Botnets have always been considered a severe threat that removes PCs and servers from IT control. However, botnet compromises have always come from the accidental and unknowing installation of bot malware. The purposeful and intentional acceptance of bot malware, however laudable the cause, presents a dangerous challenge to any organization concerned about maintaining control over network assets and demonstrating proper fiduciary responsibility.

In short, the introduction of social networking CnC and an increasingly diverse range of motivations and common-cause group memberships is opening the doors to new cyber-protesting possibilities – and to criminal misappropriation of hacktivist botnets. This whitepaper examines the evolutionary path of opt-in botnets, including how tactics have changed, why anyone would willingly choose to join a botnet, and what activist botnets mean to organizations that find themselves both victims and enablers of a botnet-driven attack.

From: Damballa.com.

Security experts are tracking a massive drop in the global number of control servers for various ZeuS botnets that are online, suggesting that a coordinated takedown effort may have been executed by law enforcement and/or volunteers from the security research community acting in tandem.

[....]

Update, 4:36 p.m. ET: Sadly, it appears that Troyak — the Internet provider that played host to all these ZeuS-infested networks that got knocked offline yesterday — has since found another upstream provider to once again connect it to the rest of the Internet.

Update, Mar. 11, 5:48 p.m. ET: Zeustracker recently posted this update to its site: Bad news: Since Troyak started their peering with RTCOM-AS, the number of active ZeuS C&C servers has increasted from 149 up to 191. For now, more than 40 ZeuS C&C servers are back online! This means that the cybercriminals are now able to move the stolen data to a safe place or a backup server. Additionally, the cybercriminals are able to update their config files served to the infected clients to set up a fallback server (if Troyak will disappear from the internet again).

via Dozens of ZeuS Botnets Knocked Offline — Krebs on Security.

An updated graph from zeustracker :

The graph shows a sharp recover of   the Zeus activity during the last day. Online Zeus Configs had increased steeply for 149 to 223.

This information tell us  that the criminals are reacting to the Troyak-as take-off by updating their zombies to contact a new C&C. Therefore, the Zeus activity will probably rally again in the next day.

In addition, Koobface worm doubles C&C servers in 48 hours

SAN FRANCISCO (AP) — Authorities have smashed one of the world’s biggest networks of virus-infected computers, a data vacuum that stole credit cards and online banking credentials from as many as 12.7 million poisoned PCs.

The “botnet” of infected computers included PCs inside more than half of the Fortune 1,000 companies and more than 40 major banks, according to investigators.

Spanish investigators, working with private computer-security firms, have arrested the three alleged ringleaders of the so-called Mariposa botnet, which appeared in December 2008 and grew into one of the biggest weapons of cybercrime. More arrests are expected soon in other countries.

Spanish authorities have planned a news conference for Wednesday in Madrid.

[....]

Also, the suspects go against the stereotype of genius programmers often associated with cyber crime. The suspects weren't brilliant hackers but had underworld contacts who helped them build and operate the botnet, Cesar Lorenza, a captain with Spain's Guardia Civil, which is investigating the case, told The Associated Press.

Investigators were examining bank records and seized computers to determine how much money the criminals made.

[....]

via News from The Associated Press.

An Analysis report by DefenceIntelligence  here

The takedown of the Waledac botnet that Microsoft executed this week – known internally as “Operation b49” – was the result of months of investigation and the innovative application of a tried and true legal strategy.

[..]

In a recent analysis, Microsoft found that between December 3-21, 2009, approximately 651 million spam emails attributable to Waledac were directed to Hotmail accounts alone, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks and more.

[..]

This action has quickly and effectively cut off traffic to Waledac at the “.com” or domain registry level, severing the connection between the command and control centers of the botnet and most of its thousands of zombie computers around the world.

via The Official Microsoft Blog – Cracking Down on Botnets.

Well done.

Port Austin, Mich. based United Shortline Insurance Service Inc., an insurance provider serving the railroad industry, discovered on Feb. 5 that the computer used by their firm’s controller was behaving oddly and would not respond. The company’s computer technician scoured the system with multiple security tools, and found it had been invaded by “ZeuS,” a highly sophisticated banking Trojan that steals passwords and allows criminals to control infected hosts remotely

[...]

“The bank said whoever logged in to make these transfers successfully answered those questions,” he said. “They had some very detailed information. [The thieves] knew our patterns, they knew our passwords, my mother’s middle name, favorite sports team. And this is all information I don’t even have written down anywhere.”

via Hackers Steal $150,000 from Mich. Insurance Firm — Krebs on Security.

via Top 10 botnets and their impact.

Hope to see you there!