's Global Research and Analysis Team.

According to Kamluk, the largest botnet is Conficker, with more than 8 million infected hosts, followed by TDSS with more than 5.5 million, Zeus with more than 3.6 million, and Koobface with more than 2.9 million.

"One could think that laws should be able to help us. Indeed, there is a law that prohibits unauthorized access to remote systems, i.e., third parties cannot use the resources of the other's machine. However, cybercriminals successfully bypass this law. They utilize and exploit systems in any way they want – to commit crime, earn money, etc. At the same time we researchers come up against the same law – but in our case it prevents us from fighting botnets.

"As an example of what could be done but cannot even be contemplated, there are over 53,000 command and control (C&C) centers on the Internet (source: www.umbradata.com). In many cases we know where the C&C centers of these botnets are, so in theory we could contact the owner's Internet Service Provider and ask it to take it down or to pass control of the center to us. This would be the right decision if we didn't want to leave all those thousands of infected machines online, continuing to attack other machines. We could issue a command for a bot to self-destruct from within the botnet infrastructure (starting from the command center) and then take it down. But unfortunately this represents unauthorized access, and we are not allowed to issue such a command," Kamluk said.

He recommended that law enforcement consider the following steps to help investigators fight botnets:

  • Carrying out mass remediation via a botnet;
  • Using the expertise and research of private companies and providing them with warrants for immunity against cybercrime laws in particular investigations, so they can collect more evidence, or bring down a malicious system when it cannot be accessed physically;
  • Using the resources of any compromised system during an investigation, so that investigators can place traps on compromised machines to get the source IP addresses of the attackers and bypass the mechanisms they use to hide their identities;
  • Obtaining a warrant for remote system exploitation, only in cases where no other alternative is available. "Of course this could result in cyber espionage. But if it is done properly – if the warrant is given for a particular system, in a particular case, for a particular timespan – this could bring positive results. Indeed, it could significantly change the cyber-threat landscape."