WyldRyde IRC Network » Tech News

FBI and British Law Enforcement Seeking Botnet Builders

usrbingeek — Mon, 27 Apr 2009 14:05:39 +0000

British Law enforcement and the FBI are actively looking for the individuals that created the largest botnet, reports World Watch from CBS News.

London’s Metropolitan Police department confirmed to CBS News on Wednesday that their e-crime unit was investigating a botnet created by Ukrainian hackers. The Met would not say what other agencies they are working with, but they do often work with other agencies on cases involving international cyber-crime, including the FBI.
CBSNews.com partner CNET reported Tuesday that Ophir Shalitin, Finjan’s marketing director, said in an interview on the eve of the RSA security conference that the gang had compromised computers in 77 government-owned domains in the U.S. and elsewhere.

[Cops Hunting Monster-Botnet Builders]

Massive Botnet found on almost 2 million PCs

usrbingeek — Sun, 26 Apr 2009 10:32:30 +0000

A large botnet from the Ukraine that has infected nearly 2 million computers is stunning security researchers, reports DarkReading.

The botnet, which appears to be larger than the infamous Storm botnet was in its heyday, has infected machines from some 77 government-owned domains — 51 of which are U.S. government ones, according to Ophir Shalitin, marketing director of Finjan, which recently found the botnet. Shalitin says the botnet is controlled by six individuals and is hosted in Ukraine.
Aside from its massive size and scope, what is also striking about the botnet is what its malware can do to an infected machine. The malware lets an attacker read the victim’s email, communicate via HTTP in the botnet, inject code into other processes, visit Websites without the user knowing, and register as a background service on the infected machine, for instance. The bots communicate with their command and control systems via HTTP.

[Researchers Find Massive Botnet On Nearly 2 Million Infected Consumer, Business, Government PCs]

Juvenile Botner sentenced to 11 months in prison

usrbingeek — Fri, 24 Apr 2009 19:59:02 +0000

A male juvenile, who has been widely known in the hacker underground by his online moniker, “DSHOCKER,” was sentenced today in federal court to 11 months in prison, to be served in a juvenile detention facility, for computer intrusion, interstate threats, and wire fraud, stemming from hacking, botnet, and “swatting” activities. In accordance with federal law, the juvenile was not publicly named.
United States Attorney Michael J. Sullivan and Warren T. Bamford, Special Agent in Charge of the Federal Bureau of Investigation – Boston Field Division, announced that a 17-year-old male juvenile from Massachusetts was sentenced before U.S. District Court Judge Dennis F. Saylor, IV, to 11 months in prison, to be served in a juvenile detention facility, followed by two years of supervised release.
At the November 18, 2008 change of plea hearing, the prosecutor told the Court that, had the case proceeded to trial, the government would have proven that, from 2005-2008, the defendant (1) hacked into multiple corporate computer systems and took command of thousands of other computers in a “botnet” (a network of infected computers), directing them to perform cyberattacks on victim computer servers; (2) placed hoax emergency telephone calls to elicit armed police responses from SWAT (“special weapons and tactics”) police teams and others, as well as reported phony bomb threats, and (3) made fraudulent credit card purchases with stolen credit cards. His “swatting” activities created a serious risk of physical harm to innocent victims, and the multiple bomb threats caused extensive disruptions to important public services. Furthermore, the defendant’s hacking activities were disruptive to major companies’ computer systems, and they wreaked havoc on tens of thousands of computers that were compromised.
The case was investigated by the Federal Bureau of Investigation and was prosecuted by Assistant U.S. Attorney Adam J. Bookbinder in Sullivan’s Economic Crimes Unit and Mona Sedky Spivack of the Computer Crime & Intellectual Property Section of the U.S. Department of Justice in Washington, D.C.

Conficker Worm Targeting Microsoft Windows Systems

usrbingeek — Mon, 30 Mar 2009 11:07:36 +0000

US-CERT is reporting that they’re aware of widespread infection of the Conficker Worm.
The worm infects computers running Microsoft Windows via a thumb drive, a network share, or directly across the network if the host is not patched with update MS08-067.

The presence of a Conficker infection may be detected if a user is unable to navigate to the following websites:

http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp+link_conficker_worm

http://www.mcafee.com

If a user is unable to reach either of these websites, the Conficker infection may be indicated (the most current variant of Conficker interferes with queries for these sites, preventing a user from visiting them). If a Conficker infection is suspected, the infected system should be removed from the network. Major anti-virus vendors and Microsoft have released several free tools that can verify the presence of a Conficker infection and remove the worm. Instructions for manually removing a Conficker infection from a system have been published by Microsoft in Knowledgebase Article 962007.
US-CERT encourages users to prevent a Conficker infection by ensuring all systems have the MS08-067 patch (part of Security Update KB958644, which was published by Microsoft in October 2008), disabling AutoRun functionality (see US-CERT Technical Cyber Security Alert TA09-020A), and maintaining up-to-date antivirus software.
US-CERT will provide additional information as it becomes available.

[Conficker Worm Targets Microsoft Windows Systems]

Botneter sentenced to 4 years in prison

usrbingeek — Wed, 11 Mar 2009 13:20:18 +0000

In the first US prosecution of its kind, John Schiefer, 27, of Los Angeles, also known as “acidstorm,” was sentenced last week to 48 months in federal prison for using “botnets” to steal the identities of victims throughout the country by extracting information from their personal computers and wiretapping their communications, according the US Department of Justice.

John Schiefer, 27, of Los Angeles, who used the online handle “acidstorm,” pleaded guilty last year to accessing protected computers to conduct fraud, disclosing illegally intercepted electronic communications, wire fraud and bank fraud. Schiefer was sentenced by United States District Judge A. Howard Matz, who also ordered the defendant to pay a $2,500 fine.
When he pleaded guilty, Schiefer admitted that he illegally accessed hundreds of thousands of computers in the United States and that he remotely controlled these compromised machines through computer servers. Once in control of the “zombie” computers, Schiefer used his botnets to search for vulnerabilities in other computers, intercept electronic communications and engage in identity theft.
In connection with the wiretapping scheme, Schiefer admitted that he and others installed malicious computer code, known as “malware,” on zombie computers that captured electronic communications as they were sent from users’ computers. Because victims with compromised computers did not know that their computers had become infected and were “bots,” they continued to use their computers to engage in commercial activities, such as making online purchases. Schiefer’s “spybot” malware allowed him to intercept communications sent between victims’ computers and financial institutions, such as PayPal. Schiefer sifted through those intercepted communications and mined usernames and passwords to accounts. Using the stolen usernames and passwords, Schiefer made purchases and transferred funds without the consent of the victims. Schiefer also gave the stolen usernames and passwords, as well as the wiretapped communications, to others. Schiefer is the first person in the nation to plead guilty to wiretapping charges in connection with the use of botnets.
Schiefer also admitted stealing information from numerous computers by accessing the PStore, which is intended to be a secure storage area of computers running Microsoft operating systems. To accomplish this, Schiefer installed malware on computers that caused them to send account access information, including usernames and passwords for PayPal and other financial websites, to computers controlled by Schiefer and others. Schiefer used that information to make unauthorized purchases using funds transferred directly from victims’ bank accounts. Finally, Schiefer admitted defrauding a Dutch Internet advertising company with his armies of zombie computers. Schiefer signed up as a consultant with the advertising company and promised to install the company’s programs on computers only when the owners of those computers gave consent. Instead, Schiefer and two co-schemers installed that program on approximately 150,000 zombie computers whose owners did not give consent. Schiefer was ultimately paid more than $19,000 by the advertising company.
In addition to his guilty pleas to the criminal charges, Schiefer has agreed to pay approximately $20,000 in restitution to the Dutch advertising company and financial institutions that he defrauded.
This case was investigated by the Federal Bureau of Investigation.

Microsoft offering $250,000 reward for Conficker creator

usrbingeek — Mon, 16 Feb 2009 18:10:00 +0000

The windows worm commonly known as Conficker is creating havoc by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE).
When the vulnerability is successfully exploited, it may allow remote code execution when file sharing is enabled. Depending on the specific variant, it may also spread via removable drives and by exploiting weak passwords. It can also disable several important system services and security products and downloads malicious files.
In order to help bring the person(s) responsible for Conficker to justice Microsoft has announced a $250,000 reward for information that leads to the arrest and conviction of whoever is responsible for creating the Conficker Internet worm.

We have announced a US$250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker worm. Individuals with information about the Conficker worm are encouraged to contact their international law enforcement agencies. Additionally, Microsoft has implemented an Antivirus Reward Hotline, 1-425-706-1111, and an Antivirus Reward Mailbox, avreward@microsoft.com, where tips can be shared.

[Conficker Activity Update]

Virus Bulletin to test and certify anti-spam products

usrbingeek — Thu, 08 Jan 2009 18:00:53 +0000

Virus Bulletin has built a reputation for testing and certifying anti-malware products for more than ten years and they’re about to get into checking the performance claims made by anti-spam product vendors.

The tests will also provide useful information about the effectiveness of different spam-filtering methods: as different filters use different methods, the tests will implicitly compare these as well. This information will be valuable for the anti-spam industry as a whole.

Helen Martin, Editor of Virus Bulletin, said: “We feel strongly that there is a need for a robust and comprehensive anti-spam certification scheme and that our background stands us in good stead to run such a scheme. We are looking forward to publishing the first set of results.”

[Virus Bulletin announces new anti-spam certification scheme]

Windows worm creating massive botnet

usrbingeek — Mon, 15 Dec 2008 01:25:34 +0000

Last month Microsoft released a critical patch out of schedule to prevent massive exploitation however it seems as many systems are still unpatched.
A worm exploiting this critical bug is being used by the Conficker.a or Downad.a worm, reports ComputerWorld.

Ivan Macalintal, a senior research engineer with Trend Micro Inc., said that the worm, which his company has dubbed “Downad.a” — it’s called “Conficker.a” by Microsoft and “Downadup” by Symantec Corp. — is a key component in a new botnet that criminals are creating.
“We think 500,000 is a ball park figure,” said Macalintal when asked the size of the new botnet. “That’s not as large as some, such as [the] Kraken [botnet], or Storm earlier, but it’s still starting to grow.”

It’s important that if you haven’t patched Windows yet, you do so immediately at the Microsoft update web site .
[New Windows worm builds massive botnet]

Unpatched IE7 Flaw Exploited

usrbingeek — Thu, 11 Dec 2008 15:49:23 +0000

A newly discovered zero-day vulnerability which is an unpatched exploit in Microsoft Internet Explorer is being targeted by malware authors and script kiddies, reports Trend Micro.

Several websites were found rigged with a malicious JavaScript detected by Trend Micro as JS_DLOAD.MD. This script exploits this zero-day vulnerability in Internet Explorer, through a Heap Spray on SDHTML. It also checks for the IE version installed on the affected system, since this exploit targets IE7.
After a successful exploit, it triggers a series of redirections to multiple URLs, then finally connects to one of several different domains — a full list of malicious domains can be found over at ShadowServer, as they have been verifying the domains collected by them and from other security researchers across the industry.

The toolkit related to this exploit is reportedly being sold in the China underground community. This is quite logical, since TSPY_ONLINEG variants are notorious info-stealers — particularly stealing credentials related to online games, which in turn are very popular in China.

Unpatched exploits like this are still common with Internet Explorer and it’s why we recommend users avoid using the web browser. While Firefox is far from perfect, Mozilla Corporation is much more responsive to security exploits and release security patches in a much more timely manner.
[Zero-Day IE7 Flaw Being Actively Exploited]

Social Network Spam Spreading Malware via Spoofed YouTube Links

usrbingeek — Tue, 09 Dec 2008 01:18:50 +0000

There has been an uptick in public reports of malware that is spreading through spam messages that appear to come from Social Networking web sites such as MySpace.com, Facebook.com and Classmates.com.
The emails reportedly describe a YouTube video and a link is provided. The link actually leads to a malicious spoof web site which, to an average user, appears to be an authentic YouTube web page. The visitors to this spoof page are prompted to download and install an update for plugins such as Adobe Flash but the update actually contains malicious code.
If you receive one of these emails, delete it and do not click on any links in the message. If you have reason to believe the email is legitimate and you wish to view the video go to YouTube directly by typing, “http://www.youtube.com/” in your web browser’s address bar and then search for the video on YouTube’s site instead of taking a chance and clicking on what could be a malicious link.