Tag Archives: botnet

Network security could be tested by bigger, badder DDoS attacks

Filed under Security News
Botnets of ever-expanding size could be used to perform large-scale distributed denial of service attacks against selected computers, experts say, disrupting some of the internet's most basic functionality.

Andy Ellis, the CSO of Akamai Technologies, told CIO magazine that it's possible that even the creators of the botnets are not fully aware of how widely their creations have spread, though PC World reports that a quarter of botnet-infected PCs are in enterprise networks.

Ellis also said that the DDoS attacks of today are far more sophisticated than the worm-driven ones of the past. Instead of worms like Mydoom or Blaster, which dramatically slow the machines they infect, CIO reports, today's botnets target servers with a flood of seemingly legitimate connection requests. The resulting slowdown affects only the targeted machine, which can quickly exhaust its allotted bandwidth and cease to be reachable.
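
The detail above, that each bot's requests look ordinary on their own, is what makes this kind of flood hard to spot per source. The following is an added example, not code from the article or from Akamai, using a constructed and simplified log format (`<epoch_seconds> <client_ip> <method> <path>`): a per-IP threshold catches one greedy client but says nothing about the bots, while a check on the aggregate request rate does.

```python
from collections import defaultdict

def parse_line(line):
    # Constructed log format: "<epoch_seconds> <client_ip> <method> <path>"
    ts, ip, method, path = line.split()
    return int(ts), ip, method, path

def detect(lines, per_ip_limit=20, aggregate_limit=200):
    """Return (noisy_ips, flood_seconds).

    noisy_ips: sources exceeding per_ip_limit requests in any one second
               (the classic single misbehaving client).
    flood_seconds: seconds where total requests exceed aggregate_limit even
               though no single source crosses per_ip_limit, i.e. the
               distributed case the article describes.
    """
    per_sec_ip = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, ip, _, _ = parse_line(line)
        per_sec_ip[ts][ip] += 1
    noisy_ips, flood_seconds = set(), []
    for ts, ips in sorted(per_sec_ip.items()):
        total = sum(ips.values())
        busiest = max(ips.values())
        for ip, n in ips.items():
            if n > per_ip_limit:
                noisy_ips.add(ip)
        if total > aggregate_limit and busiest <= per_ip_limit:
            flood_seconds.append(ts)
    return sorted(noisy_ips), flood_seconds

def build_sample():
    """Constructed traffic (not a real capture): five ordinary visitors for
    20 seconds, one greedy client at t=5, then 300 bots for t=10..19 that
    each send only 3 requests per second."""
    lines = []
    for ts in range(20):
        for i in range(5):
            lines += [f"{ts} 192.0.2.{i} GET /index.html"] * 2
    lines += ["5 198.51.100.1 GET /search?q=x"] * 50
    for ts in range(10, 20):
        for b in range(300):
            lines += [f"{ts} 10.0.{b // 256}.{b % 256} GET /"] * 3
    return lines

if __name__ == "__main__":
    noisy, flood = detect(build_sample())
    print("per-IP offenders:", noisy)          # only the greedy client
    print("aggregate flood seconds:", flood)   # t=10..19, bots invisible per IP
```

The bot addresses never appear in the per-IP list, which is why rate limiting alone does not defend against a botnet flood; an aggregate baseline or upstream scrubbing is needed.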

Experts say that botnets typically spread via phishing and some types of worm programs, which can automatically spread themselves across a network without any action by a human user beyond the initial infection.

Score one for the good guys: White hats take down Mega-D botnet

Filed under Security News
Although malicious software and programming rose dramatically in 2009, computer security experts recorded a rare win with the demolition of the Mega-D botnet, thought to be responsible for an untold volume of email spam.

Security researcher Atif Mushtaq had tracked Mega-D for several months, according to PC World, before suddenly shifting his efforts from reconnaissance to attack last month. PC World reports that Mushtaq targeted the botnet's command and control servers, which issued instructions to infected computers and allowed the cyber criminals behind Mega-D to launch their spam campaigns.

Isolating and deactivating the domains that hosted Mega-D's command infrastructure was easy in the U.S., according to PC World, but more difficult overseas: besides the domestic servers, the malware was being hosted on servers in Turkey and Israel.

Info Security reports that the defeat of Mega-D caused a noticeable drop in global spam output, but warned that cyber criminals would rapidly reactivate their operations in a different form. The Rustock botnet, formerly hosted on the servers of rogue ISP McColo, remains at large, according to Info Security.

Amazon cloud services attacked by zombie computers

Filed under Security News
The popular EC2 cloud hosting service operated by Amazon suffered a botnet attack last week, and it was revealed that the service was unwittingly playing host to a command-and-control unit for the malicious software.

A botnet formed by the infamous Zeus Trojan was found to have infected some of EC2's client sites and to have spread to others through the cloud service provider. The result was several service outages last week, made worse by the fact that they coincided with power failures at an Amazon facility in northern Virginia.

Amazon told CNET that "When we find misuse, we take action quickly and shut it down...which we did in this case. Our terms of usage are clear and we continually monitor and work to make sure the services aren't used for illegal activity. We also take the privacy of our customers very seriously, and don't inspect their instances."

EC2 offers the type of highly customizable - and more importantly, scalable - cloud hosting solutions that proponents of the cloud model say will revolutionize the IT world. However, the controversy over security and reliability will only be fanned by last week's events.

Botnets, like legitimate software, are moving to the cloud

Filed under Security News
The infamous Zeus Trojan has a cloud computing component, according to security researchers at CA. The identity theft-enabling malware apparently has a primary command-and-control system that works via Amazon's EC2 cloud computing service.

The "xmas2.exe" application - Zeus in one of its many disguises - was distributed by spam mail campaigns telling prospective victims that they have received a holiday ecard which can be retrieved by clicking on the Zeus-infected link. The malicious URL directs victims to a legitimate website that has been compromised to serve the malware.

Dancho Danchev at ZDNet writes that the cyber criminals are using the RDS managed database service offered by Amazon as a backup to their EC2-based primary command-and-control system. Danchev also says that Amazon has been insufficiently receptive to the concerns of the security community, and that the Zeus criminals may have selected their cloud provider wisely.

Two people were arrested last month in Great Britain over their involvement with the Zeus Trojan, but recent information shows that the malware is still going strong and posing a threat to private data.

Researchers say that Gumblar botnet is entirely automated

Filed under Security News
The Gumblar botnet, an interconnected group of PCs infected by specific types of malware, appears to work more or less by itself, according to security experts at Kaspersky Labs.

Gumblar's password-stealing and malware-spreading activities are not directly controlled by a human being, but rather by a small number of specialized command-and-control servers known as dispatchers. Kaspersky's researchers estimate that there are fewer than 10 Gumblar dispatchers currently active, compared to roughly 50 injectors - which host the malicious code - over 700 infectors, and more than 40,000 redirectors, which are compromised sites that point users to the infection sites.

PC Magazine says that the dispatcher machines are probably PHP-based servers running Linux. The humans behind the Gumblar botnet only have to visit the dispatcher servers occasionally to update the malicious code so that it continues to evade network security measures.

Botnets are a commercial enterprise these days, as the creators of the zombie computer groups frequently construct them and then sell or lease them to groups or individuals for use in DDoS attacks or spam campaigns.

Botnets proliferate, making DDoS attacks cheaper

Filed under Security News
Network security researchers tracking online criminal activity say the underground marketplace for networks of hacked computers - botnets - has become so crowded in recent years that renting a botnet to launch attacks is becoming cheaper.

Botnets, which can be used by bot-herders to send out waves of spam and malware and to launch distributed denial-of-service (DDoS) attacks to take down websites and servers, are traded and rented out to attackers as a kind of black market software-as-a-service.

But as more PCs become infected by proliferating worms and Trojan malware, the price to rent a botnet is becoming progressively cheaper, according to Jose Nazario, security researcher for Arbor Networks.

"The barriers to entry in that marketplace are so low you have people basically flooding the market," Nazario said, according to Computerworld. "The way you differentiate yourself is on price."

Security researchers at Finjan previously discovered a trading platform called Golden Cash that sells batches of 1,000 infected PCs - an infected PC is called a "zombie" or bot - for as little as $25 to $500.

Researchers said not all of the botnet rentals are equally dangerous, so low-end attackers may not be getting much for their money.

MAAWG: Spam fools nearly one-third of email users

Filed under Security News
Almost one-third of consumers admit responding to an email message they suspected was spam, according to a survey by the Messaging Anti-Abuse Working Group (MAAWG), which the group said indicates a general lack of awareness of email-borne security threats.

That rate of response is much higher than the one reported by a more empirical study conducted by Cal-Berkeley researchers, which monitored 469 million spam emails sent by the Storm botnet.

But MAAWG, a coalition of major telecoms and network operators, said the survey nevertheless shows that users are "not necessarily as alert or cautious as they should be to proactively protect themselves against spam, online fraud and other email-related hazards."

The report, based on interviews with 800 non-expert computer users in the United States and Canada who used personal email addresses not managed by an IT department, could show web security firms how to target their solutions to consumers, MAAWG said.

Ferris Research, which conducted the study, said that network operators and security vendors should consider offering remote bot mitigation.

About 63 percent of those surveyed would allow their network operator or antivirus vendor to remotely access their computer to remove detected bots.

Spam and cyberscams follow techniques of legitimate business

Filed under Security News
Cybercriminals such as the botnet operators who unleash spam and malware increasingly borrow techniques from legitimate businesses to make their attacks more effective, according to the mid-year web security report from Cisco.

Driven by the bottom line, cybercriminals have been forming partnerships with one another to help make their illegal activities more lucrative. Botnet owners are renting out their networks of compromised PCs, effectively using the software-as-a-service (SaaS) model to spread spam and malware.

"What is striking in our latest findings is how, in addition to using their technical skills to cast a wide net and avoid detection, these criminals are also demonstrating some strong business acumen," said Patrick Peterson, Cisco fellow and chief security researcher.

Other tactics of spammers include what Cisco calls "spamdexing," the use of black-hat SEO to draw web traffic to compromised websites. By loading up sites with keywords or search terms, cybercriminals push their hacked sites higher in search engine rankings.

Traditional spam is now being rivaled by SMS spam on mobile devices. Cisco describes the rapidly growing mobile device audience as a "new frontier for fraud irresistible to criminals," with a field of some 4.1 billion mobile phone subscriptions worldwide.

Rustock botnet leads spam surge up 60 percent in 2009

Filed under Security News
Spammers have now completely recovered the capacity lost last November with the shutdown of the botnet-hosting ISP McColo, and spam levels reached 90 percent of all email in the first half of 2009, according to the latest spam report from web security firm Marshal8e6.

From January to June 2009, spam email surged by 60 percent, with 40 percent of spam coming from the Rustock botnet of compromised PCs, the report said.

Bradley Anstis, director of technology strategy at Marshal8e6, said Rustock has specialized in image spam and spoofing HTML templates from legitimate newsletters and inserts to lend spam the appearance of professional, legitimate email. Image spam spiked to account for 10 percent of all spam, he said.

Other spam trends observed by the firm include the predominance of pharmaceutical spam, which now makes up 75 percent of junk email, and the use of spam messages on social networking sites including Twitter to spread malware.

Legitimate websites being compromised by hackers and serving up spam to unsuspecting visitors represents a growing threat, according to the report. Roughly 70 percent of sites hosting malicious content are legitimate sites that have been hacked.

"Web browsers are categorically one of the most dangerous applications on a user's computer," Anstis said.

Green Dam web filter still vulnerable to exploits

Filed under Security News
Green Dam Youth Escort, the web filtering software China is requiring PC-makers to preinstall on all new machines sold in the country starting July 1, is still vulnerable to exploits that web security experts warn could lead to the creation of a botnet for spreading malware.

China's government insists that the software is necessary for blocking access to pornographic content, but researchers using the software said it also blocks political content and tracks online activity.

Earlier this month, security researchers from the University of Michigan identified two security flaws that could have allowed remote parties to execute arbitrary code and take control of the computer; the software maker has since patched both.

But the researchers said last week they had discovered another security hole in the latest version, which a maliciously crafted website could exploit to take control of the computer. It took them only an hour to find the bug, they said.

The researchers wrote that making Green Dam safe from exploits will require substantial changes and careful retesting.

"It is unlikely that the required changes can be completed … before China's July 1 deadline for mandatory distribution of Green Dam with new PCs," they wrote.

Another security researcher has posted attack code, which has been circulating in the wild for a week, to the Milw0rm website, according to CNET News.