This botnet has infected nearly a million devices since 2014

By | TechSpot

One of the many ways that cybercriminals earn income is through affiliate advertising programs like Google’s AdSense. Rather than generate traffic through content creation, hackers figure out ways to trick advertising platforms into thinking a partner is sending them legitimate traffic. Not knowing they’re being scammed, the advertising platform pays the partner for the referral.

Such is the case with a clickbot known as Redirector.Paco which Bitdefender Labs detailed on Monday.

According to the security firm, Redirector.Paco has been active in the wild since September 2014. On an infected system, whenever you perform a query on a popular search engine like Bing, Google or Yahoo, the search results are replaced with affiliate links which, when clicked, generate revenue for the hacker.

Bitdefender Labs says the malware is able to redirect traffic by making a few simple registry tweaks on the infected system which tells the browser to send the traffic to a different address. The malware attempts to make the search results look authentic although there are signs – like messages in the status bar referencing a proxy – that indicate something is amiss.

Lengthy load times are also an indicator of infection, Bitdefender Labs said.

The malware has infected more than 900,000 IPs worldwide, most of which are located in Algeria, Brazil, Greece, India, Italy, Malaysia, Pakistan and the US. The payload is typically injected into modified installers for trusted programs including Connectify, WinRAR, KMSPico, Start8, Stardock and YouTube Downloader.

Microsoft, global law enforcement agencies disrupt Dorkbot botnet

By | Techspot

Microsoft, in cooperation with a number of law enforcement agencies around the world, managed to disrupt a botnet that’s infected over a million PCs across more than 190 countries.

First discovered in April 2011, Dorkbot is an IRC-based botnet that has been commercialized by its creator and is readily available for purchase on underground online forums as NgrBot. The malware relies on USB drives, social networks, IM clients, spam and drive-by downloads for distribution.

It’s most often used to steal login credentials for many of today’s top sites and services including AOL, eBay, Facebook, Gmail, Godaddy, Netflix, PayPal, Steam, Twitter, Yahoo and YouTube.

Over the past six months, Microsoft said it detected Dorkbot on roughly 100,000 systems each month with the majority of infections spotted internationally.

Microsoft said it worked with CERT Polska, ESET, the Canadian Radio-television and Telecommunications Commission, the Department of Homeland Security’s United States Computer Emergency Readiness Team, Europol, the Federal Bureau of Investigation, Interpol and the Royal Canadian Mounted Police to disrupt the botnet.

Details on exactly what actions were taken to disrupt Dorkbot weren’t mentioned.

The US Computer Emergency Readiness Team (CERT) advises those that have been infected to use and maintain anti-virus software, change passwords, keep operating system and application software up-to-date, use anti-malware tools and disable Windows Autorun.

ZeusVM malware building tool leak may cause botnet surge

The Internet could see a new wave of botnets based on the ZeusVM banking Trojan after the tools needed to build and customize the malware program were published online for free.

The source code for the builder and control panel of ZeusVM version was leaked sometime in June, according to a malware research outfit called Malware Must Die (MMD). The leak was kept under wraps by the researchers as they tried to stop the files from becoming widely available, an effort that ultimately exceeded their resources.

As a result, the group decided to go public with the information Sunday in order to alert the whole security community so that mitigation strategies can be developed.

ZeusVM, also known as KINS, is a computer Trojan that hijacks the browser process in order to modify or steal information from websites opened by victims on their computers. It’s primarily used to steal online banking credentials, but other types of websites can also be targeted as long as attackers list them in the configuration file downloaded by the Trojan from the Internet.

As its name suggests, ZeusVM is based on the infamous Zeus Trojan, whose own source code was leaked in 2011 after years of being the primary malware tool used for online banking fraud.

It seems that the new ZeusVM leak does not contain the source code for the actual Trojan, which could have allowed other malware writers to create more powerful variants. However, the builder and control panel are all that attackers need to start their own ZeusVM version 2 botnet, for free.

The builder is a program that allows attackers to create customized ZeusVM binary files, which can then be used to infect computers. The customization involves modifying things like the URL of the command-and-control server where the Trojan will connect or the key used to encrypt its configuration files.

The control panel is the Web application that runs on the command-and-control server and is used to receive and send data to ZeusVM-infected computers. It’s needed to manage the botnet.

It’s not clear who leaked the two ZeusVM tools or why, but the MMD researchers recently spotted sale offers for a new version of KINS—version 3.0—on underground forums for US$5,000.

So in addition to a surge of new ZeusVM v2 botnets, the security community should also expect attacks with a new version of the Trojan soon, the MMD researchers said in their report.

via ZeusVM malware building tool leak may cause botnet surge | PCWorld.

Botnet malware discovered on server


Thanks to a poor initial launch followed a few months later by the Heartbleed scare, has had its share of security problems. Now, we can add one more security snafu to the list. In early July, a hacker was able to infiltrate a server connected to, deposit malware on it, and remain undetected for about a month and a half.

The good news is no personal information was compromised and it appears the malware was never actually used, according to CNN. The compromised server was a test machine that site developers use to try out code before pushing it live on the servers hosting the actual site. The server did not contain any personally sensitive information such as names or Social Security numbers.

The problem was the test server was never supposed to be connected to the Internet and its security was not as robust as other servers on the network.

But’s inattentiveness was the anonymous hacker’s gain.

Searching government networks for vulnerable servers, the hacker was able to break in because the server’s default password had not been changed, according to The Wall Street Journal. Even the U.S. government, it seems, can do with a refresher course every now and then on security.

From the sounds of it, this latest intrusion was little more than a close call. The malware itself was designed to add the test server to a botnet, which could then be used to attack other websites with distributed denial-of-service attacks (DDoS). Botnets are also routinely used to distribute spam email.

The hack on certainly could’ve been worse—if, for example, hackers were able to use the test server to get into other servers that did contain sensitive information.

Luckily that didn’t happen. What’s most concerning, however, is that it took site operators until August 25 to discover the intrusion. CNN reports that since the malware was not actually operational it was more difficult to discover. Nevertheless, clearly needs to audit its systems to make sure something like this doesn’t happen again, especially with the next open enrollment period slated to begin in a few months’ time on November 15.

via Botnet malware discovered on server | PCWorld.

Facebook helped shut down ‘Lecpetex’ botnet responsible for turning PCs into Litecoin miners

Law enforcement officials in Greece arrested two people last week that they believe were responsible for operating a botnet called Lecpetex. The hackers reportedly infiltrated up to 50,000 Facebook accounts and some 250,000 computers which were used to mine Litecoins, a popular alternative virtual currency similar to Bitcoins.

As outlined in a blog post, Facebook’s Threat Infrastructure team has been working with several industry partners over the last seven months to eradicate the botnet. It took that long to bring down Lecpetex primarily because it featured multiple technical features that made it more resilient to analysis and disruption efforts.

For example, its authors made continuous changes to the malware to avoid detection by anti-virus software.

The method of infection wasn’t all that clever, however. They simply sent spam messages to thousands (maybe millions) of users and those who didn’t know any better opened the attachments, ultimately infecting their computer.

Those behind Lecpetex eventually caught on to Facebook’s efforts to shut it down, even leaving notes on command-and-control servers proclaiming their innocence. On April 30, the social network reached out to Greek police who quickly launched an investigation. By July 3, two suspects had been taken into custody.

Facebook’s post goes into a lot more detail than we have time to cover here. If you’re interested in the finer details of the botnet, feel free to pop over and check out the full post.

via Facebook helped shut down ‘Lecpetex’ botnet responsible for turning PCs into Litecoin miners – TechSpot.

One-click test finds Gameover Zeus infections on PCs

Users can test by simply visiting a Web page if their computers have been infected with Gameover Zeus, a sophisticated online banking Trojan that law enforcement officers temporarily disrupted last week.

The one-click test was developed by security researchers from antivirus vendor F-Secure and takes advantage of the malware’s aggressive URL matching algorithm.

Gameover Zeus monitors and injects rogue code into Web browsing sessions when users access banking and other popular websites from infected computers. The targeted sites are determined by regular-expression-based rules listed in the malware’s configuration file.

For example, to steal log-in credentials for or other Amazon websites the malware monitors if any URLs accessed in the browser match the following regular expression: http.*?://.*?amazon..*?/.*?. However, this regular expression matches not just Amazon sites, but any URL that has “amazon” in it, including

“We can use this to ‘trick’ Gameover bots and make an easy check to see if an infection is present in your browser!” said Antti Tikkanen, director of security response at F-Secure, in a blog post Monday.

Tricking an infected PC to “bite”

Visiting the test page set up by F-Secure from a Gameover-infected computer will force the malware to inject its malicious code into it. The page then performs a check on itself to detect if Gameover-specific code was added.

“We search for the string ‘LoadInjectScript’,” Tikkanen said. “If the string is found on the page, we know Gameover Zeus has infected your browser!”

The test is not perfect though, because the malware doesn’t support native 64-bit browsers, so visiting the F-Secure page from such a browser will not detect the infection. Users are therefore advised to perform the test using a 32-bit version of Internet Explorer, Google Chrome or Mozilla Firefox.
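The two mechanics behind the one-click test, modelled as an added example (not code from the PCWorld article or from F-Secure’s test page): the over-broad Amazon rule quoted above, and a page checking its own HTML for the injected “LoadInjectScript” marker. The scoped comparison rule, the sample URLs and the sample pages are constructed for illustration; the real bot configuration and F-Secure’s page code are not on the page.

```javascript
// Added example: models the Gameover Zeus one-click test described above.
// Not code from F-Secure or the article; sample data below is constructed.

// The target rule as quoted in the article: http.*?://.*?amazon..*?/.*?
// The "." after "amazon" is unescaped, so it matches ANY character. The rule
// therefore fires on any URL containing "amazon" followed by one more
// character and a later "/", not only on Amazon's own hosts.
const GAMEOVER_AMAZON_RULE = /http.*?:\/\/.*?amazon..*?\/.*?/;

// A defender's properly scoped host rule, for comparison (constructed; the
// TLD list is illustrative, not the bot's real configuration).
const SCOPED_AMAZON_RULE = /^https?:\/\/(?:[^\/]+\.)?amazon\.(?:com|co\.uk|de)\//i;

function matchesGameoverRule(url) {
  return GAMEOVER_AMAZON_RULE.test(url);
}

function matchesScopedRule(url) {
  return SCOPED_AMAZON_RULE.test(url);
}

// Return the URLs the bot's rule hits that a correctly scoped rule does not.
// Any such URL can host a detection page, which is the trick F-Secure used.
function overMatchedUrls(urls) {
  return urls.filter((u) => matchesGameoverRule(u) && !matchesScopedRule(u));
}

// Marker string F-Secure's page searches for, as quoted in the article.
const INJECT_MARKER = 'LoadInjectScript';

// Page-side self-check: given the page's own serialized HTML (in a browser,
// document.documentElement.outerHTML), report whether the bot's web-inject
// code was added. Takes a string here so it can be exercised offline.
function pageLooksInjected(html) {
  return html.indexOf(INJECT_MARKER) !== -1;
}

// Constructed URLs: a real Amazon host, an unrelated host with "amazon" in
// the path, and one with no "amazon" at all.
const SAMPLE_URLS = [
  'https://www.amazon.com/gp/cart',
  'https://example.test/amazon-check/index.html',
  'https://example.test/news/',
];

// Constructed pages: a clean copy of the check page and one with a script
// block of the kind a bot would inject (the script body is a placeholder).
const CLEAN_PAGE =
  '<html><body><p>check page</p></body></html>';
const INJECTED_PAGE =
  '<html><body><p>check page</p>' +
  '<script>/* placeholder */ LoadInjectScript();</script></body></html>';

console.log('over-matched URLs:', overMatchedUrls(SAMPLE_URLS));
console.log('clean page injected?', pageLooksInjected(CLEAN_PAGE));
console.log('injected page injected?', pageLooksInjected(INJECTED_PAGE));
```

As the article notes, the bot does not hook native 64-bit browsers, so a self-check like this only reports an infection when run from a 32-bit browser on the infected system.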

F-Secure also provides a free online scanner that is capable of detecting and removing the threat.

Law enforcement agencies from multiple countries worked with security vendors to disrupt the Gameover Zeus botnet at the beginning of June.

According to the FBI, the malware infected over 1 million computers and was used to steal millions of dollars from businesses and Internet users worldwide. It was also used to distribute CryptoLocker, a separate malware threat that encrypts files and asks for a ransom to restore them.

The Gameover Zeus botnet has a peer-to-peer architecture with no single point of failure, so it’s possible that its operators might attempt to regain control of it in the future. Because of this, users are advised to scan their computers and remove the malware, if found, as soon as possible.

via One-click test finds Gameover Zeus infections on PCs | PCWorld.

Credit card fraud comes of age with advances in point-of-sale botnets

Underscoring the growing sophistication of Internet crime, researchers have documented one of the first known botnets to target point-of-sale (PoS) terminals used by stores and restaurants to process customers’ credit and debit card payments.

The botnet remained active at the time of writing and had compromised more than 20,000 payment cards since August, researchers from IntelCrawler, a Los Angeles-based security intelligence provider, told Ars. The researchers arrived at the findings after infiltrating one of the control servers used to send commands to infected machines and receive pilfered data from them. A recently captured screenshot (above) showed that it was controlling 31 machines that the researchers said belonged to US-based restaurants and retailers. Some of the infected machines are servers, so the number of affected PoS devices could be much higher. The researchers have reported their findings to law enforcement agencies that they declined to identify by name.

PoS-based hacking is nothing new. The best-known incident stole data for more than 146,000 cards after infecting 200 terminals used at Subway Sandwich shops and other small merchants. According to federal prosecutors, the criminals behind that intrusion infected one or more servers with “sniffing” software that logged payment card numbers and sent them to a remote server. Although the now-convicted crooks were able to install a backdoor on the computers they accessed so they could change configuration settings and install new programs, there is no evidence of a botnet that actively controlled the infected machines in lockstep.

The infections observed by IntelCrawler, by contrast, are much more advanced. They allow attackers to corral large numbers of PoS devices into a single botnet. The interface makes it easy to monitor the activities of infected machines in real time and to issue granular commands. In short, they are to PoS terminals what ZeuS, Citadel, and other banking trojans are to online bank accounts. The code helping to streamline the process has been dubbed StarDust. It’s a major revision of Dexter, a previously discovered piece of malware targeting PoS devices that has already been fingered in other real-world payment card swindles.

“The unique side of our case is that it is a real botnet with C&C functions, which is active close to half a year and controlled by a group of criminals which has a new type of Dexter,” IntelCrawler CEO Andrey Komarov wrote in an e-mail. “The infected PoS merchants are installed in different places and cities… which makes it different as the bad actors infected them separately and then organized a botnet from it.”

Not your father’s PoS malware

StarDust developers have intimate knowledge of the inner workings of PoS applications such as Clearview PoS. As a result, the malware can ferret out where in computer memory sensitive data in cleartext form is stored. StarDust can also sniff network traffic and is able to extract Track1 and Track2 card data. To remain covert, the software transfers card details only when the terminal is inactive and the screensaver is on. It also uses the RC4 cipher to encrypt data before sending it to the control server.

The discovery comes as researchers from a separate security firm called Arbor Networks published a blog post on Tuesday reporting an active PoS compromise campaign. The advisory is based on two servers found to be hosting Dexter and other PoS malware. Arbor researchers said the campaign looks to be most active in the Eastern Hemisphere. There was no mention of a botnet or of US restaurants or retailers being infected, so the report may be observing a campaign independent from the one found by IntelCrawler.

It remains unclear how the attackers manage to initially infect PoS terminals and servers that make up the botnet. In the past, criminals have targeted known vulnerabilities in applications that many sellers of PoS software use to remotely administer customer systems. Weak administrator passwords, a failure to install security updates in a timely fashion, or unknown vulnerabilities in the PoS applications themselves are also possibilities.

Full Story: Credit card fraud comes of age with advances in point-of-sale botnets | Ars Technica.

Botnet snatches 2 million logins for Facebook, ADP, and other sites

Two million logins and passwords from services such as Facebook, Google and Twitter have been found on a Netherlands-based server, part of a large botnet using controller software nicknamed “Pony.”

Another company whose users’ login credentials showed up on the server was ADP, which specializes in payroll and human resources software, wrote Daniel Chechik, a security researcher with Trustwave’s SpiderLabs.

It’s expected that cybercriminals will go after main online services, but “payroll services accounts could actually have direct financial repercussions,” he wrote.

ADP moved $1.4 trillion in fiscal 2013 within the U.S., paying one in six workers in the country, according to its website.

Facebook had the most stolen credentials, at 318,121, followed by Yahoo at 59,549 and Google at 54,437. Other companies whose login credentials showed up on the command-and-control server included LinkedIn and two Russian social networking services, VKontakte and Odnoklassniki. The botnet also stole thousands of FTP, remote desktop and secure shell account details.

It wasn’t clear what kind of malware infected victims’ computers and sent the information to the command-and-control server.

Trustwave found the credentials after gaining access to an administrator control panel for the botnet. The source code for the control panel software, called “Pony,” was leaked at some point, Chechik wrote.

The server storing the credentials received the information from a single IP address in the Netherlands, which suggests the attackers are using a gateway or reverse proxy in between infected computers and the command-and-control server, he wrote.

“This technique of using a reverse proxy is commonly used by attackers in order to prevent the command-and-control server from being discovered and shut down—outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down,” Chechik wrote.

Information on the server indicated the captured login credentials may have come from as many as 102 countries, “indicating that the attack is fairly global,” he wrote.

via Botnet snatches 2 million logins for Facebook, ADP, and other sites | PCWorld.

Botnet busts more for stunts than security, expert says

Microsoft and Symantec made headlines in September and in the summer by taking down major botnets. Now, one expert calls their actions ineffective, and wonders if the only reason they happened was to garner good press.

Working backwards, Symantec announced in September that they used a vulnerability within the ZeroAccess botnet’s code to take down a significant part of it. Their actions gained headlines, because ZeroAccess has existed since 2010, and had a foothold on millions of systems globally.

In a similar situation, Microsoft took out 88 percent of the Citadel botnet this summer, going so far as to send configuration files to the infected systems that forced them to connect to sinkholes, removing them from criminal control. At the time, Microsoft said that 40 percent of the computers that were part of the operation were cleaned of infection.

However, there were those that said Microsoft’s actions were nothing more than a clever PR stunt, and that they had no real impact on the threat landscape.

In a recent blog post, Damballa’s CTO, Brian Foster, says that botnet takedowns often don’t meet their stated goals of reducing the risk of infection online. In fact, he says, it’s something else entirely.

“It makes me wonder if these efforts are for the sole purpose of garnering press, because they certainly don’t have any lasting impact on end user safety,” Foster wrote.

Shortcomings noted

Supporting his theories, Foster listed three reasons that botnet takedowns are ineffective. To start, he noted, most takedowns are done haphazardly. In most cases, only a small percentage of the command and control servers for a given botnet were grabbed by the do-gooders. Thus, while it makes good coverage to show that 24 percent of a botnet has been taken offline, “[it] still leaves 76 percent of it active. The attacker still has a strong foothold and can easily recover.”

Further, takedowns do not account for secondary communication methods such as P2P channels, or domain generation algorithms (DGA) that may be used by malware.

“We looked at 43 pieces of malware and discovered that three of them had secondary callback methods. This means that for at least three of the botnets, security researchers need to take additional steps to make sure the botnet is disabled,” Foster said.

Finally, he noted, the takedowns themselves do not result in the arrest of the person(s) behind the botnet itself. Unless the attacker has been arrested, it doesn’t prevent them from starting anew and building a different botnet.

“Bottom line: If security researchers and their organizations are doing takedowns for marketing reasons, then it doesn’t matter how they go about it. But if they are doing takedowns to truly limit Internet abuse and protect end users, then there needs to be a more thoughtful approach than what has typically been used by the industry. Otherwise, the bots will once again veer their ugly heads,” Foster concluded.

via Botnet busts more for stunts than security, expert says | PCWorld.

Microsoft: Almost 90 percent of Citadel botnets in the world disrupted in June

Microsoft estimates that 88 percent of botnets running the Citadel financial malware were disrupted as a result of a takedown operation launched by the company in collaboration with the FBI and partners in technology and financial services. The operation was originally announced on June 5.

Since then, almost 40 percent of Citadel-infected computers that were part of the targeted botnets have been cleaned, Richard Domingues Boscovich, an assistant general counsel with Microsoft’s Digital Crimes Unit, said Thursday in a blog post.

Microsoft did not immediately respond to an inquiry seeking information about how those computers were cleaned and the number of computers that remain infected with the malware.

However, Boscovich said in a different blog post on June 21 that Microsoft observed almost 1.3 million unique IP (Internet Protocol) addresses connecting to a “sinkhole” system put in place by the company to replace the Citadel command-and-control servers used by attackers.

After analyzing unique IP addresses and user-agent information sent by botnet clients when connecting to the sinkhole servers, the company estimated that more than 1.9 million computers were part of the targeted botnets, Boscovich said at the time, noting that multiple computers can connect through a single IP address.

He also said that Microsoft was working with other researchers and anti-malware organizations like the Shadowserver Foundation in order to support victim notification and remediation.

The Shadowserver Foundation is an organization that works with ISPs, as well as hosting and Domain Name System (DNS) providers, to identify and mitigate botnet threats.

According to statistics released Thursday by Boscovich, the countries with the highest number of IP addresses corresponding to Citadel infections between June 2 and July 21 were: Germany with 15 percent of the total, Thailand with 13 percent, Italy with 10 percent, India with 9 percent and Australia and Poland with 6 percent each. Five percent of Citadel-infected IP addresses were located in the U.S.

Boscovich praised the collaboration between public and private sector organizations to disrupt the Citadel botnet.

“By combining our collective expertise and taking coordinated steps to dismantle the botnets, we have been able to significantly diminish Citadel’s operation, rescue victims from the threat, and make it more costly for the cybercriminals to continue doing business,” he said Thursday in the blog post.

However, not everyone in the security research community was happy with how the takedown effort was implemented.

Shortly after the takedown, a security researcher who runs the botnet tracking services estimated that around 1,000 of approximately 4,000 Citadel-related domain names seized by Microsoft during the operation were already under the control of security researchers who were using them to monitor and gather information about the botnets.

Furthermore, he criticized Microsoft for sending configuration files to Citadel-infected computers that were connecting to its sinkhole servers, saying that this action implicitly modifies settings on those computers without their owners’ consent. “In most countries, this is violating local law,” he said in a blog post on June 7.

“Citadel blocked its victims’ ability to access many legitimate anti-virus and anti-malware sites in order to prevent them from being able to remove the malware from their computer,” Boscovich said on June 11 in an emailed statement. “In order for victims to clean their computers, the court order from the U.S. District Court for the Western District of North Carolina allowed Microsoft to unblock these sites when computers from around the world checked into the command and control structure for Citadel which is hosted in the U.S.”

via Microsoft: Almost 90 percent of Citadel botnets in the world disrupted in June | PCWorld.