2010
03.30

Hosting UA in Odessa, one of the main data centers and hosts in Ukraine, is offline due to a major fire.

Figure 1 Hosting Ua – Fire – courtesy watcher.com.ua

AS41665 HOSTING-AS National Hosting Provider, UA, with 144,384 IP addresses, was #4 on the HostExploit Bad Hosts Report in December 2009 out of 34,000 ASNs (autonomous servers / hosts) compared for serving badness on the Internet.

via Russian Business Network (RBN): Hosting Ukraine Burnt Out | HostExploit.

2010
03.30

PandaLabs published its report analyzing the IT security events and incidents of the first three months of the year.

The amount of new malware in circulation has continued to increase. In this first quarter, the most prevalent category was once again banker Trojans, accounting for 61% of all new malware.

The second-placed category was traditional viruses (15.13%), despite having practically disappeared in recent years.

via 61% of new threats are banker Trojans.

2010
03.15

Folks,

I will attend the Italian Security Summit 2010 in Milan on March 18th, for the challenge “Best Italian thesis about IS – 2009”.

I will present the Dorothy Project as a work related to the honeynet chapter, showing all our latest improvements.

Hope to see you there!

Regards

2010
03.12

Security experts are tracking a massive drop in the global number of control servers for various ZeuS botnets that are online, suggesting that a coordinated takedown effort may have been executed by law enforcement and/or volunteers from the security research community acting in tandem.

[….]

Update, 4:36 p.m. ET: Sadly, it appears that Troyak — the Internet provider that played host to all these ZeuS-infested networks that got knocked offline yesterday — has since found another upstream provider to once again connect it to the rest of the Internet.

Update, Mar. 11, 5:48 p.m. ET: Zeustracker recently posted this update to its site: Bad news: Since Troyak started their peering with RTCOM-AS, the number of active ZeuS C&C servers has increased from 149 up to 191. For now, more than 40 ZeuS C&C servers are back online! This means that the cybercriminals are now able to move the stolen data to a safe place or a backup server. Additionally, the cybercriminals are able to update their config files served to the infected clients to set up a fallback server (if Troyak disappears from the internet again).

via Dozens of ZeuS Botnets Knocked Offline — Krebs on Security.

An updated graph from zeustracker:

The graph shows a sharp recovery of Zeus activity during the last day. Online Zeus configs increased steeply from 149 to 223.

This information tells us that the criminals are reacting to the Troyak-AS takedown by updating their zombies to contact a new C&C. Therefore, Zeus activity will probably rally again over the next day.

In addition: Koobface worm doubles C&C servers in 48 hours.

2010
03.12

Another Zeus Trojan report provided by SecureWorks.

2010
03.11

Interesting report about the current status of the Zeus botnet, provided by TrendMicro.

zeusapersistentcriminalenterprise.pdf

2010
03.05

RSA Conference 2010 — Russian hackers have written a more sophisticated version of the infamous BlackEnergy Trojan associated with the 2008 cyberattacks against Georgia that now targets Russian and Ukrainian online banking customers.

“The rules have changed,” Stewart says. “There was once an unwritten rule that they didn’t attack their own banks.”

But like most cybercrime operations, money is money, and the BlackEnergy botnet gang appears to be expanding its operations for more profit.

While the Zeus Trojan remains the most popular Trojan, Stewart says BlackEnergy 2 can do things Zeus cannot, such as stealing online credentials plus DDoS-ing. BlackEnergy 2 also steals the user’s private encryption key. Stewart has written an analysis of the Trojan, available here.

via New BlackEnergy Trojan Targeting Russian, Ukrainian Banks – DarkReading.

2010
03.03

SAN FRANCISCO (AP) — Authorities have smashed one of the world’s biggest networks of virus-infected computers, a data vacuum that stole credit cards and online banking credentials from as many as 12.7 million poisoned PCs.

The “botnet” of infected computers included PCs inside more than half of the Fortune 1,000 companies and more than 40 major banks, according to investigators.

Spanish investigators, working with private computer-security firms, have arrested the three alleged ringleaders of the so-called Mariposa botnet, which appeared in December 2008 and grew into one of the biggest weapons of cybercrime. More arrests are expected soon in other countries.

Spanish authorities have planned a news conference for Wednesday in Madrid.

[….]

Also, the suspects go against the stereotype of genius programmers often associated with cyber crime. The suspects weren't brilliant hackers but had underworld contacts who helped them build and operate the botnet, Cesar Lorenza, a captain with Spain's Guardia Civil, which is investigating the case, told The Associated Press.

Investigators were examining bank records and seized computers to determine how much money the criminals made.

[….]

via News from The Associated Press.

An analysis report by DefenceIntelligence is available here.