Search This Blog

Showing posts with label Botnets. Show all posts

Emotet Botnet Operators Switching to a New Template Named ‘Red Dawn’


Emotet malware has been continually evolving to the levels of technically sophisticated malware that has a major role in the expansion of the cybercrime ecosystem. First discovered as a simple banking Trojan, Emotet’s roots date back to 2014 when it attempted to steal banking credentials from affected machines.

However, after going through multiple upgrades, since then, it has taken upon various roles- to exemplify, it has leveled up its threat game long ago to become a “loader”; it gathers data and sends it via an encrypted channel to its command and control (C2) servers, it also downloads modules to further the functionality.

The threat actors, actively involved in the rapid expansion of “Emotet” as a service, have devised a new method of attacking their targets by making them access infected documents. Until a while ago, the operators of Emotet have been using an iOS-themed document template in their botnet campaigns, the template informed victims that the document was created on iOS and that in order to view the content properly, he needs to ‘Enable Content’.

However, this is not the scenario anymore. In its newer campaigns, the notorious botnet is reported to be employing a new template, named ‘Red Dawn’ by Emotet expert, Joseph Roosen, for its red accent colors.

While displaying the message, “This document is protected”, the Red Dawn template informs the user that the preview is unavailable and in order to view the document, he is required to click on ‘Enable Content’ or ‘Enable Editing’ button.

After the user is being tricked into accessing the document via the steps he was asked to follow, Emotet malware gets installed on his system following the execution of macros. Once the system is successfully infected, Emotet malware may proceed to deliver other malware and ransomware namely Trickbot and Qbot or Conti and ProLock respectively.

“#Emotet AAR for 2020/09/02: Only a couple malspams at dayjob. It looks like JP is getting targeted heavily now by E1/E2 and E3. Seeing templates on all 3! The new regex for E1 is stupid and I bet Yuri thought that was epic, well nope, even easier to block, new regex in report. TT”, Joseph Roosen said in his related Tweet.

Over 500 SSH Servers being Breached by FritzFrog P2P Botnet


Cyberspace has seen an unprecedented rise in modified versions of peer-to peer, also known as (P2P) threats, it might have appeared that these P2P services have been vanishing, but in reality, they have emerged even stronger in newer ways. BitTorrent and eMule are still known to be in use by attackers.

A peer-to-peer (P2P) network is an IT infrastructure in which two or more computers have agreed to share resources such as storage, bandwidth and processing power with one another. Besides file sharing, it also allows access to devices like printers without going through separate server software. A P2P network is not to be confused with client-server network that users have traditionally used in networking, here, the client does not contribute resources to the network.

Researchers at Guardicore have recently discovered a sophisticated peer-to-peer (P2P) botnet called as FritzFrog that has been actively operated since January 2020, breaching SSH servers; it’s a Golang-based modular malware that executes a worm malware written in Golang, it is multi-threaded, completely volatile, and fileless and leaves no trace on the infected system’s disk.

It has a decentralized infrastructure which distributes control among all its nodes. The network uses AES for symmetric encryption and the Diffie-Hellman protocol for key exchange in order to carry out P2P communication via an encrypted channel.

So far, more than 20 malware samples have been discovered by the researchers as FritzFrog attempted to brute force over 500 SSH servers belonging to educational institutions, governmental institutions, telecom organizations, banks, and medical centers worldwide. The campaign also targeted some well known high-education institutions in the United States and Europe, along with a railway firm.

Botnets are being leveraged by attackers for DDoS attacks and other malicious activities, as per the recent attack trend. Earlier in June this year, the Monzi malware was seen exploiting IoT devices, mainly DVRs and routers. Threat actors brought together various malware families namely Mirai, Gafgyt and IoT Reaper, to carry out a botnet capable of DDoS attacks, command or payload execution or data exfiltration.

“FritzFrog’s binary is an advanced piece of malware written in Golang. It operates completely in-memory; each node running the malware stores in its memory the whole database of targets and peers,” according to Guardicore’s report.

“FritzFrog takes advantage of the fact that many network security solutions enforce traffic only by the port and protocol. To overcome this stealth technique, process-based segmentation rules can easily prevent such threats.”

“Weak passwords are the immediate enabler of FritzFrog’s attacks. We recommend choosing strong passwords and using public key authentication, which is much safer. In addition, it is crucial to remove FritzFrog’s public key from the authorized_keys file, preventing the attackers from accessing the machine. Routers and IoT devices often expose SSH and are thus vulnerable to FritzFrog; consider changing their SSH port or completely disabling SSH access to them if the service is not in use.” The report further read.

Prometei: A Cryptomining Botnet that Attacks Microsoft's Vulnerabilities


An unknown Botnet called "Prometei" is attacking windows and Microsoft devices (vulnerable) using brute force SMb exploits. According to Cisco Talos, these SMB vulnerabilities help in mining cryptocurrency. The botnet has affected around a thousand devices. It came in March; however, according to experts at Cisco Talos, the campaign could only generate a small amount of $5000 in four months of its activities. The botnet was working since the beginning of March and took a blow on 8th June. However, the botnet kept working on its mining operations to steal credentials. According to experts, the botnet is working for somebody based in Europe, a single developer.


"Despite their activities being visible in logs, some botnets successfully fly under detection teams' radar, possibly due to their small size or constant development on the adversary's part. Prometei is just one of these types of networks that focuses on Monero mining. It has been successful in keeping its computing power constant over the three months we've been tracking it," says Cisco Talo's report.
Vanja Svajcer, a cybersecurity expert, says that earning $1250 monthly is more than average for a European. Therefore, the developer would 've made a fair profit from the botnet. Besides crypto mining, it can also steal private credentials and escape without getting traced.

About SMB attack 

The hacker exploits the Windows Server Message Block protocol using a vulnerability. After this, the hackers retrieve passwords from Mimikatz, which is an open-source app for credential authentication. To spread itself in SMB protocol, the hackers use the RdpcIip.exe spreader module. This spreader tries to authenticate SMB operation using retrieved credentials or a temporary guest profile, which doesn't require any password. If the spreader can infiltrate, it uses a Windows app to launch the botnet remotely. But if the attack fails, the hackers can use other versions of vulnerabilities to start botnet.

To protect yourself, Cisco Talos says, "defenders need to be constantly vigilant and monitor systems' behavior within their network. Attackers are like water — they will attempt to find the smallest crack to seep in. While organizations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure."

LeeHozer and Moobot Have The Same Attack Maneuvers?


Sharing has become a thing with cyber-criminals and their malware mechanisms. Reportedly, LeetHozer botnet was found to have similar attack tactics as that of the Mootbot malware family. Researchers have reasons to think that the party that created the Moobot also could be the ones who created the LeetHozer.

Per researchers, the LeetHozer botnet has been counting on other kinds of malware for a little bit of sharing here and there. Per sources, it has in the past used the loader and reporter system that the Mirai uses.

Apparently, despite using the same mechanisms as Mirai the LeetHoxer threat was a little different. According to researchers, other Mirai variations too were altered including the encryption procedure, the bot program, and the command and control protocol. The unique "string and downloader" too were revealed to be of the same kind as Mirai.

Per reports, the botnet was noticed when it was found to be manipulating a vulnerability in the “telenet service” of a device. It made use of the default password to get access to the device. Once the device got infected the LeetHozer sent the information of the device to its reporter mechanism which then got to the command and control server and then finally the instructions for the Denial-of-Service attack were received.

The history of various attacks has it that Moobot has been a part of quite a lot of attacks ever since it first surfaced last year. According to researchers, several threat actors have made use of it to exploit zero-day vulnerabilities. It was discovered by the researchers while it was manipulating a zero-day vulnerability in fiber routers, reports mention. It hence is needless to say that one of the major attack tactics of the Moobot is exploiting any zero-day flaw it could get it claws into.

There are numerous ways in which an organization can create a barricade against any such attacks. The cyber and technological security personnel could design a response plan and a contingency plan especially against DDoS attacks, the systems should be backed up at all times, and configuration could be done in a way that as soon as the network is attacked the back-up kicks in. Also, researchers suggest that Artificial Intelligence could prove to be a very lucrative solution for such problems.

Three Botnets Abuse Zero-Day Vulnerabilities in LILIN's DVRs!


Not of late, LILIN recorders were found to be vulnerable. Reportedly, botnet operators were behind the zero-day vulnerabilities that were exploited in the Digital Video Recorders (DVRs ) that the vendor is well known for.

Sources mention that the exploitation of the zero-day vulnerabilities had been a continuous thing for almost half a year and the vendor was unaware. Nevertheless, they rolled out a patch in February 2020.

Digital Video Recorders are electronic devices that collect video feeds from local CCTV/IP cameras systems and store them on different mass storage devices like SD cards, USB flash drives, disk drives, etc.

DVRs are a huge deal today given they are a major element for the security cameras that are used almost everywhere in these times.

With CCTV cameras raging, attacks especially designed for them have also risen equally. Malware botnets and other hacker operations have been targeting these widely used DVRs for quite some time now.

Per sources, the non-revised and out of date firmware stands to be the reason for these devices being hacked. Especially, the DVRs with default credentials are exploited to kick off DDoS and other IoT attacks.
Sources mention that security researchers found LILIN’s DVRs too were being exploited for almost half a year, since August last year by three botnets.


The vulnerability in the “NTPUpdate”, sources mention, allows attackers to inject and control the system’s commands. Via one of the ‘hardcoded credentials’ (root/icatch99 & report/8Jg0SR8K50) the attacker stands a chance to retrieve and alter a DVR’s config file, and later control commands on the device after the File Transfer Protocol (FTP) server configuration is regularly matched.

Per sources, the first botnet behind the zero-day vulnerability was the “Chalubo botnet” with a motive of exploiting the NTPUdate of the LILIN DVRs. The other two were employed by the “FBot botnet”

Reportedly, a couple of weeks after the previous attacks of the FBot, the Moobot botnet also tried its luck and succeeded on the second zero-day vulnerability.

There is no knowing as to what the exact motive was behind hacking the LILIN DVRs. Nevertheless, there has been a history of DDoS attacks, re-routing traffic, and proxy networks.

As it happens there are, per sources, over 5,000 LILIN DVRs that exist today thus making it quite a hefty task to update all of them immediately. But it’s a relief to know that the first step has been taken. There’s not much to worry about now given LILIN has released a firmware update along with solutions for mitigation.

Microsoft shuts down World's Largest Botnet Army


According to Microsoft, the company was part of a team that took down the global network of zombie bots. Necurs is one of the largest botnets globally and is also responsible for attacking more than 9 million computers. It is infamous for multiple criminal cyberattacks that include sending phishing emails like fake pharmaceuticals e-mail and stealing personal user data. The hackers use Botnets for taking over remote access of internet-connected systems to install malware and dangerous software. The hackers then use the installed malicious software to steal personal user data like user activity on the computer, send spams and fake e-mails, modify or delete user information without the knowledge of the owner.


The taking down of the Necurs happened after 8 years of consistent hard work and patience along with co-ordinated planning with 35 counties across the world, says Tom Burt, VP of customer security and trust, Microsoft. According to Tom, now that the botnet network is down, hackers will no longer be able to execute cyberattacks with the help of the botnet network.

About Botnet

Botnets are systems of the web-connected computers that run on self-automated commands. Hackers use this network of systems to send malware (malicious software) that allows them remote access to a computer. If the malware is installed or starts affecting the computer, hackers steal personal user information or use the infected device as a host to launch more cyberattacks by sending spams and malware. When the device is infected through malware, it's called Zombie.

Origin of Botnet Network

The news of the 1st Necurs attack appeared in 2012. According to experts, Necurs is said to have affected more than 9 million computers. Necurs used domain generation algorithms to grow its network. It turned arbitrary domain names into websites and used them to send spams or malware to the attacked computers. Fortunately, Microsoft and the team deciphered the algorithm pattern and predicted the next domain name that Necurs would have used to launch another cyberattack, and prevented the attack from happening.

Signs your computer might be affected

  • Systems run slow and programs load slowly 
  • Computer crashes frequently 
  • Suspicious filling up of storage 
  • Your account sends spam emails to your contacts

Hacker who was offering Cybercrime-as-a-service detained in Novokuznetsk



Employees of the Ministry of Internal Affairs of Russia with the assistance of experts of Group-IB, an international company specializing in the prevention of cyber attacks, detained a hacker in Russian city Novokuznetsk who hacked computers around the world.

The detainee offered Cybercrime-as-a-service services to cyber criminals.  He created and maintained admin panels for managing malware and botnets. 
 
According to the local report, he infected more than 50 thousands computers across the world.  He managed to steal usernames and passwords from browsers, mail clients of the infected computers.  He also reportedly stole financial information such as bank card details.

The investigation began in the spring of 2018, when the hacker infected around 1000 of computers with malicious software Formgrabber.

"He administered the botnet, which counted several thousand infected computers of Russian and foreign users,” the press service of the Ministry of Internal Affairs reported.

It turned out that the hacker is only 26 years old, since 15 he has earned money by creating websites for computer games, but then he decided to learn the profession of a hacker.  More recently, he was testing malware targeting Android platform.

He has already been charged under the article "Creation and distribution of malicious computer programs". He completely admitted his guilt.

Your Internet Connection is most likely “hacked”; Experts say so


In case you're utilizing a Wi-Fi connection in your home, you would be very astonished to realize that your web connection is most likely 'hacked', but t real question is by whom, and what for...?

Saravanan K, a Bengaluru-based specialist working on security answers for organizations probably knows best as per him, a great many people who aren't well aware of the dangers lurking deep in the technical world don't change the default equipment and the default settings, which in itself is a serious issue.

Its biggest example being the surveillance cameras where people will in general leave the usernames and passwords at the manufacturer setting, and after that any other person who cognizes the IP address can sign into them over the Web. The equivalent is frequently valid with Wi-Fi routers, as there are numerous individuals who do not comprehend them by any means.

In a study, by the Chinese cyber security analysts Netlab 360 demonstrated that India has indeed the most home routers tainted by BCMPUPnP_Hunter. This malware has made a botnet with more than 100, 00 routers and uses it to send incalculable spam messages. China and the USA both have a high number of tainted devices, yet the number in India is evidently just about a multiple times higher.

 “They're basically using your home as a base of operations to attack other people. So they don't want to take down your computer nor do anything else that will get them noticed, they want you to stay online an active," explains Saravanan.

"This is actually a big problem for the home users.” Adding further he says, “What's happening is that your Internet bandwidth is being consumed, so your streaming might seem slow, or your data limit might be hit sooner than expected, costing you real money, and apart from that, the other downside is that attacks like credential stuffing are being powered by your network, and that's going to hurt other consumers like yourself."

The darker the colour, the more number of infected devices.

But there's only much that an average user can do to remain safe and the only possible path through which they can secure themselves as pointed out via a research from IBM is by purchasing new hardware.

Anyway it's as yet imperative to realize that these sorts of botnets are developing and spreading fast, and will influence the other gadgets as well, where the effect can be significantly more dangerous. The progressions caused make the attacks by these botnets a lot harder to distinguish by users, and subsequently prompting the expansion in these issues after some time.

Upgrade your SOHO routers firmware to the latest version


A recent study has uncovered that a huge number of Small Office / Home Office (SOHO) routers, who neglect basic security practices, were recently targeted by attackers.


The study conducted by Incapsula security team was published on its blog by researchers Ofer Gayer, Ronen Atias, Igal Zeifman.  

It has urged router owners to disable all remote access to their router management interfaces. In order to verify that their own router is not open to remote access, they can use YouGetSignal to scan for the following ports: SSH (22), Telnet (23) and HTTP/HTTPS (80/443).

Along with that, it has recommended all router owners to change the default login credentials, if they haven’t done so already.

And those whose routers are already compromised, they can upgrade their routers’ firmware to the latest version provided by the manufacturer.

It is said that the flaw was the result of negligent, with ISPs, vendors, and users sharing a long tradition of disregarding basic security practices. As a result hundreds of thousands routers likely to be controlled by hacker which are used to attack the Internet ecosystem and interconnected networks.

The study revealed that major companies involved in the issue.

The study’s main target is to share attack details in an attempt to raise awareness about the dangers posed by under-secured, connected devices.

Although the study has been published, many botnet devices are still attacking the users and other websites.

According to the study, the researchers first identified these attacks on December 30, 2014 and have been mitigating them ever since. In the last 30 days, they saw that the number of attacking IPs had been increasing.

The rapid growth compelled the Incapsula security team to further investigate the case. The team revealed that this wave of attacks is a part of a much larger DDoS assault targeting hundreds of other domains outside of the Incapsula network, and includes other attack vectors and  network layer barrages.

After the research, Incapsula contacted the vendor of the routers and the ISPs whose routers and networks, it found to be most open to abuse.

After inspecting a sample of 13,000 malware files, they found out that on average, each compromised router held four variants of MrBlack malware, as well as additional malware files, including Dofloo and Mayday, which are also used for DDoS attacks.

27 year old Female hacker Arrested by ITCU

Recently, a 27 year old Female hacker was arrested by the Integrated Techological Crime Unit (ITCU) from her residence in Saint-Alphonse-de-Rodriguez. The ITCU believes that this individual is the origin of a botnet.

The female was using a Remote Administration Tool that would remotely takeover the computers infected with the botnet virus and spy on their using the webcam. She also communicated with some of her victims through their speakers.

The hacker also posted a video on youtube of herself hacking into others computers and trying to scare them.

Users have been requested by many to take necessary precautions so that they don't become victim of such attacks.

International operation mounted to counter Beebone Botnet

A multinational task-force comprising of European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), the FBI and led by Dutch National High Tech Crime Unit was recently set up to target the Beebone (AAEH) botnet, a downloader virus that cripples a computers defenses by downloading various malwares on a PC.

Private players Intel Security, Kaspersky and Shadowserver were also present to consult on destroying the polymorphic downloader that according to sources, has affected 12000 computers till date.

The operation 'sinkholed' the botnet by recognizing the domain names and addresses of the affected parties and then rerouting traffic.

Emergency teams around the world have been put into motion to get into touch with the victims of the botnet. The number of affected parties is less in this case, but the botnet has been deemed to be very sophisticated.

The operation was successfully carried out after which Europol’s Deputy Director of Operations, Wil van Gemert, said "This successful operation shows the importance of international law enforcement working together with private industry to fight the global threat of cybercrime."

"We will continue our efforts to take down botnets and disrupt the core infrastructures used by cybercriminals to carry out a variety of crimes. Together with the EU Member States and partners around the globe, our aim is to protect people worldwide against these criminal activities."

One of the largest Android Botnet 'MisoSMS' steals messages

Security researchers from FireEye have uncovered one of the largest Android botnet which they dubbed as "MisoSMS".  The botnet is said to have been used in at least 64 spyware campaigns.

According to the report, the malware disguised as an "Android settings" application used for adminstrative tasks.

 The threat is designed to steal messages from victims and emails the messages to a Command and control(C&C) server located in china.

 the most of the infected devices are from Korea.  The cybercriminals behind this botnet logged into the server from Korea, China and few other locations in order to read the stolen messages.

FireEye said they are collaborating with the Koran law enforcement and Chinese webmail vendor in a effort to disrupt this botnet.

'Advanced Power' botnet attempts to hack website using victim's machine

S ecurity researcher Brian Krebs has discovered a new Botnet that tests websites for vulnerabilities using the infected machines. 

The malware disguise itself as a legitimate Firefox add on called "Microsoft .NET Framework Assistant" is apparently using the infected machines to find SQL Injection vulnerability in any website visited by the victim.

Once the malware determine the list of vulnerable website, the cyber criminals behind the botnet will be able to exploit the vulnerability to inject malicious codes in the websites.  So, it will probably help the attacker to increase the number of infected websites and systems.

Advanced Power test SQL Injection vulnerability

The malware also capable of stealing sensitive information.  However, the feature is not appeared to be activated on infected systems.

Alex Holden, chief information security officer at Hold Security LLC, analyzed the malware and believes the malware authors are from Czech Republic, based on the text string available in the threat.

Researcher says more than 12,500 systems have been infected by this malware and helped to discover at least 1,800 web pages vulnerable to SQL Injection.

Update:
In an email, a Mozilla spokesperson told EHN that "they have disabled the fraudulent 'Microsoft .NET Framework Assistant' add-on used by 'Advanced Power' as part of its attack. You should always be careful with anything you download. It's a good idea to use many layers of protection, including antivirus software to stop malware."

Chameleon Botnet steals $6M per month from advertisers with fake ad clicks


Security Researchers from Spider.io have discovered a new Botnet named as "Chameleon Botnet" that steals millions of dollars from advertisers by generating fake ad clicks.

The Spider.io claims the "Chameleon" botnet operates from 120,000 infected host machines - 95% of these affected PCs are using US-based IP addresses.

The firm has observed the botnets targeting at least 202 websites, hitting them with 9 billion ad impressions.

"Each bot often masquerades as several concurrent website visitors, each visiting multiple pages across multiple websites." The report reads.

PokerAgent Botnet steals more than 16k Facebook account credentials

A Botnet called "Poker Agent" identified about a year ago, which designed to steal Facebook account credentials, also stealing payment information linked to Facebook account and Zynga Poker.

According to the ESET analysis, the threat was mostly active in Israel. 800 computers were infected, over 16,000 Facebook credentials stolen.

Once the malware infect a system, it gets commands from remote C&C Server to log into Facebook accounts and collects the information including Zynga Poker Stats and Number of payment methods (i.e. credit cards) saved in the Facebook account.


The Trojan publish phishing link in the victims' wall in order to compromise more Facebook accounts credentials.

The Cybercriminals seemed to have ceased actively spreading the Trojan mid-February 2012. Israeli CERT and law enforcement have been notified and an investigation has been launched. Facebook has also been notified and has taken preventive measures to thwart future attacks on the hijacked accounts.

Cyber Criminal sentenced to 30 months for Botnet that hit 72k PCs

botnet

A Hacker was sentenced a 30 months in prison for creating botnet that infected 72,000 computers and selling access to them.

Joshua Schichtel, 30-year-old ,from Phoenix Arizona , sold access to “botnets,” which are networks of computers that have been infected with a malicious computer program that allows unauthorized users to control infected computers.

"Individuals who wanted to infect computers with various different types of malicious software (malware) would contact Schichtel and pay him to install, or have installed, malware on the computers that comprised those botnets." The U.S. Department of Justice report reads.


Schichtel pleaded guilty to causing software to be installed on approximately 72,000 computers on behalf of a customer who paid him US$1,500 for use of the botnet.

Dutch Authorities take down C&C servers used by Grum Botnet


Dutch Authorities did a great job by taking down two of the command and control(C&C) servers belong to  the world's largest spam botnet ,Grum. This is not complete victory, as there are still two other C&C servers at work, but researchers are optimistic that the volume of spam will drop as a result.

Last week, FireEye published the details on four C&C servers, actively controlling the Grum botnet.Two of the servers were in the Netherlands, one is in Russia and the other in Panama.

Now, Dutch authorities take down the two Secondary C&C servers located in the Netherlands.  The master CnC servers located in Panama and Russia are still alive.

"These two CnC servers were responsible for pumping spam instructions to their zombies. With these two servers offline, the spam template inside Grum's memory will soon time out and the zombies will try to fetch new instructions but will not able to find them," FireEye’s Atif Mushtaq wrote.

“Ideally this should stop these bots from sending more spam. I am sure the absence of the spam sent by the world's third largest spam botnet will have a significant impact on the global volume.”

Biggest banking Trojan Botnet suspect arrested by Russian Authorities


Russian police authorities arrested 22-year-old hacker, who is allegedly responsible for comprising more than 4.5 million computers – making it the largest publicly known botnet to date.

According to Russia’s Interior Ministry, the hacker used banking trojans to steal 150 million roubles($4.5 million or 3.6 million EUR), from private individuals and organisations.

The young man was known as "Hermes" and "Arashi" in online communities and apparently used variants of Carberp and similar trojans to commit the crimes. The trojan stole users' access credentials and used them to transfer money to bogus companies. Helpers then withdrew the stolen money from cash points. Most of the victims were Russian nationals.

This is the biggest banking Trojan botnet ever to be uncovered in Russia, according to reports, and one of the biggest in the world. Every day, the botnet operator would attempt to install malware on around 1 million computers, which meant that on some days, around 100,000 computers would join the network.

The authorities say that the arrest of "Hermes" and other members of his hacker group was carried out with the assistance of anti-virus company Dr. Web. Most of the accomplices lived in Moscow and St. Petersburg while "Hermes" was arrested in Southern Russia according to the reports.

THOR , New P2P Botnet in development and soon available for sale

 The development of new botnet THOR(a decentralized P2P botnet) is nearing completion and will soon be available for sale for $8000 on various underground hacking forums.  THOR is coded in C/C++ and developed by TheGrimReap3r.

THOR Works on Win 2000+, Win XP SP0/SP1/SP2/SP3, Win Vista SP0/SP1/SP2, Win 7 SP0/SP1  and Support x86 and x64 systems

"The botnet itself has no central command point, so it will be very difficult to shut down, also, very difficult to track where commands are coming from, because all the nodes pass them on. So there is no chance that it will be tracked down in the nearest future." Developer wrote in the HF.

THOS Uses DLL injection, IAT hooking, ring3 rootkit amongst other things to hide.It have it's own module system so you can write your own modules with our easy API system.  - Custom modules can be arranged on request for a fair price.

peer to peer communication uses 256-AES encryption with random key generation at each startup. 8192-bit RSA will be used for instruction signing(the NSA recommends 2048-bit).

The developer set the price as $8000 for the package without modules, module pricing have not been set yet due to that they are not completed. And the expected modules that you can buy will be, advanced botkiller, DDoS, formgrabber, keylogger/password stealer and mass mailer.

Kelihos/Hlux botnet comeback with new Techniques


Microsoft and Kaspersky Lab took down the Kelihos botnet last September using "sinkholing" method, but Kaspersky Lab reports that Kelihos botnet comeback with a new avatar.

The earlier version of Kelihos botnet has reportedly infected more than 41,000 computers around the world, not as large as Rustock botnet, but it was capable of sending 3.8 billion spam mails per day.

Recently, Kaspersky Lab come across a new samples of Kelihos botnet, come with a new techniques.  This new variant use the updated Encryption key method and algorithms.

After investigating the malware samples, Kaspersky lab come to the following conclusion: "It is impossible to neutralize a botnet by taking control over the controller machines or substituting the controller list without any additional actions. The botnet master might know the list of active router IPs, can connect to them directly and push the bot update again along with the new controllers list. "

"We believe that the most effective method to disable a botnet is finding the people who are behind it. Let’s hope that Microsoft will carry out its investigation to the end." Kaspersky Lab says.