Skip navigation
Help

botnet

warning: Creating default object from empty value in /var/www/vhosts/sayforward.com/subdomains/recorder/httpdocs/modules/taxonomy/taxonomy.pages.inc on line 33.
Original author: 
Sean Gallagher

Over a year after the arrest of eight of its members in Russia, the alleged leader of the original Carberp botnet ring that stole millions from bank accounts worldwide has been arrested, along with about 20 other members of the ring who served as its malware development team. The arrests, reported by the news site Kommersant Ukraine, were a collaboration between Russian and Ukrainian security forces. The alleged ringleader, an unnamed 28-year-old Russian citizen, and the others were living throughout Ukraine.

Initially launched in 2010, Carberp primarily targeted the customers of Russian and Ukrainian banks and was novel in the way it doctored Java code used in banking apps to commit its fraud. Spread by the ring through malware planted on popular Russian websites, the Carberp trojan was used to distribute targeted malware that modifies the bytecode in BIFIT's iBank 2 e-banking application, a popular online banking tool used by over 800 Russian banks, according to Aleksandr Matrosov, senior malware researcher at ESET. The botnet that spread the malware, which was a variant of the Zeus botnet framework, also was used to launch distributed denial of service attacks.

In February of 2011 the group put its malware on the market, selling it to would-be cybercriminals for $10,000 per kit—but it pulled the kit a few months later.

Read 1 remaining paragraphs | Comments

0
Your rating: None
Original author: 
Sean Gallagher


The Evernote interface for Chinese users—and the gateway to commands for a very sneaky backdoor.

Your average workaday botnet uses a command and control server to give the malware bots on infected PCs their marching orders. But as network security tools begin to block traffic to suspicious domains, some enterprising hackers are turning to communications tools less likely to be blocked by corporate firewalls, using consumer services to deliver their bidding to their digital minions. Today, security researchers at Trend Micro revealed the latest case of the consumerization of botnet IT: malware that uses an Evernote account to communicate.

The backdoor malware, designated as VERNOT.A by Trend Micro, is delivered via an executable file that installs the malware as a dynamic-link library. The installer then ties the DLL into a legitimate running process, hiding it from casual detection. Once up and running, the backdoor starts to collect information about the system it has made its home—the computer's name, the person and organization identified as its registered owners, the operating system version, and its timezone. Then it connects to Evernote—specifically the Chinese interface to the Evernote service—to fetch information from notes saved in an account, including commands to download, run, and rename files on its host system.

According to a blog post by Trend Micro Threat Response Engineer Nikko Tamaña, the backdoor may have also used Evernote as a location to upload stolen data. Fortunately (or unfortunately, depending on how you look at it), the account that was hard-coded into the backdoor's channel to home had already been shut down—ironically, because its password was reset after Evernote's recent security breach.

Read 2 remaining paragraphs | Comments

0
Your rating: None

angry tapir writes "Security researchers have identified a botnet controlled by its creators over the Tor anonymity network. It's likely that other botnet operators will adopt this approach, according to the team from vulnerability assessment and penetration testing firm Rapid7. The botnet is called Skynet and can be used to launch DDoS (distributed denial-of-service) attacks, generate Bitcoins — a type of virtual currency — using the processing power of graphics cards installed in infected computers, download and execute arbitrary files or steal login credentials for websites, including online banking ones. However, what really makes this botnet stand out is that its command and control (C&C) servers are only accessible from within the Tor anonymity network using the Tor Hidden Service protocol."

Share on Google+

Read more of this story at Slashdot.

0
Your rating: None



The recent resurgence of the Hlux/Kelihos botnet, taken down last week by a team of security companies, demonstrates how hard it is to detect and permanently shut down the latest generation of botnets. And the arms race to counter botnets is only going to escalate further now that the sort of peer-to-peer technology used in Kelihos has become commoditized in Zeus, a botnet "platform" at the center of a thriving criminal software ecosystem.

Last week, Microsoft and its partners were able to take down a collection of Zeus botnets infecting more than 13 million PCs by seizing associated servers and domain names then disrupting their command and control (C&C) network. But those botnets were built using an older set of Zeus binaries. A newer version of the software incorporates peer-to-peer networking technology in a way that eliminates the need for a C&C server, rendering botnets immune to that sort of decapitating strike.

"The takedowns we saw (by Microsoft) will become less and less possible as people move their botnets from client-server architectures to peer-to-peer," said Wade Williamson, senior product manager at Palo Alto Networks.

Read the rest of this article...

Read the comments on this post

0
Your rating: None

An anonymous reader writes "Details of the tools, techniques and procedures used by the hackers behind the RSA security breach have been revealed in a research paper (PDF) published by Australian IT security company Command Five. The paper also, for the first time, explains links between the RSA hack and other major targeted attacks. This paper is a vendor-neutral must-read for any network defenders concerned by the hype surrounding 'Advanced Persistent Threats.'"


Share on Google+

Read more of this story at Slashdot.

0
Your rating: None

IncognitoRAT is the first known Java-based, cross-platform botnet. It can infect Java virtual machines on MacOS and Windows machines, as well as iPads and iPhones. Presumably, GNU/Linux machines are vulnerable, too, but this isn't mentioned in the article.

"The original propagation vector of IncognitoRAT is a Windows executable, but apparently it was created using the tool JarToExe, which includes, among other features, the ability to convert .jar files into .exe files, to add program icons and version information, and protect and encrypt Java programs.

Once the .jar file is converted, it is executed and downloads a number of Java-based libraries that allow the attacker to remotely control the keyboard and mouse of the affected computer, to play MP3 files and videos, to record images taken by the computer's webcam, and to send stolen information to a predefined email account.

Multiplatform Java botnet spotted in the wild

(via The Command Line)

0
Your rating: None