Tag: botnet

RAMNIT sent to the works

A three million strong botnet which filled the world with phishing emails has been shut down thanks to the efforts of the National Crime Agency’s National Cyber Crime Unit (NCCU) and police in the Netherlands, Italy and Germany.

The shut-down was co-ordinated through Europol’s European Cybercrime Centre (EC3), which also shut down command and control servers used by the RAMNIT botnet.

Investigators believe that RAMNIT may have infected over three million computers worldwide, with around 33,000 of those being in the UK. It has so far largely been used to attempt to take money from bank accounts. Analysis is now taking place on the servers and an investigation is ongoing.

RAMNIT was one of the most prevalent botnets in McAfee Threat reports for some time and Europol was alerted to RAMNIT by Microsoft, after data analysis showed a big increase in infections.

Steve Pye from the NCA’s National Cyber Crime Unit said: “Through this operation, we are disrupting a cyber crime threat which has left thousands of ordinary computer users in the UK at risk of having their privacy and personal information compromised.”

“This malware effectively gives criminals a back door so they can take control of your computer, access your images, passwords or personal data and even use it to circulate further spam messages or launch illegal attacks on other websites. As a result of this action, the UK is safer from RAMNIT, but it is important that individuals take action now to disinfect their machines, and protect their personal information,” Pye said.


Android Trojan could be bane of corporations

One of the longest running multipurpose mobile botnets has been updated to become stealthier and more resilient, and it could be a major headache for businesses.

Dubbed NotCompatible, the botnet is mainly used for instant message spam and rogue ticket purchases, but it could be used to launch targeted attacks against corporate networks because the malware allows attackers to use the infected devices as proxies.

Researchers from security firm Lookout said that the mobile Trojan was discovered in 2012 and was the first Android malware to be distributed as a drive-by download from compromised websites.

Devices visiting such sites would automatically start downloading a malicious Android application package file. Users would then see notifications about the finished downloads and would click on them, prompting the malicious application to install if their devices had the “unknown sources” setting enabled.

A newly found version of the Trojan program, called NotCompatible.C, encrypts its communications with the C&C servers, making the traffic indistinguishable from legitimate SSL, SSH or VPN traffic.

Lookout security researchers wrote in their blog that the malware can also communicate with other infected devices directly, forming a peer-to-peer network that offers powerful redundancy in case the main C&C servers are shut down.

The Lookout researchers believe that the botnet is likely rented to other cybercriminals for different activities and the Trojan’s proxy capability makes it a potential threat to corporates.

If a device infected with NotCompatible.C is brought into an organisation, it could give the botnet’s operators access to that organisation’s network, the Lookout researchers said.

“Using the NotCompatible proxy, an attacker could potentially do anything from enumerating vulnerable hosts inside the network, to exploiting vulnerabilities and search for exposed data.”

“We believe that NotCompatible is already present on many corporate networks because we have observed, via Lookout’s user base, hundreds of corporate networks with devices that have encountered NotCompatible,” the Lookout researchers said.

Ah, the unternet of thangs ain’t what they used to be.


Attackers quick to Bash Linux

Attackers have been quick to exploit the Shellshock Bash command interpreter bug, and a botnet is currently trying to infect other servers.

Italian security consultancy Tiger Security’s Emanuele Gentili said the “wopbot” botnet is active and scanning the internet for vulnerable systems, including at the United States Department of Defence.

The botnet, named “wopbot”, runs on Linux servers and uses the Bash Shellshock bug to auto-infect others, he said.

It has so far been used to launch a distributed denial of service attack against servers hosted by content delivery network Akamai, and is aiming for other targets, Gentili said.

The malware has conducted a massive scan of the United States Department of Defence internet protocol address range on TCP port 23 (Telnet) “for brute force attack purposes,” he said.

Gentili said Tiger Security had contacted UK provider M247 and managed to get the wopbot botnet command and control system taken down from that network.

The botmaster server for wopbot, which is hosted by US network Datawagon, is still distributing malware.

He thinks that the wopbot botnet will grow like topsy as it can infect more than 200,000 zombies in an hour or so.

The ‘Shellshock’ remotely exploitable vulnerability in the Bash Linux command-line shell was discovered yesterday, with researchers warning of its potential to become larger than the severe Heartbleed OpenSSL flaw uncovered earlier this year.

Millions of Apache webservers around the world could be at risk if their common gateway interface (CGI) scripts invoke Bash. The malware can also recruit Apple gear into the botnet without too many problems.
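A defensive illustration added here, not code from the article or from Tiger Security: a Shellshock probe against a CGI script arrives as an HTTP header value that starts with the Bash function-definition prefix “() {”, so web-server access logs can be swept for that prefix. The log lines below are constructed samples; the field names and the /cgi-bin/ heuristic are this example’s own assumptions.

```python
import re

# Constructed Apache "combined" log lines (sample data, not from the article).
# Lines 2 and 4 carry the "() {" prefix that a Shellshock probe places in a
# header; line 3 contains a brace but no "()" and must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 45 "-" "() { :;}; echo vuln"
203.0.113.5 - - [25/Sep/2014:10:01:09 +0000] "GET /about.html HTTP/1.1" 200 301 "-" "curl/7.35.0 {test}"
198.51.100.2 - - [25/Sep/2014:10:02:11 +0000] "GET /index.html HTTP/1.1" 404 0 "() { :;}; echo vuln" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The Bash function-export prefix that Shellshock payloads begin with.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_line(line):
    """Return a dict of log fields plus the request path, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["req"].split()
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    return rec


def find_shellshock_probes(log_text):
    """Flag requests whose user-agent, referer or request line carries "() {".

    Each hit records which field held the prefix and whether the target path
    is under /cgi-bin/ (assumed heuristic: CGI paths are where Bash is invoked,
    so those hits deserve the earliest attention).
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("ua", "ref", "req"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({"ip": rec["ip"], "path": rec["path"],
                             "field": field,
                             "cgi": rec["path"].startswith("/cgi-bin/")})
                break
    return hits
```

Running find_shellshock_probes(SAMPLE_LOG) on the constructed lines returns two hits: the /cgi-bin/ request with the prefix in its user-agent, and the non-CGI request with the prefix in its referer.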


Microsoft tries to snatch victory from defeat

Software giant Microsoft has attempted to claim victory in its quest to shut down the Bladabindi and Jenxcus botnets, which infected more than 4.7 million PCs.

Vole went on its own to play cyber cop against the botnet and found itself in a PR nightmare after its actions resulted in shutting down hundreds of legitimate sites.

Microsoft has also identified at least another 4.7 million infected machines, though many are likely still controlled by the botnet.

The botnet has the most members in India, followed by Pakistan, Egypt, Brazil, Algeria and Mexico.

Richard Domingues Boscovich, assistant general counsel of the unit, said Microsoft would quickly provide government authorities and Internet service providers around the world with the IP addresses of infected machines so they can help users remove the viruses.

“Those victims are currently not aware they are infected,” Boscovich said in an interview.

Boscovich claims that the operation is the most successful of the 10 launched to date by Microsoft’s Digital Crimes Unit, based on the number of infected machines identified.

What Vole did was intercept traffic headed to servers at Reno, Nevada-based Vitalwerks Internet Solutions. Apparently, the criminals were using free accounts on its No-IP.com services.

But it did not go that well: Vitalwerks slammed the way Microsoft handled the operation, saying some 1.8 million of its users lost service for several days.

Microsoft has apologized, blaming “a technical error” for the disruption, saying service to customers has been restored.