21.12.2010

The backdoor offers very simple functionality, mainly to load other components. It has some common tricks to hide itself in the infected machine, in order to make it more difficult for a user to notice its presence.

The main commands that can be sent to the backdoor are: download and run an executable, download and install a plugin, update the bot itself, reboot the machine, and uninstall the bot. The main purpose of this backdoor is therefore to offer a gateway to the attacker so that he can download and install his own malware.

This backdoor is not very widespread yet, but it has the potential to evolve into a more dangerous threat in the future; as always, we recommend that users update their software and security products, and use common sense in order to avoid malware.

via Dream Loader: the new bot C&C engine of your dreams | Symantec Connect.

16.12.2010

I would like to inform you about our recent progress.

We are working hard on releasing the new version of our framework for botnet tracking (Dorothive).

Below you can find some new features:

+ Postgres database

+ the analysis core is being developed in pure Ruby (object oriented, easy addition of new detection rules, e.g. ZeuS, SpyEye, etc.)

+ New visualization techniques: real-time charts (Highcharts or OpenCharts), and AJAX Google APIs for maps. That’s the way.

+ Drone completely coded from scratch in Java: multi-platform, PKI based, TOR/proxy connection, IRC/HTTP compatibility. We are close to launching our first beta. Let me know who is interested in participating as a beta-tester.

+ The analysis engine will be able to detect financial botnets as presented at the APWG conference; here at Barcelona Digital we are going to begin the test phase to acquire some interesting results.

+ and a lot more... :)

More status updates will be released more often, I promise.

Stay tuned!

14.10.2010

Next Tuesday (October 19) I’m going to present a research-in-progress paper that I wrote with the e-Crime team of Barcelona Digital and Marco Cremonini from the Department of Information Technology of the Università degli Studi di Milano.

The title of our paper is “A Framework For Financial Botnet Analysis”, and it will be presented at the Anti-Phishing Working Group (APWG) conference, which this year will be held in Dallas. Our work is a research study, still in progress, on developing new detection and mitigation strategies to cope with financial botnets.

The proposed research partially relies on a customized version of the Dorothy Framework, improving its overall development status. The Italian Chapter of the Honeynet Project is proud to see that its work is going to be useful for such a purpose as well, and this publication will encourage its future research.

04.10.2010

Some blogs, stories, and white papers that covered SpyEye have been released but none of them really talked about the interface and how criminals may be using it.

The actual interface is broken down into two components. The first component is the front-end interface called “CN 1” or “Main Access Panel.” This interface is where the bot master can interact with the bots. It shows statistics in relation to infected machines.

The second interface is more like the back end and is called “SYN 1” or “Formgrabber Access Panel.” This interface actually collects and logs data. Moreover, it also allows the bot master to make queries against the collected data and to view the stolen data through the interface. In this post, the first one in a two-post series, we will first look at CN 1 and how it may be used.

[..]

via The SpyEye Interface, Part 1: CN 1 | Malware Blog | Trend Micro.

04.10.2010

The Internet Engineering Task Force (IETF) approved a customized version of the XML-based Instant Object Description Exchange Format (IODEF). Extensions have been added to it that are appropriate for creating standard e-crime reports.

The format allows for unambiguous time stamps, support for different languages and a feature to attach samples of malicious code. It solves the problem facing the security industry of inconsistent reports, which make it harder to spot trends and react faster. [..]

via IETF approves e-crime reporting format – Computerworld.

30.09.2010

In the latest of a series of arrests to be made in relation to online bank fraud, the Met’s e-crime unit has struck again, taking 19 alleged cyber-criminals into custody.

The gang is suspected of having stolen some £6 million over the last three months, according to the BBC News (just enough money for them to be able to construct their own bionic man).

via Police nab 19 over Zeus botnet bank fraud.

28.09.2010

In this post, we are going to talk about a better alternative planned by a ZeuS gang: infect the mobile device and sniff all the SMS messages that are being delivered. The scenario is now easier:

1. The attacker steals both the online username and password using malware (ZeuS 2.x)

2. The attacker infects the user’s mobile device by forcing him to install a malicious application (he sends an SMS with a link to the malicious mobile application)

3. The attacker logs in with the stolen credentials using the user’s computer as a socks/proxy and performs a specific operation that needs SMS authentication

4. An SMS is sent to the user’s mobile device with the authentication code. The malicious software running on the device forwards the SMS to another terminal controlled by the attacker

5. The attacker fills in the authentication code and completes the operation.

via S21sec Security Blog: ZeuS Mitmo: Man-in-the-mobile (I).

28.09.2010

The flaw in the Zeus crimeware kit makes it trivial to hijack the C&C, or command and control, channels used to send instructions and software updates to compromised computers that often number in the hundreds of thousands. There are in turn thousands or tens of thousands of botnets that are spawned from Zeus, and the vast majority are susceptible to the technique.

via Zeus botnets’ Achilles’ Heel makes infiltration easy • The Register.

The full blog post here.

20.09.2010

[..]

Over the years Zeus has been released in a lot of different versions, adding or changing functionality, and is highly flexible in its configuration, so this is just a snapshot of one version (1.2.7.19), giving an overview of its functionality.

In the early part of this blog I will disclose the process involved in building and distributing a Zeus botnet in the wild. In the later part, I will discuss how Zeus captures personal information by injecting code dynamically, and finally give some thoughts on command and control.

[..]

via Computer Security Research – McAfee Labs Blog.

20.09.2010

Basically, the scam works like this: the botmaster acquires some freeware utility or legitimate program, renames it, claims it as his own and puts it up for sale at one of several pre-selected software sales and distribution platforms, including ClickBank, FastSpring, eSellerate, SetSystems, or Shareit. The botmaster then logs in to his SpyEye control panel, pictured above, feeds it a list of credit card numbers and corresponding cardholder data, after which SpyEye opens an Internet Explorer window and — at user-defined intervals — starts auto-filling the proper fields at the botmaster’s online store and making purchases.

via SpyEye Botnet’s Bogus Billing Feature — Krebs on Security.