Tag: botnet

Hackers take an entire country offline

Hackers have managed to take an entire country offline which, even though it is a small one, shows the power of a denial of service attack.

The Mirai botnet was tuned to attack Liberia in Africa and chucked more than 1.1Tbps at the small country. Security researcher Kevin Beaumont, who was one of the first to notice the attacks and wrote about what he found, said that the attack was launched by one of the largest-capacity botnets ever seen.

One transit provider said the attacks were over 500Gbps in size. Beaumont said that given the volume of traffic, it “appears to be owned by the actor which attacked Dyn”.

Liberia has basic and spotty internet coverage, with a single fibre cable off its shores providing internet to the country. Just six percent of the country has an internet connection, according to official statistics. Most residents with an internet connection used satellite technology to get online until the arrival of the ACE fibre cable in 2011 along the west African coast, which provides a capacity of up to 5.1Tbps and is divided up to serve the entire coast.

“The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state,” said Beaumont.

It is not clear why anyone would want to attack Liberia; some security experts think that it is being used as a testing ground for new cyberweapons.


DDoS attacks getting bigger, more frequent

The frequency and power of DDoS attacks have skyrocketed over the past few months, and the first quarter of 2013 will go down as the worst quarter for DDoS attacks in history.

According to data from Prolexic (PDF), Q1 was a “landmark quarter” for DDoS attacks. The outfit described the volume of attacks as “remarkable”, with more bandwidth and sophistication. Average attack bandwidth was up 718 percent from the previous quarter, going from 5.9Gbps to a staggering 48.2Gbps in the space of just three months.

“Average packet-per-second rate and average bit rate spiked in the first quarter and both are growing at a fast clip,” Prolexic said. “This indicates that advanced malicious actors have become more adept at harnessing the power of large DDoS botnets. Furthermore, it indicates that the malicious groups behind these large-scale attacks are becoming more organized and are coordinating with different veteran crime organizations.”

The vast majority of DDoS attacks originate from small, independent actors and tend to top out at about 1Gbps. However, 50Gbps is more than enough to bring down huge organisations such as banks and cause headaches for even the biggest players. The recent spike in bandwidth means that more low-skilled actors could be able to execute serious attacks.

Worse, at this point nobody seems to be taking these DDoS kids seriously. Small DDoS attacks are viewed as a nuisance and there are simply too many of them to investigate and nab the perpetrators. As the number of botnets and their bandwidth grow at an alarming pace, they could cause a lot more damage while staying under the radar.

Microsoft and Symantec strangle botnet

Microsoft and Symantec have disrupted a global cybercrime operation by shutting down servers that controlled the Bamital botnet.

According to the Microsoft blog, the move made it temporarily impossible for infected PCs around the world to search the web, and both companies offered free tools to clean machines through messages that were automatically pushed out to infected computers.

Using a court order, corporate techies from both outfits raided data centres in Weehawken, New Jersey, and Manassas, Virginia, accompanied by US federal marshals.

Richard Boscovich, assistant general counsel with Microsoft’s Digital Crimes Unit, said that the techies took control of one server at the New Jersey facility and persuaded the operators of the Virginia data centre to take down a server at their parent company in the Netherlands.

Microsoft and Symantec estimate there are between 300,000 and a million PCs infected with malicious Bamital software.

Bamital hijacked search results and engaged in other schemes that the companies said fraudulently charge businesses for online advertisement clicks.

Its owners could take control of infected PCs, installing other types of computer viruses that could engage in identity theft or recruit the PCs into networks that attack websites.

Now that the servers have been shut down, users of infected PCs will be directed to a site informing them that their machines are infected with malicious software when they attempt to search the web.

This is the sixth time that Microsoft has obtained a court order to disrupt a botnet since 2010; this one was a little smaller than its previous takedowns.

Symantec approached Microsoft about a year ago, asking the maker of Windows to collaborate in trying to take down the Bamital operation. Once the servers have been analysed, the companies will learn more about the size of the operation.

It was believed that the ringleaders were scattered all over the world. Some of the people behind it are believed to be from Russia, Romania, Britain, the United States and Australia. They registered the servers using bogus names.

Bamital redirected search results from Google, Yahoo and Microsoft’s Bing search engines to sites with which the authors of the botnet have financial relationships. 

McAfee: Malware at highest level for four years

Malware attacks are at their highest level for four years, according to a McAfee report, with malicious code writers finding new ways to attack mobile devices.

The Intel-owned security company today revealed the results of its quarterly Threats Report, highlighting a 1.5 million increase in malware since the first quarter of 2012.

McAfee Labs’ 500 researchers uncovered almost 100,000 malware samples each day, as attacks became more varied.

“Attacks that we’ve traditionally seen on PCs are now making their way to other devices,” said Vincent Weafer, senior vice president of McAfee Labs.

This included Apple’s Mac devices targeted by the Flashback trojan, for example, as well as the ‘Find and Call’ malware worming its way into the Apple Store.

Also, attacks on mobile devices continued to increase after an explosion of mobile malware in the first quarter, according to McAfee. Nearly all of the new instances of malware were directed towards the Android operating system – including mobile botnets, spyware and SMS-sending malware.

Ransomware, malware which restricts access to a device until money is paid to the attacker, was also on the increase and is becoming a popular tool for cybercriminals. Instances of ransomware, which typically targets PCs, have increased, with attacks increasingly favouring mobile devices.

Cyber criminals have also found new ways to control botnets while staying anonymous, such as using Twitter. Botnets, networks of infected machines used to send spam or to launch distributed denial of service (DDoS) attacks, are now being controlled through the social media site, with attackers tweeting commands to all infected devices. Overall instances of botnet infections reached a 12-month high during the quarter.

Malware being spread through USB thumb drives showed significant increases, with 1.2 million new samples of the AutoRun worm. Password-stealing malware samples also increased by 1.6 million.

Security alliance kills Grum botnet

A botnet which has sent out millions of spam messages daily for months has been killed off thanks to a collaborative effort from security experts in the US, Britain and Russia.

Atif Mushtaq of the California security firm FireEye said that Grum botnet “has finally been knocked down”.

Writing on his blog, Mushtaq said the shutdown was a joint effort of his group with the British-based Spamhaus Project, a nonprofit group, and the Russian-based Computer Security Incident Response Team known as CERT-GIB.

All the known command and control servers are dead, leaving their zombies orphaned.

Researchers also shut down servers in the Netherlands and later in Panama, where “pressure applied by the community” caused the hosting firm to shut it down.

The spam operation moved to new servers in Ukraine after the ones in Panama were closed. With the help of Spamhaus, CERT-GIB and an “anonymous researcher”, all six new servers in Ukraine and the original Russian server were soon dead as well.

Apparently the shutdown was made by the “upstream provider” at the request of the security companies.

The botnet used 120,000 infected “zombie” computers to send out spam each day. Currently only 21,000 of them are functioning at all. Once the spam templates expire, the spam will die off.

The collaborative effort to take down Grum sends a “strong message to all the spammers” that the days of building a botnet to send out spam will come to an end. If previous safe places like Ukraine can no longer be used, then the spammers will have to come up with a new model. Otherwise they will spend a lot of time setting up a botnet only to see it shut down.

Google denies Android botnet claim

Google has denied Microsoft’s allegations that an Android botnet has been created and it is sending out spam.

The claim came earlier this week from Microsoft engineer Terry Zink who said he discovered Android devices were being used to send spam as part of an international Android spam botnet.

Google got on the blower to ZDNet and denied it all. A Google spokesperson said that analysis suggests spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they’re using.

True, the spam does say “Sent from Yahoo! Mail on Android”, and Sophos thinks the messages appear to originate from compromised Google Android smartphones or tablets.

Of course, a compromised PC connected to Yahoo Mail could insert the Message-ID, overriding Yahoo’s own Message-IDs, and add the “Yahoo Mail for Android” tagline at the bottom of the message, all as a deception to make it look like the spam was coming from Android devices.
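A defender-side way to test the kind of claim discussed above is to check whether a message's headers are consistent with the client its tagline names. The following Python script is an added example, not code from the article or from Google, Microsoft or Sophos. It assumes, for the sake of the demonstration, that mail submitted through the provider's own client carries a Message-ID and a first Received hop under that provider's infrastructure domain; the provider domain (mail-provider.example), the hostnames and the sample messages are all constructed placeholders.

```python
import email
from email import policy

# Tagline quoted in the article; only messages that make this claim are inspected.
TAGLINE = "Sent from Yahoo! Mail on Android"
# Constructed placeholder for the provider's mail infrastructure domain. Assumption:
# mail sent through the provider's own client gets a Message-ID and a first
# Received hop under this domain.
PROVIDER_DOMAIN = "mail-provider.example"


def sample_message(first_hop, message_id, claim_android=True):
    """Build a constructed raw message for the demo (not a captured spam sample)."""
    body = "Check this out\n" + (TAGLINE + "\n" if claim_android else "")
    return (
        f"Received: from {first_hop} ({first_hop} [203.0.113.5])\n"
        "    by mx.example.org with ESMTP; Wed, 04 Jul 2012 10:00:00 +0000\n"
        f"Message-ID: {message_id}\n"
        "From: someone@mail-provider.example\n"
        "To: victim@example.org\n"
        "Content-Type: text/plain\n"
        "\n" + body
    )


# Sent through the provider: Message-ID and first hop both under its domain.
GENUINE = sample_message("nm12.bullet.mail-provider.example",
                         "<1341396000.12345.android-client@web120001.mail-provider.example>")
# A compromised PC that forges a provider-style Message-ID but relays via its ISP.
FORGED_ID = sample_message("pc-77.isp.example",
                           "<1341396000.12345.android-client@web120001.mail-provider.example>")
# A cruder spoof: its own Message-ID and an ISP first hop, tagline still appended.
CRUDE = sample_message("pc-77.isp.example", "<20120704100000.ABCDEF@pc-77.isp.example>")
# Ordinary message with no client claim at all; nothing to check.
NO_CLAIM = sample_message("pc-77.isp.example", "<20120704100000.ABCDEF@pc-77.isp.example>",
                          claim_android=False)


def message_id_domain(msg):
    """Domain part of the Message-ID, or None if the header is missing or malformed."""
    raw = msg.get("Message-ID")
    if not raw:
        return None
    addr = str(raw).strip().strip("<>")
    _, at, domain = addr.rpartition("@")
    return domain.lower() if at else None


def earliest_received_host(msg):
    """Host named in the oldest Received header (the last one, since each MTA
    prepends its own). A sender can forge early Received lines, so this is an
    indicator, not proof; the hop added by your own MTA is the trustworthy one."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    tokens = str(received[-1]).split()
    if len(tokens) >= 2 and tokens[0].lower() == "from":
        return tokens[1].lower()
    return None


def under_domain(host, domain):
    return host is not None and (host == domain or host.endswith("." + domain))


def assess(raw):
    """Return the inconsistencies between the tagline's claim and the headers.
    An empty list means either no claim was made or the headers agree with it."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if TAGLINE not in text:
        return []
    findings = []
    mid = message_id_domain(msg)
    if not under_domain(mid, PROVIDER_DOMAIN):
        findings.append(f"Message-ID domain {mid!r} is not under {PROVIDER_DOMAIN}")
    hop = earliest_received_host(msg)
    if not under_domain(hop, PROVIDER_DOMAIN):
        findings.append(f"earliest Received hop {hop!r} is not under {PROVIDER_DOMAIN}")
    return findings


if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("forged-id", FORGED_ID),
                      ("crude", CRUDE), ("no-claim", NO_CLAIM)]:
        print(name, assess(raw) or "consistent")
```

Because the spoofer in the article's scenario controls the Message-ID as well as the tagline, the Received chain carries more weight than the Message-ID here, and even that is only reliable from the hop your own mail exchanger recorded onwards; the check is meant to feed a scoring system, not to classify a message on its own.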

It would be interesting to see Google’s evidence, but so far it has not been forthcoming. 

Armenians jail Bredolab botnet creator

The creator of the Bredolab malware has been jailed for four years. 

Georgy Avanesov used his botnet to launch DDoS attacks that damaged multiple computer systems.

The Office of Armenia’s Prosecutor General said Avanesov is a 27-year-old Russian citizen of Armenian descent.

He was arrested in October 2010 at Zvartnots airport in Yerevan, Armenia, a day after the Dutch High Tech Crime Unit disrupted the Bredolab botnet and seized 143 servers that were used to control it, Computerworld reports.

Avanesov used his botnet to send spam emails and launch DDoS attacks. At its height it had 30 million computers recruited.

Avanesov admitted having created the Bredolab malware, but claimed that he passed it on to an unknown individual without knowledge of the latter’s criminal intentions.

He would have faced a charge of altering information stored on a computer system through means of unauthorised access, stealing computer data, creating hacking software with the intention of selling it and distributing malicious software.

But the charges were dropped because of a decree of “General Amnesty on the Occasion of the 20th Anniversary of the Independence Declaration of the Republic of Armenia”.

Avanesov was found guilty of controlling an attack on a Russian telco called Macomnet.

He told a quarter of his botnet to hit a Macomnet IP address, which resulted in damage to the company’s networking equipment and service downtime for around 192 of its customers, the Prosecutor General’s Office said.

600,000 Macs compromised by Flashback botnet

Apple users will be suffering a crisis of faith, as it was revealed that Apple’s faith-based security system failed to prevent over 600,000 Macs around the world from being compromised by the Flashback Trojan.

Flashback is designed to steal personal information from hapless Mac users, who have mostly been twiddling their thumbs, satisfied with the impenetrable fortress of security that Apple’s machines are, for some reason, perceived to be. It worms its way onto OS X machines and requests administrator passwords; if a user hands one over, the trojan installs itself on the machine and combs it for personal details.

Russian antivirus company Dr. Web first reported that 550,000 Macs around the world had been compromised by the creeping botnet. Later on, CNET reports, one of its analysts said that the figure was more likely to be around 600,000. That included 274 bots discovered in Apple’s stamping ground, Cupertino.

The botnet originally disguised itself as a Flash plug-in. New variants have been popping up since, as it started exploiting a range of Java vulnerabilities to target Macs.

Apple has now released a patch that should squash the vulnerability. Whether or not Apple users will rush to protect their machines is another matter. Earlier this week, Sophos’ Graham Cluley urged users to be vigilant. There had been a “flood of Mac malware activity” against users in mid-2011, with a steady stream since.

Users were encouraged to consider that many cyber attacks are not specifically technical, but rely on social engineering and human folly.

Apple fans would be “foolhardy” not to protect their Macs with anti-virus software and to keep it updated, Cluley said. “Especially as there are free Mac anti-virus options available, you really have nothing to lose”.

Kelihos botnet brought to its knees

The Kelihos spamming botnet has been sidelined by turning its own peer-to-peer mechanism against it, basically hijacking it.

Kelihos spent its days distributing spam for dodgy Canadian pharmaceutical firms. When it was not peddling viagra it was pinching from bitcoin wallets.

CrowdStrike, the security firm that worked with Kaspersky, Dell SecureWorks, and Honeynet Project to bring down the botnet, reverse-engineered the malware code and wrote its own software to ask infected computers to communicate with servers controlled by researchers and coppers.

This stopped the computers from getting instructions for sending spam.

Within minutes, 110,000 infected machines were being sent to the researchers’ sinkhole.

Adam Meyers, director of intelligence at CrowdStrike, told CNET it was cool being able to use an attribute of the botnet, the peer-to-peer networking, to bring it down.

The company injected its code into the botnet by sending it to infected computers, which in turn passed it on to others in a viral distribution manner. Eventually the new code overtakes the network and the bad guys are run out of town.
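To show why handing a small number of peers a sinkhole record is enough to pull a peer-to-peer botnet away from its operators, here is an added Python simulation. It is not CrowdStrike's tool and does not model Kelihos's real protocol; it assumes a simplified gossip rule, constructed for this example, in which every bot keeps a job-server record tagged with a sequence number and adopts the newest record any of its peers holds. The ring-plus-chords topology, the bot count and the addresses are made up.

```python
from dataclasses import dataclass

REAL_C2 = "operator-c2.invalid"         # constructed placeholder for the operator's job server
SINKHOLE = "research-sinkhole.invalid"  # constructed placeholder for the researchers' sinkhole


@dataclass
class Bot:
    peers: list        # indexes of the bots this node polls in each round
    job_server: tuple  # (sequence number, address); the higher sequence number wins


def build_botnet(n, fanout=3):
    """Constructed toy topology: a ring plus fixed-stride chords, so the peer
    graph is connected and the whole simulation is deterministic."""
    bots = []
    for i in range(n):
        candidates = [(i + 1 + 5 * k) % n for k in range(fanout)]
        peers = [p for p in dict.fromkeys(candidates) if p != i]
        bots.append(Bot(peers=peers, job_server=(1, REAL_C2)))
    return bots


def inject_sinkhole(bots, seeds):
    """Give a few bots a job-server record that outranks the operator's one.
    This stands in for the researchers' code reaching a first set of infected
    machines; everything after this point happens through the bots' own
    peer exchange."""
    seq = max(b.job_server[0] for b in bots) + 1
    for s in seeds:
        bots[s].job_server = (seq, SINKHOLE)
    return seq


def gossip_round(bots):
    """One round of peer exchange: every bot polls its peers and keeps the record
    with the highest sequence number it has seen. Returns how many bots changed."""
    snapshot = [b.job_server for b in bots]  # every poll in a round sees the same state
    changed = 0
    for b in bots:
        best = max([b.job_server] + [snapshot[p] for p in b.peers], key=lambda r: r[0])
        if best != b.job_server:
            b.job_server = best
            changed += 1
    return changed


def count_sinkholed(bots):
    return sum(1 for b in bots if b.job_server[1] == SINKHOLE)


def run(n=1000, seeds=(0,)):
    """Return the number of sinkholed bots after each round, starting with the
    seeded state and stopping when a round changes nothing."""
    bots = build_botnet(n)
    inject_sinkhole(bots, seeds)
    history = [count_sinkholed(bots)]
    for _ in range(n):  # the ring edge guarantees convergence within n rounds
        if gossip_round(bots) == 0:
            break
        history.append(count_sinkholed(bots))
    return history


if __name__ == "__main__":
    for seeds in [(0,), (0, 250, 500, 750)]:
        h = run(1000, seeds)
        print(f"{len(seeds)} seed(s): {h[0]} -> {h[-1]} of 1000 bots sinkholed "
              f"in {len(h) - 1} rounds")
```

The point the simulation makes is the one in the article: once a record that outranks the operator's is in circulation, the bots' own peer exchange does the distribution, and the count only ever moves towards the sinkhole. A sinkhole operator still has to keep answering those bots (with harmless instructions) for as long as the machines remain infected, which is why such operations are run jointly with clean-up tooling and law enforcement rather than as a one-off.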

Kelihos was created last October after Microsoft used a sinkhole to halt the original Kelihos botnet, which had infected about 41,000 computers. New Kelihos servers were registered in Sweden, Russia and Ukraine.

The gang that tried to operate it abandoned it two days after the researchers began hijacking it, the company said.

Microsoft takes on Zeus botnets

Microsoft has continued its war on the King of the Botnets, Zeus, by seizing command and control servers under something it has dubbed Operation b71.

Richard Domingues Boscovich, senior attorney of Microsoft’s Digital Crimes Unit, wrote on his blog that Redmond has been doing a lot of research into the worst known Zeus botnets and asking the courts to give them a good kicking.

He said that cybercriminals had built hundreds of botnets using variants of Zeus malware. Operation b71 was focused on botnets using Zeus, SpyEye and Ice-IX, which make up the new Olympus of the Zeus family.

Boscovich said that the complexity of these particular targets meant that, unlike Microsoft’s previous botnet takedown operations, this one did not permanently shut them down.

He said the idea was to strategically disrupt operations to limit the threat in order to cause long-term damage to the cybercriminals that use the botnets to make cash.

Zeus malware uses a tactic called keylogging, which records a person’s every computer keystroke to monitor online activity and gain access to usernames and passwords in order to steal victims’ identities.

Microsoft detected more than 13 million suspected infections of Zeus worldwide, with more than 3 million in the United States.

Microsoft filed a suit on 19 March 2012, asking the court for permission to cut the command and control of the Zeus botnets. Redmond used the Lanham Act in order to physically seize servers from hosting providers and preserve evidence. It also used the Racketeer Influenced and Corrupt Organizations (RICO) Act which is normally used for mobsters.

Boscovich said he did not expect to have wiped out every Zeus botnet operating in the world. However, the operation had disrupted some of the most harmful botnets, and he expected it to harm the cybercriminal underground for quite some time.