Botnets
Zeus botnet dealt a blow as ISP Troyak knocked out
Zeus botnet dealt a blow as ISP Troyak knocked out: Via Computerworld Cybercrime/Hacking News.
Internet service providers linked to the notorious Zeus botnet have been taken down, knocking out a third of the command-and-control servers that run the network of hacked machines.
Two ISPs, named Troyak and Group 3, were home to 90 of the 249 known Zeus command-and-control servers. Zeus Tracker, a Web site that tracks the botnet, noticed the steep drop in servers on Wednesday morning.
The Troyak network was itself an upstream provider to six networks, known to host a large number of cybercrime servers, including Web sites used in drive-by attacks and phishing sites, according to Kevin Stevens, a researcher with SecureWorks. "There's lots of Zeus and Fragus exploit kit [sites]," he said. Whoever was behind the takedown "just decided to knock out a large area of cybercrime, and this was probably one of the easiest ways to do it."
The Botnet Challenge (CDT)
The Botnet Challenge: by CDT Via Comcast Voices | The Official Comcast Blog.
Editor's Note: Our thanks to Leslie Harris, President and CEO, Center for Democracy & Technology, for writing this guest blog post about botnets.
Botnets are armies of computers that criminals have infected with malicious software so they can control them remotely to steal information, launch denial-of-service attacks, spread malware and host illegal content. Botnets are one of the most serious threats to Internet security today. They have compromised untold millions of computers – and even DSL routers – worldwide. The Conficker worm alone has infected up to 15 million consumer, business and government computers into a massive botnet in a little over two years.
Botnet armies are built on the computers of regular Internet users who have no idea that their PCs have been compromised and are being used for malicious purposes. In fact, botnets depend on users’ ignorance in order to stay operational. At the same time, the spam, phishing, and denial-of-service attacks that botnets perpetrate may have little or no impact on the compromised users or their ISPs, while wreaking havoc on faraway users connected to entirely different networks.
Security Pros Question Deployment of Smart Meters
Security Pros Question Deployment of Smart Meters: Via Threat Level.
The country’s swift deployment of smart-grid technology has security professionals concerned that utilities and smart-meter vendors are repeating the mistakes made in the rollout of the public internet, when security became a priority only after malicious attacks had reached mass levels.
But when it comes to the power grid, the costs of remote hack attacks are potentially more dramatic.
“The cost factor here is what’s turned on its head. We lose control of our grid, that’s far worse than a botnet taking over my home PC,” said Matthew Carpenter, senior security analyst of InGuardian, speaking at a panel at the RSA Security Conference in San Francisco this week.
Spain Busts Hackers for Infecting 13 Million PCs
Spain Busts Hackers for Infecting 13 Million PCs: Via Threat Level.
BOSTON (Reuters) — Spanish police have shut down a ring of computer hackers who infected more than 13 million PCs with a virus that stole credit card numbers and other valuable data in what may be the biggest cyber-raid to date.
Spain’s Civil Guard said on Tuesday that it arrested three men suspected of running the so-called Mariposa botnet, named after the Spanish word for butterfly. A press conference to give more details is scheduled for Wednesday.
Mariposa had infected machines in 190 countries in more than half of the world’s 1,000 largest companies and in at least 40 big financial institutions, according to two Internet security firms that helped Spanish officials crack the ring, Canada’s Defense Intelligence and Spain’s Panda Security.
Wiseguys Indicted in $20 Million Online Ticket Ring
Wiseguys Indicted in $20 Million Online Ticket Ring: Via Threat Level.
A ring of ticket brokers was indicted Monday in connection to an elaborate hacking scheme that used bots and other fraudulent means to purchase more than 1 million tickets for concerts, sporting events and other events.
The defendants made more than $28 million in profits from the re-sale of the tickets between 2002 and 2009.
According to the federal indictment (.pdf) in New Jersey, the defendants set up a nationwide network through which they were able to impersonate thousands of individual ticket buyers, defeating the security and fraud measures that online ticket vendors such as Ticketmaster, Musictoday and Tickets.com put in place to thwart automated ticket buying.
The defendants did business as Wiseguy Tickets and Seats of San Francisco, and used two shell companies called Smaug and Platinum Technologies to purchase IP blocks and rent servers to conduct the attacks.
Over 75,000 systems compromised in cyberattack
Over 75,000 systems compromised in cyberattack: Via Computerworld Cybercrime/Hacking News.
Correction: An earlier version of this story incorrectly said the cyberattacks began in 1998. They began in 2008.
Security researchers at Herndon, Va.-based NetWitness Corp. have unearthed a massive botnet affecting at least 75,000 computers at 2,500 companies and government agencies worldwide.
The Kneber botnet, named for the username linking the affected machines worldwide, has been used to gather login credentials to online financial systems, social networking sites and e-mail systems for the past 18 months, according to NetWitness.
A 75GB cache of stolen data discovered by NetWitness included 68,000 corporate login credentials, login data for user accounts at Facebook, Yahoo and Hotmail, 2,000 SSL certificate files and a large amount of highly detailed "dossier-level" identity information. In addition, systems compromised by the botnet also give attackers remote access inside the compromised network, the company said.
"Disturbingly, the data was only a one-month snapshot of data from a campaign that has been in operation for more than a year," NetWitness said in a statement announcing the discovery of the botnet late yesterday.
New Russian botnet tries to kill rival
New Russian botnet tries to kill rival: Via Computerworld Cybercrime/Hacking News.
An upstart Trojan horse program has decided to take on its much-larger rival by stealing data and then removing the malicious program from infected computers.
Security researchers say that the relatively unknown [Spy Eye toolkit] added this functionality just a few days ago in a bid to displace its larger rival, known as Zeus.
The feature, called "Kill Zeus," apparently removes the Zeus software from the victim's PC, giving Spy Eye exclusive access to usernames and passwords.
Zeus and Spy Eye are both Trojan-making toolkits, designed to give criminals an easy way to set up their own "botnet" networks of password-stealing programs.
The Decade’s 10 Most Dastardly Cybercrimes
The Decade’s 10 Most Dastardly Cybercrimes: Via Threat Level.
It was the decade of the mega-heist, when stolen credit card magstripe tracks became the pork bellies of a new underground marketplace, Eastern European hackers turned malware writing into an art, and a nasty new crop of purpose-driven computer worms struck dread in the heart of America.
Now that the zero days are behind us, it’s time to reflect on the most ingenious, destructive or groundbreaking cybercrimes of the first 10 years of the new millennium.
Report: Russian gang linked to big Citibank hack
Report: Russian gang linked to big Citibank hack: Via Computerworld Cybercrime/Hacking News.
U.S. authorities are investigating the theft of an estimated tens of millions of dollars from Citibank by hackers partly using Russian software tailored for the attack, according to a news report.
The security breach at the major U.S. bank was detected mid-year based on traffic from Internet addresses formerly used by the Russian Business Network gang, The Wall Street Journal said Tuesday, citing unnamed government sources. The Russian Business Network is a well-known group linked to malicious software, hacking, child pornography and spam. The Federal Bureau of Investigation is probing the case, the report said.
It was not known whether the money had been recovered and a Citibank representative said the company had not had any system breach or losses, according to the report.
ISPs and the fight against bots
ISPs and the fight against bots: Via StopBadware Blog.
For the last several months, some of the folks at Comcast have been working on a draft IETF document to inform ISPs about the role they can play in remediating bots on their customers’ computers. This is a tricky challenge: on one hand, ISPs are in a great position to detect bot activity, notify their customers, and potentially even block traffic. On the other hand, customers and net neutrality advocates don’t want ISPs mucking around with customers’ Internet use.
The document attempts to find a balance, encouraging ISPs to notify customers of bots and assist with remediation, while warning about some of the risks of more aggressive involvement (such as "walled gardens," in which users are cut off from most Internet access until they clean up an infection).
I wrote up a set of comments which I shared with the authors and now make available here.
Researchers Hijack a Drive-By Botnet
Technology Review: Researchers Hijack a Drive-By Botnet: Via MIT's Technology Review.
The team gathered data on compromised pages and the would-be victims.
By infiltrating a criminal computer network aimed at infecting visitors to legitimate websites, university researchers have gained firsthand insight into the scale and scope of so-called "drive-by downloading." They found more than 6,500 websites hosting malicious code that redirected nearly 340,000 visitors to malicious sites.
Drive-by downloading involves hacking into a legitimate site to covertly install malicious software on visitors' machines or redirect them to another site.
In an unpublished paper, researchers at the University of California at Santa Barbara describe a four-month study in which they connected their servers to a collection of compromised computers known as the Mebroot botnet.
Announcing the Spamhaus CSS (Composite Snow-Shoe SPAM)
Announcing the Spamhaus CSS: Via Spamhaus Blog.
While filtering methods for botnet spam are now quite effective, a new breed of static-IP address spammers has evolved, and their spam evades many filters. It is time to target the next great spam problem, "snowshoe" spam.
The Problem of Snowshoe Spam
Like many of you, we at The Spamhaus Project have seen a burgeoning flood of spam emails, not from compromised IP addresses or botnet ranges, but from static IP address ranges. The IP addresses that send this spam properly identify their host names when connecting to a mailserver. At first glance, the emails that they send look like legitimate bulk emails, except that they were sent to spamtraps or to our own email addresses, which we know did not ask for that email. Most of them send modest volumes of email that do not trigger automated spam blocking filters or reputation metrics. It is this technique, spreading the load out over a larger area, that gives snowshoe spam its name.
Cyberwar - Defying Experts, Conficker Rogue Computer Code Still Lurks
Cyberwar - Defying Experts, Rogue Computer Code Still Lurks: Via NYTimes.com.
Like a ghost ship, a rogue software program that glided onto the Internet last November has confounded the efforts of top security experts to eradicate the program and trace its origins and purpose, exposing serious weaknesses in the world’s digital infrastructure.
The program, known as Conficker, uses flaws in Windows software to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors. With more than five million of these zombies now under its control — government, business and home computers in more than 200 countries — this shadowy computer has power that dwarfs that of the world’s largest data centers.
Conficker Botnet Messes With Reporters’ Heads By Not Doing Anything
Conficker Botnet Messes With Reporters’ Heads By Not Doing Anything: Via Threat Level.
Conficker botnet? It’s still out there, lurking, waiting, dreaming like Cthulhu, as mysterious and deadly as it was last spring when the New York Times called it an “unthinkable disaster” in the making, and 60 Minutes warned the entire internet could be disrupted.
Now, five months after failing to satisfy all the doomsday predictions tied to an April 1 ticking-clock, Conficker has pulled off its sneakiest trick yet: doing nothing for five months. The Times has the story again; Conficker is “like a ghost ship” now.
Some might take Conficker’s quiescence as evidence that the first round of reporting was hyped to the gills.
Hackers Use Twitter to Control Botnet
Hackers Use Twitter to Control Botnet: Via Threat Level.
Hackers are now using Twitter to send coded update messages to computers they’ve previously infected with rogue code, according to a report from net-monitoring firm Arbor Networks.
This looks to be the first reported case of hackers using the popular micro-messaging company to control botnets, which are assemblages of infected PCs that can be directed to spy on their users, send spam, or attack web sites with fake traffic.
Arbor Network’s Jose Nazario, an expert on botnets, discovered the so-called command-and-control structure. Infected computers were following the Twitter feed “Upd4t3” (now suspended) through its RSS feed.
Building in Surveillance
Building in Surveillance: Via Schneier on Security.
China is the world's most successful Internet censor. While the Great Firewall of China isn't perfect, it effectively limits information flowing in and out of the country. But now the Chinese government is taking things one step further.
Under a requirement taking effect soon, every computer sold in China will have to contain the Green Dam Youth Escort software package. Ostensibly a pornography filter, it is government spyware that will watch every citizen on the Internet.
Green Dam has many uses. It can police a list of forbidden Web sites. It can monitor a user's reading habits. It can even enlist the computer in some massive botnet attack, as part of a hypothetical future cyberwar.
China's actions may be extreme, but they're not unique. Democratic governments around the world -- Sweden, Canada and the United Kingdom, for example -- are rushing to pass laws giving their police new powers of Internet surveillance, in many cases requiring communications system providers to redesign products and services they sell.
Cyber Attacks Traced to the UK and U.S.
Cyber Attacks Traced to the UK and U.S.: Via Threat Level.
International fingerpointing in the recent cyberattacks against U.S. and South Korean web sites has widened to include the UK and U.S., as researchers examining the attacks trace them to a server in the United Kingdom.
But the UK company that owns the server says it, in turn, traced the attacks to a VPN connection originating in Miami, Florida.
With hawks in Congress and the press urging President Obama to launch an all-out cyber war in retaliation for the website outages, things are looking bad for the Sunshine State. Though it should be noted that the Miami connection was likely just another proxy used by the hacker, who could be based in the U.S. or anywhere else.
Lazy Hacker and Little Worm Set Off Cyberwar Frenzy
Lazy Hacker and Little Worm Set Off Cyberwar Frenzy: Via Wired: Threat Level.
Talk of cyberwar is in the air after more than two dozen high-level websites in the United States and South Korea were hit by denial-of-service attacks this week. But cooler heads are pointing to a pilfered five-year-old worm as the source of the traffic, under control of an unsophisticated hacker who apparently did little to bolster his borrowed code against detection.
Nonetheless, the attacks have launched a thousand headlines (or thereabouts) and helped to throw kindling on some long-standing international political flames — with one sworn enemy blaming another for the aggression.
Welcome to the New World Order of cybersecurity.
U.S. Objects to China's Mandatory Green Dam Censorware
U.S. Objects to China's Mandatory Green Dam Censorware: Via Freedom to Tinker.
Yesterday, the U.S. Commerce Secretary and Trade Representative sent a letter to China's government, objecting to China's order, effective July 1, to require that all new PCs sold in China have preinstalled the Green Dam Youth Escort censorware program.
Here's today's New York Times:
Chinese officials have said that the filtering software, known as Green Dam-Youth Escort, is meant to block pornography and other “unhealthy information.”
In part, the American officials’ complaint framed this as a trade issue, objecting to the burden put on computer makers to install the software with little notice. But it also raised broader questions about whether the software would lead to more censorship of the Internet in China and restrict freedom of expression.
Is China Creating the World's Largest Botnet Army?
Is China Creating the World's Largest Botnet Army?: Via Slashdot.
david_a_eaves writes "The Chinese government is mandating that all computers sold in China come with Internet blocking software. Rob Cottingham writes an excellent piece noting how the censorship application of this software should be the least of our concerns. This new software may create an opportunity for the Chinese Government to appropriate these computers and use them to create the world's largest botnet army."
Update: 06/11 21:26 GMT by T: J. Alex Halderman writes "My students and I have been examining the Green Dam censorware software.
Feds Shutter ‘Black Hat’ ISP
Feds Shutter ‘Black Hat’ ISP: Via Threat Level.
For the first time, the Federal Trade Commission is shuttering an internet service provider it alleges, “recruits, knowingly hosts, and actively participates in the distribution of illegal, malicious and harmful electronic content” such as botnets and child porn.
The company, doing business as 3fn.net and APS Telecom, “actively recruited” to its hosting service thousands of “rogue” and “black hat” web sites distributing “illegal, malicious, and harmful electronic content including child pornography, spyware, viruses, trojan horses, phishing, botnet command and control servers, and pornography featuring violence, bestiality, and incest.”
A San Jose, California federal judge, responding to the FTC’s lawsuit, has ordered (.pdf) upstream internet providers and data centers to stop servicing the company, also known as Pricewert, which is based in Oregon. Its operators live in Belize.
The company had thousands of servers in the San Jose area.
Ex-Fed: Privacy Advocates Should Go After China, Lay Off NSA
Ex-Fed: Privacy Advocates Should Go After China, Lay Off NSA: Via Threat Level.
WASHINGTON — Internet privacy advocates are doing the right thing by protesting warrantless government surveillance of the internet — they’re just going after the wrong government, a former lawyer for the National Security Agency said Tuesday.
Speaking on a panel at the Computers Freedom and Privacy Conference here, one-time NSA general counsel Stuart Baker raised the specter of Chinese government spying, focusing in particular on the so-called GhostNet findings reported by security researchers at the University of Toronto in March.
Those researchers found that a commonly available Trojan horse called “gh0st” had been deployed against foreign embassies, international news media outlets and non-governmental organizations, primarily in South and Southeast Asia. More than 1,200 computers were targeted, including some at the offices of the Dalai Lama. The researchers traced the network to the island of Hainan in China.
Botnets Took Control of 12 Million New IPs this Year
Botnets Took Control of 12 Million New IPs this Year: Via Threat Level.
Botnet criminals have taken control of almost 12 million new IP addresses since January, according to a quarterly report (.pdf) from anti-virus firm, McAfee. The United States has the largest number of botnet-controlled machines, with 18 percent of them based here.
The number of zombie machines represents a 50-percent rise over last year.
Researchers attribute the explosion to botnet controllers trying to recoup spamming abilities after authorities took down a hosting facility last year that catered to international firms and syndicates involved in spamming and botnet control.
Finjan warns two million computers worldwide hit by giant botnet
Finjan warns two million computers worldwide hit by giant botnet: Via SiliconRepublic.com.
A cyber gang based in the Ukraine has created one of the largest bot networks the world has ever seen, with at least 1.9 million computers around the world converted into zombie machines.
Security firm Finjan has revealed that the gang created a Trojan horse program that can turn computers into robots capable of spewing spam and toppling sensitive government networks.
It said that only four out of 39 major antivirus products are capable of spotting the malware.
Cyber Criminals Industrialize to Increase Effectiveness
Cyber Criminals Industrialize to Increase Effectiveness: Via Threat Level.
SAN FRANCISCO -- Cybercriminals have become industrialized to increase their effectiveness. They are increasingly using encryption to cover their tracks and prevent forensic investigators from recovering evidence, according to Joe Stewart, security researcher for SecureWorks.
Stewart, speaking at the RSA Security Conference in San Francisco Wednesday, said the criminals are using virtual private networks to siphon stolen information from hacked companies so the stream of exiting data often goes undetected by the victim. They've also wised up to encrypting their hard drives so even when they're captured by authorities, evidence stored on their computers can't be cracked.