Forgot your password?
typodupeerror

Slashdot stories can be listened to in audio form via an RSS feed, as read by our own robotic overlord.

Security

New Cridex Malware Copies Tactics From GameOver Zeus 18

Posted by samzenpus
from the imitation-is-the-sincerest-form-of-flattery dept.
Trailrunner7 writes The GameOver Zeus malware had a nice run for itself, making untold millions of dollars for its creators. But it was a run that ended with a multi-continent operation from law enforcement and security researchers to disassemble the infrastructure. Now researchers have identified a new variant of the Cridex malware that has adopted some of the techniques that made GOZ so successful in its day.

Researchers at IBM's X-Force research team have seen a new version of Cridex, which is also known as Bugat and Feodo, using some of the same techniques that GOZ used to such good effect. Specifically, the new strain of malware has adopted GOZ's penchant for using HTML injections, and the researchers say the technique is nearly identical to the way that GOZ handled it.

"There are two possible explanations for this. First, someone from the GOZ group could have moved to the Bugat team. This would not be the first time something like this has happened, which we've witnessed in other cases involving Zeus and Citadel; however, it is not very likely in this case since Bugat and GOZ are essentially competitors, while Zeus and Citadel are closely related. The second and more likely explanation is that the Bugat team could have analyzed and perhaps reversed the GOZ malware before copying the HTML injections that made GOZ so highly profitable for its operators," Etay Maor, a senior fraud prevention strategist at IBM, wrote in an analysis of the new malware.
Botnet

Alleged Massive Account and Password Seizure By Russian Group 126

Posted by Unknown Lamer
from the security-through-well-everyone-else-is-compromised-too dept.
New submitter Rigodi (1000552) writes "The New York Times reported on August 5th that a massive collection of stolen email passwords and website accounts have been accumulated by an alleged Russian "crime ring". Over 1.2 billion accounts were compromised ... the attack scheme is essentially the old and well known SQL injection tactic using a botnet. The Information has been made public to coincide with the Blackhat conference to cause a debate about the classic security account and password system weaknesses, urging the industry to find new ways to perform authentication. What do Black Hat security conference participants have to say about that in Vegas?
The Internet

Internet Census 2012 Data Examined: Authentic, But Chaotic and Unethical 32

Posted by timothy
from the could-have-been-worse dept.
An anonymous reader writes "A team of researchers at the TU Berlin and RWTH Aachen presented an analysis of the Internet Census 2012 data set (here's the PDF) in the July edition of the ACM Sigcomm Computer Communication Review journal. After its release on March 17, 2013 by an anonymous author, the Internet Census data created an immediate media buzz, mainly due to its unethical data collection methodology that exploited default passwords to form the Carna botnet. The now published analysis suggests that the released data set is authentic and not faked, but also reveals a rather chaotic picture. The Census suffers from a number of methodological flaws and also lacks meta-data information, which renders the data unusable for many further analyses. As a result, the researchers have not been able to verify several claims that the anonymous author(s) made in the published Internet Census report. The researchers also point to similar but legal efforts measuring the Internet and remark that the illegally measured Internet Census 2012 is not only unethical but might have been overrated by the press."
Botnet

Pushdo Trojan Infects 11,000 Systems In 24 Hours 32

Posted by Unknown Lamer
from the bots-everywhere dept.
An anonymous reader writes Bitdefender has discovered that a new variant of the Trojan component, Pushdo, has emerged. 77 machines have been infected in the UK via the botnet in the past 24 hours, with more than 11,000 infections reported worldwide in the same period. The countries most affected so far by the Pushdo variant are India, Vietnam and Turkey. Since Pushdo has resurfaced, the public and private keys used to protect the communication between the bots and the Command and Control Servers have been changed, but the communication protocol remains the same.
Crime

Source Code Leaked For Tinba Banking Trojan 75

Posted by timothy
from the small-can-be-potent dept.
msm1267 (2804139) writes "The source code for Tinba, known as the smallest banker Trojan in circulation, has been posted on an underground forum. Researchers say that the files turned out to be the source code for version one of Tinba, which was identified in 2012, and is the original, privately sold version of the crimeware kit. Tinba performs many of the same malicious functions as other banker Trojans, injecting itself into running processes on an infected machine, including the browser and explorer.exe. The malware is designed to steal financial information, including banking credentials and credit-card data and also makes each infected computer part of a botnet. Compromised machines communicate with command-and-control servers over encrypted channels. Tinba got its name from an abbreviation of "tiny banker," and researchers say that it's only about 20 KB in size."
Botnet

Gameover ZeuS Re-Emerges As Fast-Fluxing Botnet 62

Posted by Soulskill
from the game-not-quite-over-after-all dept.
New submitter tylke (621801) writes: "Brian Krebs is reporting that the Gameover ZeuS botnet recently taken down by the U.S. Justice Department in June has re-emerged. The new variant of the Trojan is "stripped of the P2P code, and relies instead on an approach known as fast-flux hosting," a kind of round-robin technique that lets botnets hide phishing and malware delivery sites behind a network of compromised systems. Krebs says, "[T]his variant also includes a 'domain name generation algorithm' or DGA, which is a failsafe mechanism that can be invoked if the botnet’s normal communications system fails. The DGA creates a constantly-changing list of domain names each week (gibberish domains that are essentially long jumbles of letters). In the event that systems infected with the malware can’t reach the fast-flux servers for new updates, the code instructs the botted systems to seek out active domains from the list specified in the DGA. All the botmasters need to do in this case to regain control over his crime machine is register just one of those domains and place the update instructions there." (Disclosure: I work for Malcovery Security, the company credited with identifying the new variant.)
Microsoft

Tired of Playing Cyber Cop, Microsoft Looks For Partners In Crime Fighting 113

Posted by Soulskill
from the every-batman-needs-a-robin dept.
chicksdaddy writes: When it comes to fighting cybercrime, few companies can claim to have done as much as Redmond, Washington-based Microsoft, which spent the last five years as the Internet's Dirty Harry: using its size, legal muscle and wealth to single-handedly take down cyber criminal networks from Citadel, to Zeus to the recent seizure of servers belonging to the (shady) managed DNS provider NO-IP. The company's aggressive posture towards cyber crime outfits and the companies that enable them has earned it praise, but also criticism. That was the case last week after legitimate customers of NO-IP alleged that Microsoft's unilateral action had disrupted their business. There's evidence that those criticisms are hitting home – and that Microsoft may be growing weary of its role as judge, jury and executioner of online scams. Microsoft Senior Program Manager Holly Stewart gave a sober assessment of the software industry's fight against cyber criminal groups and other malicious actors. Speaking to a gathering of cyber security experts and investigators at the 26th annual FIRST Conference in Boston, she said that the company has doubts about the long term effectiveness of its botnet and malware takedowns.
Crime

Justice Dept. Names ZeuS Trojan Author, Seizes Control of P2P "Gameover" Botnet 76

Posted by samzenpus
from the shutting-it-down dept.
tsu doh nimh (609154) writes "The U.S. Justice Department announced today an international law enforcement operation to seize control over the Gameover ZeuS botnet, a sprawling network of hacked Microsoft Windows computers that currently infects an estimated 500,000 to 1 million compromised systems globally. Experts say PCs infected with Gameover are being harvested for sensitive financial and personal data, and that the botnet is responsible for more than $100 million in losses from online banking account takeovers. The government alleges that Gameover also was rented out to an elite cadre of hackers for use in online extortion attacks, spam and other illicit moneymaking schemes. In a complaint unsealed today, the DOJ further alleges that ZeuS and Gameover are the brainchild of a Russian man named Evgeniy Mikhailovich Bogachev, a.k.a. 'Slavik.'"
Networking

200-400 Gbps DDoS Attacks Are Now Normal 92

Posted by Soulskill
from the distributed-denial-of-sherbet dept.
An anonymous reader writes "Brian Krebs has a followup to this week's 400 Gbps DDoS attack using NTP amplification. Krebs, as a computer security writer, has often been the target of DDoS attacks. He was also hit by a 200Gbps attack this week (apparently, from a 15-year-old in Illinois). That kind of volume would have been record-breaking only a couple of years ago, but now it's just normal. Arbor Networks says we've entered the 'hockey stick' era of DDoS attacks, as a graph of attack volume spikes sharply over the past year. CloudFlare's CEO wrote, 'Monday's DDoS proved these attacks aren't just theoretical. To generate approximately 400Gbps of traffic, the attacker used 4,529 NTP servers running on 1,298 different networks. On average, each of these servers sent 87Mbps of traffic to the intended victim on CloudFlare's network. Remarkably, it is possible that the attacker used only a single server running on a network that allowed source IP address spoofing to initiate the requests. An attacker with a 1 Gbps connection can theoretically generate more than 200Gbps of DDoS traffic.' In a statement to Krebs, he added, 'We have an attack of over 100 Gbps almost every hour of every day.'"
Security

ShapeShifter: Beatable, But We'll Hear More About It 102

Posted by Soulskill
from the unknown-sample dept.
Slashdot contributor Bennett Haselton writes: "A California company called Shape Security claims that their network box can disable malware attacks, by using polymorphism to rewrite webpages before they are sent to the user's browser. Most programmers will immediately spot several ways that the system can be defeated, but it may still slow attackers down or divert them towards other targets." Read on for the rest of Bennett's thoughts.
Security

Microsoft Remotely Deleted Tor From Windows Machines To Stop Botnet 214

Posted by timothy
from the because-they-can dept.
An anonymous reader writes "Microsoft remotely deleted old versions of Tor anonymizing software from Windows machines to prevent them from being exploited by Sefnit, a botnet that spread through the Tor network. It's unclear how many machines were affected, but the total number of computers on the Tor network ballooned from 1 million to 5.5 million as Sefnit spread. 'By October, the Tor network had dropped two million users thanks to Sefnit clients that had been axed. No one, not even the Tor developers themselves, knew how Microsoft had gone on a silent offensive against such a big opponent and won a decisive battle,' the Daily Dot reported. In a blog post, Microsoft claimed it views Tor as a 'good application,' but leaving it installed presented a severe threat to the infected machines."
Android

Massive Android Mobile Botnet Hijacking SMS Data 117

Posted by Soulskill
from the all-your-texts-are-belong-to-us dept.
wiredmikey writes "A mobile botnet called MisoSMS is wreaking havoc on the Android platform, stealing personal SMS messages and exfiltrating them to attackers in China. Researchers at FireEye lifted the curtain off the threat on Monday, describing MisoSMS as 'one of the largest advanced mobile botnets to date' and warning that it is being used in more than 60 spyware campaigns. FireEye tracked the infections to Android devices in Korea and noted that the attackers are logging into command-and-controls in from Korea and mainland China, among other locations, to periodically read the stolen SMS messages. FireEye's research team discovered a total of 64 mobile botnet campaigns in the MisoSMS malware family and a command-and-control that comprises more than 450 unique malicious e-mail accounts."
Botnet

Europol, Microsoft Target 2-Million Strong ZeroAccess Click Fraud Botnet 44

Posted by Soulskill
from the go-big-or-go-home dept.
tsu doh nimh writes "Authorities in Europe joined Microsoft Corp. this week in disrupting 'ZeroAccess,' a vast botnet that has enslaved more than two million PCs with malicious software in an elaborate and lucrative scheme to defraud online advertisers. KrebsOnSecurity.com writes that it remains unclear how much this coordinated action will impact the operations of ZeroAccess over the long term, but for now the PCs infected with the malware remain infected and awaiting new instructions. ZeroAccess employs a peer-to-peer architecture in which new instructions and payloads are distributed from one infected host to another. The actions this week appear to have targeted the servers that deliver a specific component of ZeroAccess that gives infected systems new instructions on how to defraud various online advertisers, including Microsoft. While this effort will not disable the ZeroAccess botnet (the infected systems will likely remain infected), it should allow Microsoft to determine which online affiliates and publishers are associated with the miscreants behind ZeroAccess, since those publishers will have stopped sending traffic directly after the takedown occurred. Europol has a released a statement on this action, and Microsoft has published a large number of documents related to its John Doe lawsuits intended to unmask the botnet the ZeroAccess operators and shut down the botnet."
Security

Two Million Passwords Compromised By Keylogger Virus 174

Posted by samzenpus
from the protect-ya-neck dept.
Ocean Consulting writes "CNN is reporting that over two million passwords from web service companies such as Google, Facebook, Twitter and Yahoo have been captured via a key logging virus. The story is based on information released by security firm Trustwave. The report critiques how bad people are at making secure passwords, but does mention the use of Pony Botnet Controller."
Botnet

A Mercenary Approach To Botnets 34

Posted by Soulskill
from the highest-bidder-gets-your-grandma's-bank-account dept.
CowboyRobot writes "The incentives are high for many businesses and government agencies to not be too heavy handed in combating the global botnet pandemic. There's money to be had and, with each passing day, more interesting ways are being uncovered in how to package the data, and how to employ it. It used to be that the worlds of bug hunters and malware analysts were separate and far between. In the last couple of years the ability to analyze malware samples and identify exploitable vulnerabilities in them has become very important. Given that some botnets have a bigger pool of victims than many commercial software vendors have licensed customers, the value of an exploit that grants reliable remote control of a popular malware agent is rising in value. In many ways, botnets have become a golden goose to those charged with gathering intelligence on the populations of foreign entities. The bulk of the victim's data is useful for mapping populations, communication profiles, and as egress points for counter intelligence exercises. Then, given how many botnet victims there are, the probability that a few 'interesting' computers will have succumbed along the way is similarly high — providing direct insight in to a pool of high value targets."
Security

Skydiving Accident Leaves Security Guru Cedric 'Sid' Blancher Dead At 37 332

Posted by timothy
from the regards-to-his-friends-and-family dept.
An anonymous reader points out The Register's report that Wi-Fi security expert Cédric 'Sid' Blancher has died as the result of a skydiving accident. "Among other things, the 37-year-old Blancher was a sought-after speaker on WiFi security, and in 2005 published a Python-based WiFi traffic injection tool called Wifitap. In 2006, while working for the EADS Corporate Research centre, he also put together a paper on how to exploit Skype to act as a botnet." Some of Blancher's skydiving videos are posted to Vimeo; clearly, it's something he was passionate about.
Botnet

A Live Map of Ongoing DDoS Attacks 46

Posted by Soulskill
from the all-the-traffic-you-can-eat dept.
Daniel_Stuckey writes "Check out the Digital Attack Map. It was produced in a collaborative effort by Google Ideas and Arbor Networks to raise awareness about distributed denial of service attacks. You know, those malicious digital attempts to choke, or shutdown websites by sending them volumes of traffic far too large for them to handle. The map 'surfaces anonymous attack traffic data to let users explore historic trends and find reports of outages happening on a given day,' as its about page explains. Created using attack data from Arbor's 'ATLAS® global threat intelligence system,' this is the D.A.R.E. of DDoS — it's about the danger of having information streams cut off. Under the heading 'DDoS Attacks Matter,' Google and Arbor explain that 'sites covering elections are brought down to influence their outcome, media sites are attacked to censor stories, and businesses are taken offline by competitors looking for a leg up.'" This comes alongside Google's announcement of Project Shield, the company's homegrown DDoS mitigation service.
Botnet

The Hail Mary Cloud and the Lessons Learned 99

Posted by timothy
from the not-so-full-of-grace dept.
badger.foo writes "Against ridiculous odds and even after gaining some media focus, the botnet dubbed The Hail Mary Cloud apparently succeeded in staying under the radar and kept compromising Linux machines for several years. This article sums up the known facts about the botnet and suggests some practical measures to keep your servers safe."
Bitcoin

Sinkhole Sucks Brains From Wasteful Bitcoin Mining Botnet 203

Posted by Unknown Lamer
from the so-that's-why-the-computer-lit-on-fire dept.
judgecorp writes "A sinkhole has taken a quarter of the bots out of the ZeroAcess botnet which was making money for its operators through click fraud and Bitcoin mining. This particular Bitcoin mining operation was only profitable through the use of stolen electricity — according to Symantec, which operated the sinkhole, ZeroAccess was using $561,000 of electricity a day on infected PCs, to generate about $2000 worth of Bitcoin."
Security

LexisNexis and Other Major Data Brokers Hacked By ID Theft Service 99

Posted by Unknown Lamer
from the someone-forgot-to-install-rkhunter dept.
gewalker writes "Have we reached the point where it is time to admit that the ID thieves are winning and will continue to win as long as their incentives are sufficient to make it lucrative for them? According to Krebs On Security an analysis of a database pilfered from commercial identity thieves identified breaches in 25 data brokers including the heavyweights Dun and Bradstreet and LexisNexis." And they had access for months to most of them. From the article: The botnet’s online dashboard for the LexisNexis systems shows that a tiny unauthorized program called nbc.exe was placed on the servers as far back as April 10, 2013, suggesting the intruders have had access to the company’s internal networks for at least the past five months. The program was designed to open an encrypted channel of communications from within LexisNexis’s internal systems to the botnet controller on the public Internet." The companies compromised aggregated data for things like "credit decisions, business-to-business marketing and supply chain management. ... employment background, drug and health screening."

Too much of everything is just enough. -- Bob Wier

Working...