16.09
2010

During a recent investigation into a server hosting SpyEye, we noticed that there were several open directories that led to other control panels. SpyEye was also the same malware family that recently targeted Polish users. One of the control panels is for URLZone/Bebloh. The other control panel, on the other hand, did not have any name or version so we named it after the server, “Spencerlor.” The investigation led to the discovery of what seems to be three botnets running on one server, which appears to be operated by at least two remote users, as the logs revealed.

[..]

These screenshots clearly show the constant improvements that bot control panels undergo. As shown here, cybercriminals are finding newer means to automate money transfer.

via One Server, Multiple Botnets | Malware Blog | Trend Micro.

15.09
2010

Security researchers have discovered another botnet that uses Twitter as a command and control channel. Malware-infected drones in the Mehika Twitter botnet, active in Mexico this summer, take instructions from a Twitter account maintained by hackers instead of conventional command and control servers. The use of Twitter as a botnet command channel was first detected in August 2009 before similar techniques were applied to abuse Facebook profiles as command channels a few months later in November.

via Mexican Twitter-controlled botnet unpicked • The Register.

13.09
2010
[..]
According to their respective configuration files, the versions of these samples are 1.3.7.0 and 1.4.1.3. Let’s see the most relevant differences in comparison with the most common versions:

[..]

- Encrypted connection. Both the downloading of the configuration file and access to the control panel are made through an SSL connection. This is new; both 1.x and 2.x perform an HTTP connection in plain text, sending the encrypted data along with their respective algorithms.

- Change of encryption. The encryption used is the RC4 seen to date, but with a slight change in its “step”. It doesn’t use the XOR encryption layer used by versions 2.x.

[..]

S21sec Security Blog: ZeuS: The missing link.

13.09
2010

[..] but I can assure you the site’s designers sure did a superb job making it look legitimate. Included on nearly every page are pictures of fellow “employees,” and exemplary trainees, which are really just photos lifted from dozens of random Web sites. Among my favorite areas of the site is the Agent Awards section, which includes a couple of photos swiped from Travel Weekly.

via A One-Stop Money Mule Fraud Shop — Krebs on Security.

09.09
2010

We were able to further investigate a command-and-control (C&C) server of a SpyEye botnet, most of whose zombies were located in Poland. This is somewhat unusual, as bot herders prefer to target Western countries like the United States, the United Kingdom, Germany, Italy, Spain, and France.

via Uncovered Spyeye C&C Server Targets Polish Users | Malware Blog | Trend Micro.

09.09
2010

The FC5: Log Mysteries challenge started last week thanks to the collaboration of Raffael Marty, Anton Chuvakin and Sebastien Tricaud.

Everybody is welcome to participate in this intriguing challenge!

Below are the instructions for the challenge:

The Challenge:
Analyze the attached sanitized_log.zip and answer the following questions:

  1. Was the system compromised and when? How do you know that for sure? (5pts)
  2. If the system was compromised, what was the method used? (5pts)
  3. Can you locate how many attackers failed? If some succeeded, how many were they? How many stopped attacking after the first success? (5pts)
  4. What happened after the brute force attack? (5pts)
  5. Locate the authentication logs. Was a brute-force attack performed? If yes, how many? (5pts)
  6. What is the timeline of significant events? How certain are you of the timing? (5pts)
  7. Anything else that looks suspicious in the logs? Any misconfigurations? Other issues? (5pts)
  8. Was an automatic tool used to perform the attack? If yes, which one? (5pts)
  9. What can you say about the attacker’s goals and methods? (5pts)

Bonus. What would you have done to avoid this attack? (5pts)

This is the website of the challenge, where you can find all other details.

Enjoy!
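Questions 3 to 5 of the challenge boil down to parsing sshd authentication lines, counting failures per source and spotting a success that follows a burst of failures. The script below is an added example written for this post, not part of the challenge material or its sanitized_log.zip; the log lines are constructed, the hostname, addresses and the year 2010 are assumptions, and the threshold of three failures is an arbitrary tuning knob.

```python
import re
from datetime import datetime

# Constructed sample in OpenSSH/syslog format (not taken from the challenge's archive).
SAMPLE_LOG = """\
Apr 19 05:41:44 app-1 sshd[2190]: Failed password for invalid user admin from 10.0.0.5 port 4410 ssh2
Apr 19 05:41:45 app-1 sshd[2192]: Failed password for invalid user admin from 10.0.0.5 port 4411 ssh2
Apr 19 05:41:47 app-1 sshd[2194]: Failed password for root from 10.0.0.5 port 4412 ssh2
Apr 19 05:41:49 app-1 sshd[2196]: Accepted password for root from 10.0.0.5 port 4413 ssh2
Apr 19 05:42:02 app-1 sshd[2201]: Failed password for root from 192.0.2.9 port 5001 ssh2
Apr 19 06:10:13 app-1 sshd[2300]: Accepted publickey for alice from 198.51.100.7 port 6000 ssh2
"""

# Matches both "Failed"/"Accepted" outcomes and the optional "invalid user" marker.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_events(text, year=2010):
    """Yield one dict per sshd auth line. Syslog omits the year, so it is supplied
    by the caller (2010 here is an assumption, not a value from the challenge)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}

def analyse(text, threshold=3):
    """Return (failures per source IP, successes that followed >= threshold failures
    from the same IP). The second list is the 'brute force then login' timeline."""
    failures = {}
    compromised = []
    for ev in parse_events(text):
        if ev["result"] == "Failed":
            failures[ev["ip"]] = failures.get(ev["ip"], 0) + 1
        elif failures.get(ev["ip"], 0) >= threshold:
            compromised.append((ev["ts"].isoformat(), ev["ip"], ev["user"], failures[ev["ip"]]))
    return failures, compromised

if __name__ == "__main__":
    fails, hits = analyse(SAMPLE_LOG)
    print("failed attempts per source:", fails)
    for hit in hits:
        print("success after brute force:", hit)
```

Against a real auth.log, rotate the year at the December/January boundary and widen the regex if the log also carries PAM or `Invalid user` lines you want in the timeline.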

10.08
2010

Time for summer

Folks,

We would like to wish you all a nice summer holiday!

We will be back at work in September, releasing new updates about our current projects.

See you there!

06.08
2010

Security researchers warn that multiple recent Zbot variants are using a forged digital signature in an attempt to bypass antivirus detection. Ironically the digital signature was copied from a ZeuS removal tool developed by Kaspersky Lab.

[..]

There have been isolated cases of digitally-signed malware before, but the practice never really took off, primarily because malware authors believed the effort doesn’t justify the benefits.

[..]

via Zbot Authors Forge Kaspersky Digital Signature – Copy it from ZeuZ removal tool – Softpedia.

04.08
2010

Trusteer, the leading provider of secure browsing services, today announced that it has uncovered a large Zeus version 2 botnet being used to conduct financial fraud in the UK which is operated and controlled from Eastern Europe. The botnet appears to be controlling more than 100,000 infected computers, 98% of which are UK Internet users.

via Trusteer: Trusteer uncovers Zeus botnet that plunders over 100,000 UK Internet user credentials.

03.08
2010

According to a newly published report by AVG, upon obtaining access to a mini ZeuS botnet dubbed Mumba, part of Avalanche group’s online operations, they found 60GB of stolen data such as accounting details for social networking sites, banking accounts, credit card numbers and intercepted emails.

via Researchers peek inside a mini ZeuS botnet, find 60GB of stolen data | ZDNet.