Back in November there was a considerable drop in Spam when Spam friendly ISP McColo was cut off from the Internet by it’s upstream peer.

Srizbi worm was pretty smart though and was picking up again by the end of November. Later in the year the botnets were somewhat neutralised leading to a huge drop in spam.

But now, they are back – re-engineered – and ready to spam without going down again.

The demise late last year of four of the world’s biggest spam botnets was good news for anyone with an email inbox, as spam levels were cut in half – almost overnight. But the vacuum has created opportunities for a new breed of bots, some of which could be much tougher to bring down, several security experts are warning.

New botnets with names like Waledac and Xarvester are filling the void left by the dismantling of Storm and the impairment of Bobax, Rustock, and Srizbi, these researchers say. The new breed of botnets – massive networks of infected Windows machines that spammers use to blast out billions of junk messages – sport some new designs that may make them more immune to current take-down tactics.

Waledac is a good example. It appears to be a complete revision of Storm, that includes the same state-of-the-art peer-to-peer technology and fast-flux hosting found in its predecessor, according to researcher Joe Stewart of Atlanta-based security provider SecureWorks. But it differs from Storm in one significant way: Weak encryption protocols, which proved to be an Achilles Heel that led to its downfall, have been completely revamped

That’s one problem with attacking these botnets and the malware behind them, the people doing it aren’t kids having fun. They are business syndicates making serious money, so whatever you do – they are going to learn from it and adapt their software and methods to circumnavigate it.

That’s what seems to be happening now with Waledac, a new re-engineered version of Storm with stronger encryption protocols. They learnt from their mistakes and released a new, updated and more powerful version.

What amazes me is that in the Xarvester malware, it actually makes use of the Windows crash reports – sending them to the developers to make the bot more stable!

“Several researchers are actively studying the communications, but I don’t know if and when it will be broken and hijackable,” said Jose Nazario, a security researcher at Arbor Networks. “The guys behind the botnet seems intent on staying up and so evading researchers seems like the most appropriate thing to do.”

Waledac has amassed some 10,000 zombie computers so far, a tiny fraction of the bigger botnets. But Stewart expects it to be a major player in the coming months. Meanwhile, a spam botnet called Xarvester is making similar inroads. It is the world’s third-biggest spammer, accounting for over 13 percent of the world’s spam, according to Marshall. What’s more, its uncanny resemblance to Srizbi has sparked suspicions it is a reincarnation of that notorious botnet. Similarities include an HTTP-based command and control center that uses non-standard ports, encrypted template files used to send spam and configuration files with the common formats and data.

It also has a sophisticated feedback system that helps bot developers squash bugs so the software is harder to detect on a victim’s machine.

“Just like Srizbi, Xarvester has the ability to upload the Windows minidump crash dump file to a control server in the event that the bot crashes a system,” according to this analysis from Marshall. “This is presumably to help the botnet controllers debug their bot software.”

It seems like Xarvester has some uncanny resembelances to Srizbi too, so maybe it’s a new updated release from the same group which fixes the flaws that made Srizbi fail in the long term.

The infection rates for these bots are quite low currently, but due to the new measures the developers have taken they are likely to gain many more infections and be much harder to remove/detect and stop.

Source: The Register

After McColo was partially disconnected from the Internet by it’s peers global spam dropped noticeably.

It seems however that the spam was emanating from a zombie network and the control servers were hosted by McColo, the creators of the botnet (Srizbi) were smart about it though and built a fail-safe system into the the malware.

It should be expected that spam will return to normal levels within a week or so.

On Nov. 11, the Internet servers used to control the Srizbi botnet were disconnected when a Web hosting firm identified by security experts as a major host of organizations engaged in spam activity was taken offline by its Internet providers.

Turns out, Srizbi’s authors had planned ahead for such a situation by building into each bot a fail-safe mechanism in case its master control servers were unavailable: A mathematical algorithm that generates a random but unique Web site domain name to check for new instructions and software updates.

With such a system in place, the malware authors can regain control over the bots merely by registering the Web site names that the infected machines are trying to visit and placing the instructions there.

It seems to be a pretty advanced piece of malware, it acts as a rootkit so it’s hard to remove, it’s has a Python mailing component which allows 3rd party access – this makes it very probably the botnet is ‘rented’ out to spam houses. It also pretty powerful on the network level as it can directly attach NDIS and TCP/IP drivers to its own process to hide network traffic it generates.

Some claim Srizbi is the largest botnet and is responsible for over half of the spam being produced globally, so this is a worrying turn of events.

According to FireEye, a security company in Milpitas, Calif., that has closely tracked the botnet’s actviity, a number of those rescue domains were registered Tuesday evening, apparenly directing at least 50,000 of the Srizbi-infected machines to receive new instructions and malicious software updates from servers in Estonia.

FireEye senior security researcher Alex Lanstein said he fully expects spam volumes to recover to their pre-Nov. 11 levels within a couple of days.

“Srizbi was the spam king,” Lanstein said. “And now it’s back.”

Seen as though the main activity is happening in Eastern Europe it seems unlikely anyone will be able to stop it and due to the very nature of botnets (completely distributed) IP blacklisting is futile as the mail could be coming from anywhere.

Anyhow it’ll be an interesting story to watch and I hope there are some new developments in taking these botnets out.

Source: Security Fix

Apparently he stopped his naughty activities back in 2006, but still…a guy that is supposed to securing machines was installing malware and had a bot totaling about a quarter of a million zombies.

Most used for info gathering, Paypal accounts and installing Malware for comission, he claims to have made $19,000 in a week installing TopConverting (read more).

A Los Angeles security professional has admitted to infecting more than a quarter million computers with malicious software and installing spyware that was used to steal personal data and serve victims with online advertisements.

John Kenneth Schiefer, 26, variously known online as “acid” and “acidstorm,” agreed to plead guilty to at least four felony charges of fraud and wiretapping, charges punishable by $1.75 million in fines and nearly 60 years in prison.

Investigators say Schiefer and two minors — identified in the complaint only by their online screen names “pr1me” and “dynamic” — broke into about 250,000 PCs. On at least 137,000 of those infected systems, Schiefer and his cohorts installed programs that allowed them to control the machines remotely.

That’s a pretty reasonable sized network, enough to rent out for some serious DDoS attacks, and certainly enough Paypal accounts to earn some good money.

Schiefer said he and his friends spread the bot programs mainly over AOL Instant Messenger (AIM). By using malicious “spreader” programs such as Niteaim and AIM Exploiter, Schiefer and his co-conspirators spammed out messages inviting recipients to click on a link. Anyone who took the bait had a “Trojan horse” program downloaded to their machine, an invader that then tried to fetch the malicious bot program.

Schiefer admits he and friends used several hjacked PayPal accounts to purchase Web hosting that helped facilitate the spreading of their bot programs.

Pretty lame, but most of the infections were done with pre-built AIM tools. This is ultimate script kiddy stuff, but hey I guess it works right.

Source: Washington Post

An interesting happening this week, some ISP’s have been jacking the DNS entries for certain IRC networks to crack down on zombie/bot infections.

Is it ethical? Should they be doing this to their users?

I first got wind of this from a post on Full Disclosure mailing list from an IRC network administrator.

You can read that e-mail here:

Major ISPs arbitrarily blocking IRC and hijacking DNS entries

Internet service provider Cox Communications is reportedly diverting attempts to reach certain online chat channels and redirecting them to a server that attempts to remove spyware from the computer. By doing so the company seems to be attempting to cleanse computers of malware that hijacks the computers resources to send spam and participate in online service attacks as part of a large network of compromised computers known as a botnet.

Specifically, Cox’s DNS server is responding to a domain name request for an Internet Relay Chat server. Instead of responding with the correct IP address for the server, Cox sends the IP address of its own IRC server (70.168.70.4). That server then sends commands to the computer that attempt to remove malware.

They seem to run some kind of script when the user connects to try and ‘clean’ the machine from infection….even if it’s not infected.

IRC is still used heavily, I don’t really use it much anymore apart from Freenode. The Darknet channel used to be on DALnet back in the day.

Freenode is pretty happening for open source projects though.

Though clever, the tactic is being heavily debated by networking experts on the NANOG mailing list, some of whom question the effectiveness of the technique and who question whether blocking access to the channels for all users (by breaking the DNS protocol) in order to stop some malware is the appropriate solution. Cox does not seem to be blocking all IRC channels, but anyone trying to reach those channels using Cox’s DNS servers will be unable to reach them.

IRC channels are heavily used by programmers, non-traditional communities and black-hat hackers, among others. The malware-infected zombie computers Cox is attempting to clean can also be controlled remotely by having them connect to an IRC channel where they get instructions from their controller.

Interesting stuff eh?

I’m not really sure where I stand ethically on this…what about you?

Source: Wired Blog

I have noticed an increase in Spam activity lately, especially in Spam blog comments there has been a noticeable surge in the frequency and number.

That’s why we’ve implemented stricter measures against spammers on Darknet and our other sites.

It seems there has been a big raise in the number of bot infected systems, so it’s suggested you ramp up your anti-spam filters and get ready for the onslaught.

The number of compromised computers that are part of a centrally controlled bot net has tripled in the past two weeks, according to data gathered by the Shadowserver Foundation, a bot-net takedown group.

The weekly tally of bot-infected PCs tracked by the group rose to nearly 1.2 million this week, up from less than 400,000 infected machines two weeks ago. The surge reversed a sudden drop in infected systems–from 500,000 to less than 400,000–last December.

A pretty big change in the numbers.

The threat to Internet users from bot nets has steadily increased over the past few years. Increasingly, computer systems in China have become infected with bot software and used to attack or spam other targets, according to the latest Internet Security Threat Report published by Symantec, the owner of SecurityFocus. Spammers have taken a shine to bot nets as a way to reliably send stock-touting e-mail campaigns and other mass mailings of junk advertisements. Worms are rapidly being replaced by Trojan horse programs, such as the misnamed Storm Worm, that use a bot net to spam out more copies of the malicious code.

As far as I know the stats are collected by Shadowserver, the guys who are battling the botnets.

Wonder how many of these hosts are Linux based machines, I guess not many.

Source: Security Focus

Well at least it shows the Internet is not very susceptible to such attacks due to its distributed nature, even if the root nameservers are down, the DNS system still functions.

This was a pretty heavy attack though and the most significant in the past 5 years or so, someone testing their ego I guess.

I CAN H4XOR YOUR INTERWEBNETS!

The attack, which began Tuesday at about 5:30 a.m. Eastern time, was the most significant attack against the root servers since an October 2002 distributed denial of service (DDOS) attack, said Ben Petro, senior vice president of services with Internet service provider Neustar. Root servers manage the Internet’s Domain Name System (DNS), used to translate Web addresses such as Amazon.com into the numerical IP addresses used by machines.

Thankfully the Internet didn’t crash, if it did I’d be very sad!

“Two of the root servers suffered badly, although they did not completely crash; some of the others also saw heavy traffic,” said John Crain, chief technical officer with the Internet Corporation for Assigned Names and Numbers (ICANN), in an e-mail interview

The two hardest-hit servers are maintained by the U.S. Department of Defense and ICANN, he added.

The botnet briefly overwhelmed these servers with useless requests, causing them to occasionally hang, but did not disrupt Internet service, Petro said. By 10:30 a.m., Internet service providers were able to filter enough of the traffic from the botnet machines that traffic to and from the root servers was essentially back to normal.

It seems the attack wasn’t that strong and they managed to filter it out, it was in terms of MB rather than GB frequently seen in modern DDoS attacks.

It was just very focused, targeting only the root servers.

Source: Network World

It’s a scary thought to find out perhaps a quarter of Internet connected machines could be zombies…The sad part is, I think it could well be true, as most of the non tech savvy Internet users I know still use Internet Exploder and their machines are riddled with crapware, trojans, viruses and spyware.

Imagine how many Internet enabled PC’s there are…

Criminals controlling millions of personal computers are threatening the internet’s future, experts have warned.

Up to a quarter of computers on the net may be used by cyber criminals in so-called botnets, said Vint Cerf, one of the fathers of the internet.

Technology writer John Markoff said: “It’s as bad as you can imagine, it puts the whole internet at risk.”

The panel of leading experts was discussing the future of the internet at the World Economic Forum in Davos.

The Internet was not built to be resilient to such things, there’s an inherent problem with the Internet and the level of education and awareness of the average Internet user.

Before AOL there was a certain intellectual barrier to getting online, it wasn’t that straight forwards and required a little bit of grey matter.

Now it’s SO easy to get online….the average intelligence of Internet users has dropped dramatically.

Mr Cerf, who is one of the co-developers of the TCP/IP standard that underlies all internet traffic and now works for Google, likened the spread of botnets to a “pandemic”.

Of the 600 million computers currently on the internet, between 100 and 150 million were already part of these botnets, Mr Cerf said

Botnets are made up of large numbers of computers that malicious hackers have brought under their control after infecting them with so-called Trojan virus programs.

And yes, you guessed it…one of the main problems is our good friend Microsoft and their lovely secure Windows.

Plus on top of that, the proliferation of pirated copies of Windows, pressed pirated CD’s of Windows Vista are already available in China and probably other places like Malaysia and Thailand too.

A shocking 50% of these pirated versions come with Trojans pre-installed.

Operating systems like Microsoft Windows, meanwhile, still made it too easy for criminals to infiltrate them, the experts said.

Microsoft had done a good job improving security for its latest operating system, Windows Vista, said Mr Markoff.

But already pirated copies of Vista were circulating in China, even though the consumer launch of Vista has been scheduled for next Tuesday.

Experience showed that about 50% of all pirated Windows programs came with Trojans pre-installed on them, Mr Markoff said.

Ah what to do, just protect yourself and educate those you can be bothered to listen you.

We’ll just let the rest of the world screw themselves up.

Source: BBC News

There’s been a lot of nice Web relevant testing and hacking tools coming out lately, I’ve gotten quite a collection to post about, so do try them out and let me know what you think.

BeEF is the browser exploitation framework. Its purposes in life is to provide an easily integratable framework to demonstrate the impact of browser and cross-site scripting issues in real-time. The modular structure has focused on making module development a trivial process with the intelligence existing within BeEF.

The current version is 0.2.1 and is still a work in progress.

Modules Loaded

The ‘Load Modules’ area shows what modules are available. Clicking on them will load the module into the module console area. The modules are the parts of the application that provide code to be sent to the controlled browser. One of the main strengths of BeEF is the ease in with modules can be written. The require minimal effort to incorporate into the framework.

The module console area shows the modules input and configuration details. The following screenshot show the input options for the Port Scanning Module.

Zombies

The ‘Zombies’ section of the sidebar displays basic details of the browser(s) under control of BeEF. All modules will execute within the zombies listed here.

Download

You can download BeEF here:

beef-v0.3.1.tgz (md5sum: 8e160e72c7b9f1c292b5894d6b8d672c)