Showing results for tags 'botnet'.
-
Hello i am buying Stealer Botnet Keylogger logs which contains email password or username password please get intouch with me on ICQ or SKype i can pay via Bitcoins Perfect Money Webmoney and Paypal also available Thank you
-
On 29 November 2017, the Federal Bureau of Investigation (FBI), in close cooperation with the Luneburg Central Criminal Investigation Inspectorate in Germany, Europol’s European Cybercrime Centre (EC3), the Joint Cybercrime Action Task Force (J-CAT), Eurojust and private-sector partners, dismantled one of the longest running malware families in existence called Andromeda (also known as Gamarue). This widely distributed malware created a network of infected computers called the Andromeda botnet[1].

According to Microsoft, Andromeda’s main goal was to distribute other malware families. Andromeda was associated with 80 malware families and, in the last six months, it was detected on or blocked an average of over 1 million machines every month. Andromeda was also used in the infamous Avalanche network, which was dismantled in a huge international cyber operation in 2016.

Steven Wilson, the Head of Europol’s European Cybercrime Centre: “This is another example of international law enforcement working together with industry partners to tackle the most significant cyber criminals and the dedicated infrastructure they use to distribute malware on a global scale. The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us.”

One year ago, on 30 November 2016, after more than four years of investigation, the Public Prosecutor’s Office Verden and the Luneburg Police in Germany, the United States Attorney’s Office for the Western District of Pennsylvania, the Department of Justice, the FBI, Europol, Eurojust and global partners, had dismantled the international criminal infrastructure Avalanche. This was used as a delivery platform to launch and manage mass global malware attacks such as Andromeda, and money mule recruitment campaigns.
Insights gained during the Avalanche case by the investigating German law enforcement entities were shared, via Europol, with the FBI and supported this year’s investigations to dismantle the Andromeda malware last week. Jointly, the international partners took action against servers and domains, which were used to spread the Andromeda malware. Overall, 1500 domains of the malicious software were subject to sinkholing[2]. According to Microsoft, during 48 hours of sinkholing, approximately 2 million unique Andromeda victim IP addresses from 223 countries were captured. The involved law enforcement authorities also executed the search and arrest of a suspect in Belarus.

Simultaneously, the German sinkhole measures of the Avalanche case have been extended by another year. An extension of this measure was necessary, as globally 55 per cent of the computer systems originally infected in Avalanche are still infected today.

The measures to combat the malicious Andromeda software as well as the extension of the Avalanche measures involved the following EU Member States: Austria, Belgium, Finland, France, Italy, the Netherlands, Poland, Spain, the United Kingdom, and the following non-EU Member States: Australia, Belarus, Canada, Montenegro, Singapore and Taiwan.

The operation was supported by the following private and institutional partners: Shadowserver Foundation, Microsoft, Registrar of Last Resort, Internet Corporation for Assigned Names and Numbers (ICANN) and associated domain registries, Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE), and the German Federal Office for Information Security (BSI). The operation was coordinated from the command post hosted at Europol’s HQ.

[1] Botnets are networks of computers infected with malware, which are under the control of a cybercriminal. Botnets allow criminals to harvest sensitive information from infected computers, such as online banking credentials and credit card information.
A criminal can also use a botnet to perform cyberattacks on other computer systems, such as denial-of-service attacks.

[2] Sinkholing is an action whereby traffic between infected computers and a criminal infrastructure is redirected to servers controlled by law enforcement authorities and/or an IT security company. This may be done by assuming control of the domains used by the criminals or IP addresses. When employed at a 100% scale, infected computers can no longer reach the criminal command-and-control computer systems and criminals can therefore no longer control the infected computers. The sinkholing infrastructure captures victims’ IP addresses, which can subsequently be used for notification and follow-up through dissemination to National CERTs and network owners.
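The footnote describes the defender's side of a sinkhole: the redirected traffic yields victim IP addresses that are deduplicated and passed to the responsible CERTs and network owners. The following is an added example of that triage step, written for this page and not tooling from Europol, Shadowserver or any other partner named in the post. It assumes a constructed one-hit-per-line log format ("<ISO timestamp> <victim IP> <sinkholed domain>") and a constructed prefix-to-CERT table; the IPs are RFC 5737 documentation ranges and the domains are .invalid names.

```python
"""Triage of sinkhole hit logs for victim notification (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample hits: documentation IP ranges and .invalid domains,
# not real victims or real C&C hosts. One line is deliberately malformed.
SAMPLE_LOG = """\
2017-11-29T10:00:01Z 192.0.2.10 example-c2-1.invalid
2017-11-29T10:00:05Z 192.0.2.10 example-c2-2.invalid
2017-11-29T10:01:10Z 198.51.100.7 example-c2-1.invalid
2017-11-29T10:02:00Z 203.0.113.200 example-c2-3.invalid
2017-11-29T10:02:30Z 198.51.100.9 example-c2-1.invalid
this line is deliberately malformed and must be skipped
2017-11-29T10:03:00Z 192.0.2.11 example-c2-2.invalid
"""

# Constructed prefix table (assumption). A real deployment would use an
# IP-to-ASN/geo database plus the abuse contacts of each network owner.
PREFIX_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), ("AT", "cert@example-at.invalid")),
    (ipaddress.ip_network("198.51.100.0/24"), ("NL", "cert@example-nl.invalid")),
    (ipaddress.ip_network("203.0.113.0/24"), ("SG", "cert@example-sg.invalid")),
]


def parse_line(line):
    """Return (timestamp, ip, domain) for a well-formed hit, else None."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        ip = ipaddress.ip_address(parts[1])
    except ValueError:
        return None
    return ts, ip, parts[2]


def lookup(ip):
    """Map a victim IP to (country, CERT contact); unknown prefixes get ('??', None)."""
    for net, info in PREFIX_TABLE:
        if ip in net:
            return info
    return ("??", None)


def triage(log_text):
    """Deduplicate victim IPs and bucket them per CERT for notification.

    Returns (unique_victim_count, per_country_counts, notifications), where
    notifications maps a CERT contact to the victim records it should receive.
    """
    victims = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # malformed lines are dropped, never guessed at
        ts, ip, domain = rec
        v = victims.setdefault(ip, {"first_seen": ts, "last_seen": ts, "domains": set()})
        v["first_seen"] = min(v["first_seen"], ts)
        v["last_seen"] = max(v["last_seen"], ts)
        v["domains"].add(domain)

    per_country = defaultdict(int)
    notifications = defaultdict(list)
    # Sort by address so notification batches are deterministic.
    for ip, v in sorted(victims.items(), key=lambda kv: (kv[0].version, kv[0])):
        country, contact = lookup(ip)
        per_country[country] += 1
        if contact is not None:
            notifications[contact].append({
                "ip": str(ip),
                "first_seen": v["first_seen"].isoformat(),
                "last_seen": v["last_seen"].isoformat(),
                "domains": sorted(v["domains"]),
            })
    return len(victims), dict(per_country), dict(notifications)


if __name__ == "__main__":
    total, by_country, batches = triage(SAMPLE_LOG)
    print(f"{total} unique victim IPs; per country: {by_country}")
    for contact, records in batches.items():
        print(f"{contact}: {len(records)} victim(s)")
```

The per-IP record keeps first/last seen and the set of sinkholed domains, which is what a CERT needs to tell a one-off hit from a persistently infected host; the "unique IP" count is the figure quoted in press releases, and it undercounts hosts behind NAT and overcounts hosts on dynamic addresses, so it is a lower bound on reach rather than a machine count.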
-
I have a software requires a lot of installation on the pc If you have a botnet to install it Add my skype: Madckcc@hotmail.com We can talk about the price details My needs are unlimited as long as you can install
-
Neutrino Bot

- The main functional
* HTTP (S) flood (methods GET \ POST)
* Smart DDoS
* AntiDDOS flood (Emulation js \ cookies)
* Slowloris flood
* Download flood
* TCP flood
* UDP flood
* Loader (exe, dll, vbs, bat ... + can specify parameters for running the file)
* Keylogger (Multilanguage) (support for virtual keyboards (removal of screenshots in the clique size 60x60)) (possibility to monitor the specified window)
* Command shell (remote command execution using shell windows)
* Stealing files by mask (eg bitcoin wallets)
* Launch the browser with one of these links (aka Cheaters views)
* Spoofing Hosts
* Stilling Win keys
* Reproduction (USB \ Archive)
* Purity downloads (number found "neighbors" on the computer)
* Identifying the installed AV (on all Windows except Server)
* Update
* Work through the gasket

- Additional Features
* Anti debugging
* AntiVM
* Detect sandboxes
* Detect all online services automatic analysis
* BotKiller
* Bot protection (protection process \ file \ registry branches)
* Unlimited number of concurrent commands (Some teams have a higher priority than others, and their execution stops others)
* Unlimited number of backup domain
* Quiet operation even under a limited account
* Do not load the CPU

- Functional admin
* Flexible system for creating jobs
* Detailed statistics for bots
* Ability to give commands to each country separately or bot
* Customizable otstuk bots
* Sort bots in Articles IP \ Live \ Country \ OS
* System Bans.

- Weight uncompressed binary file ~ 50kb (PL - C)
- Boat tested on the entire line of Windows, from XP to 8.1 (x32/64)

Nb(password=neutrino).7z — RGhost — file sharing

Good Luck !!!
-
("Julius Kivimaki was found guilty of 50,700 "instances of aggravated computer break-ins" - young and devilish) SOURCE

A teenager involved in a series of high profile cyber attacks has been convicted for his crimes in Finland. Julius Kivimaki was found guilty of 50,700 "instances of aggravated computer break-ins". Court documents state that his attacks affected Harvard University and MIT among others, and involved hijacking emails, blocking traffic to websites and the theft of credit card details.

Despite the severity of the crimes, the 17-year-old has not been jailed. Instead, the District Court of Espoo sentenced the youth - who had used the nickname Zeekill - to a two-year suspended prison sentence. It also confiscated his PC and ordered him to hand over €6,588 (£4,725) worth of property obtained through his crimes. Judge Wilhelm Norrmann noted that Kivimaki had only been 15 and 16 when he carried out the crimes in 2012 and 2013.

"[The verdict] took into account the young age of the defendant at the time, his capacity to understand the harmfulness of the crimes, and the fact that he had been imprisoned for about a month during the pre-trial investigation," said a statement from the court.

One consultant, who advises Europol and others on cybercrime matters, expressed concern about the sentence. "Whilst I'm sure the courts considered all the circumstances surrounding the conviction and the sentence that was warranted, there is a question as to whether such sentences will act as a deterrent to other hackers," said the consultant, Alan Woodward. "It is not necessarily the place of the courts to factor in deterrence in their sentences.

"However, if I were another hacking group, was not that bothered about just having something on my record, and saw someone attract a suspended sentence for over 50,000 hacks, some of which caused significant damage, I don't think it would cause me much concern," he added.
Credit card fraud

Kivimaki was able to compromise more than 50,000 computer servers by exploiting vulnerabilities in a software program they ran called ColdFusion. By doing so, he was able to install "backdoors" into tens of thousands of the computers, which allowed him to retrieve information stored on them. Prosecutors had accused the teenager of adding malware to about 1,400 of the servers. They said this let him create a botnet, which he used to carry out denial of service (DoS) attacks on other systems - an action that bombards affected computers with internet traffic causing them to become overwhelmed. Chat logs discovered on Kivimaki's PC indicated he had used the botnet to attack the news site ZDNet and the chat tool Canternet.

Kivimaki was also accused of helping steal seven gigabytes worth of data, sent to and from email addresses ending in @mit.edu - the system used by the Massachusetts Institute of Technology. The court was told that MIT's traffic was redirected to a website hosted on a server run by Harvard University, where it could be examined. The company that provided MIT's email infrastructure, Educause, said it had incurred more than $213,000 (£139,000) worth of costs as a consequence.

In addition, Kivimaki was accused of obtaining credentials to access accounts belonging to MongoHQ, a Californian website database provider, which allowed him to search billing and payment card information belonging to its clients. Kivimaki was said to have subsequently used stolen credit information to successfully make online purchases on 21 occasions as well as to have shared the information with others. Evidence shown to the court included orders for champagne and shop vouchers. Kivimaki was also accused of being involved in a money laundering scheme involving the virtual currency Bitcoin, which he was said to have used to fund a trip to Mexico. He was eventually arrested in September 2013.
The security blogger Brian Krebs had previously linked Kivimaki to a notorious hacking group called Lizard Squad, which was involved in a separate, later series of attacks on Sony and Microsoft. However, Lizard Squad's activities were not mentioned in the court documents.
-
The federal government is seeking more legal power to step in and shut down botnets through an amendment to the existing criminal law, which would allow the Department of Justice to obtain injunctions to disrupt these malicious networks. The Obama administration has proposed an amendment to existing United States federal law that would give it a more powerful tool to go after botnets such as GameOver Zeus, Asprox and others.

In recent years, Justice, along with private security firms and law enforcement agencies in Europe, have taken down various incarnations of a number of major botnets, including GameOver Zeus and Coreflood. These actions have had varying levels of success, with the GOZ takedown being perhaps the most effective, as it also had the effect of disrupting the infrastructure used by the CryptoLocker ransomware. As part of those takedown operations, the Department of Justice files civil lawsuits against alleged operators of the botnets, and sometimes their hosting providers, and also obtains injunctions that enable the government to sinkhole C2 servers or take physical control of those machines. Now, the administration would like to expand those powers.

“One powerful tool that the department has used to disrupt botnets and free victim computers from criminal malware is the civil injunction process. Current law gives federal courts the authority to issue injunctions to stop the ongoing commission of specified fraud crimes or illegal wiretapping, by authorizing actions that prevent a continuing and substantial injury. This authority played a crucial role in the department’s successful disruption of the Coreflood botnet in 2011 and the Gameover Zeus botnet in 2014,” Leslie R. Caldwell, assistant attorney general in the criminal division at the Department of Justice, wrote in a blog post explaining the administration’s position.
“The problem is that current law only permits courts to consider injunctions for limited crimes, including certain frauds and illegal wiretapping. Botnets, however, can be used for many different types of illegal activity. They can be used to steal sensitive corporate information, to harvest email account addresses, to hack other computers, or to execute DDoS attacks against web sites or other computers. Yet — depending on the facts of any given case — these crimes may not constitute fraud or illegal wiretapping. In those cases, courts may lack the statutory authority to consider an application by prosecutors for an injunction to disrupt the botnets in the same way that injunctions were successfully used to incapacitate the Coreflood and Gameover Zeus botnets.” In order to obtain an injunction in these cases, the government would need to sue the defendants in civil court and show that its suit is likely to succeed on its merits. “The Administration’s proposed amendment would add activities like the operation of a botnet to the list of offenses eligible for injunctive relief. Specifically, the amendment would permit the department to seek an injunction to prevent ongoing hacking violations in cases where 100 or more victim computers have been hacked. This numerical threshold focuses the injunctive authority on enjoining the creation, maintenance, operation, or use of a botnet, as well as other widespread attacks on computers using malicious software (such as “ransomware” ),” Caldwell wrote. One hundred machines is a low number for a botnet, and indeed would barely even qualify as a botnet in today’s environment, which includes many networks comprising hundreds of thousands or millions of compromised PCs. Mark Jaycox, a legislative analyst for the EFF, said that the proposal from the Obama administration may be overreaching. “The blog post posits that IP/trade secret concerns are reasons that are not already covered to take down botnets. 
That’s a civil/private context and we’ve seen private companies use the Lanham Act to handle that angle. Seems like the DOJ is pushing for a more expansive law. As of now, we’ve seen DOJ been able to handle takedowns with the resources and laws that are already provided to them,” Jaycox said. “We’d like to see a particular use case where they couldn’t use their already aggressive interpretation of the current law to take down botnets. If anything, we should be narrowing the current anti-hacking statute and computer laws because of their excessive breadth.” Source
-
Euro cybercrime cops have taken down the RAMNIT botnet, which has infected 3.2 million computers worldwide, including 33,000 in the UK. The National Crime Agency's cybercrime unit worked with cops in the Netherlands, Italy and Germany to shut down command-and-control servers used by the botnet. One of the servers was housed in Gosport, Hampshire.

RAMNIT spread malware via innocuous-looking links sent in phishing emails or social networking websites, and has mainly been used to take money from bank accounts from people running Windows OSes. Europol was alerted to RAMNIT by Microsoft, after data analysis showed a big increase in infections. The operation to take down RAMNIT was co-ordinated by the Joint Cybercrime Action Taskforce based at Europol’s European Cybercrime Centre.

“This malware effectively gives criminals a back door so they can take control of your computer, access your images, passwords or personal data and even use it to circulate further spam messages or launch illegal attacks on other websites," said Steve Pye of the NCA’s national cybercrime Unit. “As a result of this action, the UK is safer from RAMNIT, but it is important that individuals take action now to disinfect their machines, and protect their personal information," he added.

The NCA is advising people to check whether their computer has been infected by downloading specialist disinfection software, which is available free of charge at CyberStreetWise or GetSafeOnline. Analysis is now taking place on the servers and an investigation is ongoing, said the NCA.

Source
-
Introduction

Botnets are still considered one of the most dangerous cyber threats. These malicious networks of compromised machines are used by cyber criminals and state-sponsored hackers for numerous activities, including DDoS attacks, spam campaigns, and financial scams. The principal problem for a botmaster is to make a botnet resilient against operations run by law enforcement. For operators it is essential to hide Command and Control servers and network traffic to avoid takeover of the malicious infrastructure. The Tor network offers a privileged environment for botmasters that could exploit the popular anonymizing network to hide the C&C servers.

Tor botnets

During the Defcon Conference in 2010, security engineer Dennis Brown discussed Tor-based botnets, highlighting the pros and cons of the choice to hide C&C servers in the Tor network. The principal advantages of Tor-based botnets are:
- Availability of Authenticated Hidden Services
- Availability of Private Tor Networks
- Possibility of Exit Node Flooding

Security researchers use traffic analysis to detect botnet activities and to localize the C&C servers. Typically they do this by using Intrusion Detection Systems and network analyzers. Once they’ve detected a botnet, the researchers and law enforcement have different options to eradicate it:
- Obscuration of the IP addresses assigned to the C&C server
- Cleaning of the server hosting the botnet and of the compromised hosts
- Domain name revocation
- Hosting provider de-peered

The botnet traffic is routed to the C&C server through the Tor network that encrypts it, making its analysis more difficult. Brown proposed the following two botnet models that exploit the Tor network:
- “Tor2Web proxy based model”
- “Proxy-aware malware over Tor network”

“Tor2Web proxy based model”

The routing mechanism relies on the Tor2Web proxy to redirect .onion web traffic.
The bot has to connect to the hidden service passing through the Tor2Web proxy pointing to an onion address that identifies the C&C server that remains hidden. The principal problem related to this approach is that it is easy to filter Tor2Web traffic, and a similar configuration could suffer from considerable latencies due to the Tor network that could make a botnet built with this approach unresponsive.

“Proxy-aware Malware over Tor network”

This approach is based on making use of proxy-aware malware. Due to the absence of the Tor2Web service, the bot agents have to run Tor clients on the infected hosts. The main difference with respect to the first solution is in the requirements for the bot agents and their configuration. Bots need to have SOCKS5 support to reach .onion addresses through the Tor network by loading Tor on the victims’ systems. This second approach is more secure because traffic isn’t routed through a proxy and it is entirely within the Tor network due to the direct connection between bots and C&C servers. This configuration avoids traffic interception from exit nodes that are not involved in the architecture. This approach is more complex from a bot perspective due to the complexity in managing the SOCKS5 interface and in botnet synchronization. This kind of botnet could be easily detected by the presence of Tor traffic on a network.

Strengths and weaknesses of Tor botnets

Among the strengths:
- Botnet traffic masquerades as legitimate Tor traffic
- Encryption prevents most Intrusion Detection Systems from finding botnet traffic
- P2P architecture makes botnets more resilient to take down
- Difficulty for the localization of the command and control servers (C&C)
- Hidden Services provide a Tor-specific .onion pseudo top-level domain, which is not exposed to possible sinkholing. The operator can easily move around the C&C servers just by re-using the generated private key for the Hidden Service.
Among the weaknesses:
- Complexity of botnet management
- Risk of botnet fragmentation
- Latency in the communication

Tor botnets: real cases

The Skynet botnet

One of the first examples of a Tor based botnet is the Skynet botnet that was discovered in December 2012 by experts at G-Data and Rapid7. The bot was a strain of the popular Zeus trojan, which included a Tor client for Windows and a bitcoin mining tool. The researchers at G-Data also reported that Skynet used hidden IRC services with Tor to control the malicious architecture. The Skynet botnet can fulfill different tasks such as mining bitcoin or providing bot agents to involve in illegal activities such as DDoS attacks or spam campaigns.

Figure 1 – Tor botnet

Mevade botnet

Going forward in time, we find the Mevade botnet (a.k.a. Sefnit, LazyAlienBiker). In September 2013 it caused a spike in the number of Tor users, which reached 5 million active users.

Figure 2 – Tor metrics: Mevade spikes Tor users

Authors of Mevade’s Tor variant appear to use the Russian language. The purpose of the botnet was the installation of adware and toolbars onto the victim’s systems, mine Bitcoin and steal sensitive information from the infected PC. Experts at TrendMicro revealed that the Mevade malware also had a “backdoor component and communicates over SSH to remote hosts” that made the agent ideal for data theft.

The Atrax crimekit

In November 2013, researchers from Danish security firm CSIS discovered a new crimekit, dubbed Atrax, which was sold in the underground market. One of the main features implemented by its authors is the ability to exploit Tor networks to communicate with Command & Control servers.
The Atrax crimekit was cheap – it was offered for $250, and among the other features implemented by its authors, there were:
- Virtual currency mining (Bitcoin mining and Litecoin mining)
- Browser data extraction
- Availability of a module to run DDoS attacks that offers complete support for both full IPv6 and IPv4 and implements the principal attack techniques including UDP Flood, TCP Flood, TCP Connect Flood, HTTP Slowloris, and many other methods.
- Data stealing, including Bitcoin wallets (such as Armory, Bitcoin-Qt, Electrum and Multibit).

Figure 3 – Atrax crimekit

The Atrax crimekit has a modular structure. The malware includes a series of add-ons that implement the functionalities described. A plugin which implements a data stealer was sold for $110, the form grabber runs for $300, and an experimental add-on for coin mining was sold for $140. It’s interesting to note that the Atrax crimekit was sold with free updates, bug fixes and support. Below is a list of standard features present in the Atrax crimekit:
- Kill
- Update
- Download (over Tor), Execute (Commandline-Parameter allowed)
- Download (over Tor), Execute (Commandline-Parameter allowed) in memory
- Install Plugin
- Installation List (A list with all installed applications)

64-bit ZeuS banking trojan using Tor network

In December 2013, security researchers at Kaspersky Lab detected a new strain of the popular Zeus trojan. The new variant was designed to operate on 64-bit, and authors enhanced the malicious code with the support of communication through the Tor network. This version of the popular banking trojan also used a web injection mechanism to steal banking credentials from the victim’s browser. It was also able to steal digital certificates and implement a keystroke logging feature. The authors implemented a communication mechanism with the C&C server over the Tor network, a feature that makes it more difficult for law enforcement and security firms to track botnets.
The 64-bit version of the Zeus banking trojan executes a Tor component, starting the svchost application in suspended mode and then injecting the Tor code into that process, running it in a stealth mode. The malicious traffic was routed through TCP port 9050 and the stolen data were sent to the onion domain with address egzh3ktnywjwabxb[.]onion.

“Tor.exe is launched indirectly — ZeuS starts the system svchost.exe application in suspended mode, then injects the tor.exe code into this suspended svchost.exe process, tunes the code to run properly and resumes execution of the suspended svchost,” Tarakanov explains. “As a result, instead of the system svchost.exe, the process actually starts executing tor.exe,” states the blog post published on SecureList.

Figure 4 – The Tor utility under the cover of the svchost.exe process creates an HTTP proxy server

Another peculiarity of the malware is that it instantiates a hidden service that creates a configuration file for any victims, which includes a unique private key for the service and an exclusive domain. The feature allows the botmaster to control the architecture via Tor.

“The botnet operator will be aware of the generated onion domain related to every infected machine as the malware informs the CnC about its tor domain name. So, when an infected machine is online the botnet operator can reach it connecting to its unique onion domain via the Tor network. One purpose of this approach is the remote control of the infected host. For example, one of these ports specifically listens to in the VNC function of ZeuS, obviously meaning that ZeuS provides remote desktop control to the operator via this port,” continues the post.

This version of the Zeus trojan was able to trigger its execution after one program within a list of 100 predefined applications is started.
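The article notes that a proxy-aware Tor botnet "could be easily detected by the presence of Tor traffic on a network", and the Zeus case above gives concrete network artefacts: a local SOCKS listener on TCP 9050 and a .onion C&C name. The following is an added example of that network-side triage, written for this page and not code from the article, from Dennis Brown's talk or from any vendor named here. It assumes constructed flow records ("<src ip> <src port> <dst ip> <dst port>"), constructed DNS query records ("<client ip> <name>"), a constructed relay list in RFC 5737 ranges (a real deployment would load the relay and exit lists the Tor Project publishes), and indicator weights that are assumptions to be tuned.

```python
"""Network-side triage of Tor usage indicators from flow and DNS logs (added example)."""
from collections import defaultdict

# Constructed "known Tor relay" addresses (documentation ranges, not real relays).
KNOWN_RELAYS = {"192.0.2.44", "198.51.100.80"}
# Tor's default relay ports (ORPort 9001, DirPort 9030). Weak on their own:
# any service may sit on these ports, so they only add weight.
TOR_DEFAULT_PORTS = {9001, 9030}
# Tor's default SOCKS port. A connection to it on a *different* host means a
# machine is using a remote SOCKS proxy, which is unusual on a corporate LAN.
TOR_SOCKS_PORT = 9050

# Weights are assumptions: one weak indicator should not page anyone.
WEIGHTS = {
    "known-tor-relay": 3,
    "onion-dns-leak": 3,
    "remote-socks-9050": 2,
    "tor-default-port": 1,
}
ALERT_THRESHOLD = 3

# Constructed sample telemetry (internal hosts in 10.0.0.0/8).
FLOWS = """\
10.0.0.5 50123 192.0.2.44 9001
10.0.0.5 50124 198.51.100.80 443
10.0.0.7 50200 203.0.113.9 443
10.0.0.9 50300 10.0.0.5 9050
10.0.0.7 50201 203.0.113.9 9030
"""
DNS_QUERIES = """\
10.0.0.5 abcdefghijklmnop.onion
10.0.0.7 www.example.com
"""


def classify_flow(src_ip, dst_ip, dst_port):
    """Return the Tor indicators a single flow matches."""
    hits = []
    if dst_ip in KNOWN_RELAYS:
        hits.append("known-tor-relay")
    if dst_port in TOR_DEFAULT_PORTS:
        hits.append("tor-default-port")
    if dst_port == TOR_SOCKS_PORT and dst_ip != src_ip:
        hits.append("remote-socks-9050")
    return hits


def scan(flow_text, dns_text):
    """Collect indicators per internal host. Returns {host: set(indicators)}."""
    indicators = defaultdict(set)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src_ip, _src_port, dst_ip, dst_port = parts
        for hit in classify_flow(src_ip, dst_ip, int(dst_port)):
            indicators[src_ip].add(hit)
    for line in dns_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        client, name = parts
        # .onion is a reserved special-use name (RFC 7686) that must never reach a
        # resolver; a query for one means software on that host tried to resolve
        # it outside Tor, which is exactly the misstep a Tor-using bot can make.
        if name.lower().rstrip(".").endswith(".onion"):
            indicators[client].add("onion-dns-leak")
    return dict(indicators)


def score(indicators):
    """Sum the weights of a host's indicators."""
    return sum(WEIGHTS[i] for i in indicators)


def hosts_to_investigate(flow_text, dns_text):
    """Internal hosts whose combined indicator score reaches the threshold."""
    found = scan(flow_text, dns_text)
    return sorted(h for h, inds in found.items() if score(inds) >= ALERT_THRESHOLD)


if __name__ == "__main__":
    for host, inds in sorted(scan(FLOWS, DNS_QUERIES).items()):
        print(host, sorted(inds), "score", score(inds))
    print("investigate:", hosts_to_investigate(FLOWS, DNS_QUERIES))
```

On the constructed data only 10.0.0.5 crosses the threshold: it talked to two listed relays, used the default ORPort and leaked a .onion lookup, while 10.0.0.7's single DirPort connection and 10.0.0.9's remote SOCKS use stay below it. This is the practical answer to the article's "encryption prevents most IDS from finding botnet traffic": the payload is opaque, but relay membership, default ports and name-resolution mistakes are visible metadata, and corroborating several of them per host is what keeps the rule from firing on every legitimate Tor Browser user.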
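The SecureList quote above describes the host-side artefact of this Zeus variant: a system svchost.exe started in suspended mode by the trojan and resumed running tor.exe, which then listens as a local proxy. The following is an added example of host-side triage for that pattern, written for this page and not Kaspersky's or SecureList's code. The events are constructed in a Sysmon-like shape, and the three rules are assumptions a defender would tune against a baseline: svchost.exe whose parent is not services.exe (the legitimate launcher), svchost.exe listening on the default Tor SOCKS port 9050, and a well-known system binary name executing outside the Windows system directory.

```python
"""Host-side triage for the Tor-in-svchost pattern (added example)."""
import ntpath
from collections import defaultdict

SYSTEM_DIR = r"c:\windows\system32"
TOR_SOCKS_PORT = 9050
# Assumption: names that legitimately live only in the system directory.
SYSTEM_BINARIES = {"svchost.exe", "spoolsv.exe", "lsass.exe"}

# Constructed events; paths and PIDs are illustrative only.
EVENTS = [
    {"type": "process", "pid": 1200, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "process", "pid": 3344, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Users\victim\AppData\Roaming\xwin.exe"},
    {"type": "listen", "pid": 3344, "image": r"C:\Windows\System32\svchost.exe",
     "port": 9050},
    {"type": "process", "pid": 4100,
     "image": r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\spoolsv.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "listen", "pid": 1200, "image": r"C:\Windows\System32\svchost.exe",
     "port": 135},
]


def basename(path):
    """Case-folded file name of a Windows path (ntpath works on any platform)."""
    return ntpath.basename(path).lower()


def in_system_dir(path):
    return ntpath.dirname(path).lower() == SYSTEM_DIR


def evaluate_event(ev):
    """Return the rule names this single event trips."""
    hits = []
    image = basename(ev["image"])
    if ev["type"] == "process":
        # Rule 1: a real svchost is spawned by services.exe; anything else is
        # a process started (or hollowed) by something that is not the SCM.
        if image == "svchost.exe" and basename(ev["parent_image"]) != "services.exe":
            hits.append("svchost-unexpected-parent")
        # Rule 3: a system binary name running from Startup, Temp, etc.
        if image in SYSTEM_BINARIES and not in_system_dir(ev["image"]):
            hits.append("system-binary-outside-system-dir")
    elif ev["type"] == "listen":
        # Rule 2: svchost has no business offering a SOCKS proxy on 9050.
        if image == "svchost.exe" and ev["port"] == TOR_SOCKS_PORT:
            hits.append("svchost-listening-9050")
    return hits


def evaluate(events):
    """Group tripped rules by PID so related events land in one finding."""
    findings = defaultdict(set)
    for ev in events:
        for rule in evaluate_event(ev):
            findings[ev["pid"]].add(rule)
    return {pid: sorted(rules) for pid, rules in findings.items()}


if __name__ == "__main__":
    for pid, rules in sorted(evaluate(EVENTS).items()):
        print(f"pid {pid}: {', '.join(rules)}")
```

Grouping by PID is the point: the hollowed svchost (PID 3344) trips the parent rule at creation and the port rule when Tor starts listening, and seeing both on one process is far stronger than either alone. The image path of a hollowed process still reads as the genuine System32 binary, so the path rule is there for the cruder variant of dropping a look-alike such as spoolsv.exe into a Startup folder rather than for this injection technique.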
ChewBacca financial malware

In early 2014 the researchers at RSA discovered a variant of the banking Trojan ChewBacca that was used to steal credit card data from infected POS systems. Also in this case, the botnet was controlled by servers hidden in the Tor network. According to the experts at RSA, the botnet based on the ChewBacca POS variant was used against customers in at least 11 countries (including US, Russia, Canada and Australia) since October 25, 2013. The malware was able to steal credit card data with “keylogger” capabilities or by dumping the memory content of POS systems in search of credit card details. The bot is able to collect track 1 and track 2 data of payment cards during purchases.

“Chewbacca code was compiled with Free Pascal 2.7.1. Once executed on a Windows based system, it drops as spoolsv.exe in the startup folder and also drops a copy of Tor 0.2.3.25.”

“After execution, the function “P$CHEWBACCA$_$TMYAPPLICATION_$__$$_INSTALL” is called, which drops itself as “spoolsv.exe” into the “Startup folder” (e.g. C:\Documents and Settings\All Users\Start Menu\Programs\Startup) and requests the public IP of the victim via a publicly accessible service at http://ekiga.net/ip (which is not related to the malware). Tor is dropped as “tor.exe” to the user’s Temp and runs with a default listening on “localhost:9050”.”

Figure 5 – ChewBacca console

The Bifrose malware

In August 2014, researchers from TrendMicro detected a new variant of the Bifrose malware leveraging the Tor network. The new variant of the Bifrose backdoor was used in a targeted attack against a device manufacturer. Bifrose has been around for many years, and it is quite easy to acquire in the underground. The malware has a data stealing ability, but it is mostly popular for its keylogging routines.
The variant detected by the malware experts at TrendMicro (detected as BKDR_BIFROSE.ZTBG-A – hash 5e2844b20715d0806bfa28bd0ebcba6cbb637ea1) leverages the Tor network to hide communications between the infected machines and the C&C server. “What makes this variant more elusive is its ability of Tor to communicate with its command-and-control [C&C] server,” reports a blog post published by TrendMicro.

The Bifrose malware was widely used by cyber criminals. In 2010 a threat actor targeted human resource (HR) personnel of different government offices, including the African Union and NATO. The Bifrose variant used in the targeted attack on the device manufacturer was able to perform the following operations, as explained in the blog post:
- Download a file
- Upload a file
- Get file details (file size, last modified time)
- Create a folder
- Delete a folder
- Open a file using ShellExecute
- Execute a command line
- Rename a file
- Enumerate all windows and their process IDs
- Close a window
- Move a window to the foreground

OnionDuke: APT Attacks exploited the Tor Network

In November 2014, the experts from F-Secure discovered a link between the crew operating a rogue Tor node used to spread OnionDuke malware and the MiniDuke APT. Just a month before, the security researcher Josh Pitts of Leviathan Security Group identified a Russian Tor exit node that was patching the binaries downloaded by the users with malware. The expert reported it to officials of the Tor Project, who flagged the Tor exit node as bad and shut it down. Further investigations on the case revealed that the threat actors that managed the node were serving malware through the explained scheme for more than a year.

Figure 7 – OnionDuke infection

The bad actors used the Tor exit node to serve a backdoor, dubbed OnionDuke, to the victim’s machine with a man-in-the-middle attack in the downloading phase. Security experts at F-Secure discovered that the rogue exit node was tied to the MiniDuke criminal crew.
MiniDuke is the name of a sophisticated cyber espionage campaign discovered in 2013 by experts at Kaspersky Lab and Hungary’s Laboratory of Cryptography and System Security (CrySyS). The MiniDuke APT infected dozens of machines at government agencies across Europe. Exploiting a security flaw in Adobe software, the malicious payload is dropped once the victim opens the malicious PDF file. The malware was used by attackers to steal sensitive data from government and high profile entities. The researchers speculated that the level of sophistication and the nature of the chosen targets suggest that the attacks are part of a state-sponsored espionage campaign.

According to the experts, “OnionDuke,” the malware spread through the bogus exit node, is a malware different from the ones used in the past by the threat actors behind the MiniDuke crew. It must be noted that all five domains contacted by OnionDuke aren’t dedicated malicious servers. Instead, they are legitimate websites compromised by threat actors. The experts identified different samples of the malware and multiple other components of the OnionDuke malware family, which were designed to execute specific tasks like data stealing. The analysis of the various samples allowed the researchers at F-Secure to discover the link with the MiniDuke gang. The owner of the Command & Control (C&C) server used to control a sample of the OnionDuke backdoor (W32/OnionDuke.A) is the same that was involved in the MiniDuke agent. This circumstance suggests that although OnionDuke and MiniDuke are two separate strains of malware, the threat actors behind them shared the control infrastructure.

“One component, however, is an interesting exception. This DLL file (SHA1 d433f281cf56015941a1c2cb87066ca62ea1db37, detected as Backdoor:W32/OnionDuke.A) contains among its configuration data a different hardcoded C&C domain, overpict.com, and also evidence suggesting that this component may abuse Twitter as an additional C&C channel.
What makes the overpict.com domain interesting, is it was originally registered in 2011 with the alias of ‘John Kasai’. Within a two-week window, ‘John Kasai’ also registered the following domains: airtravelabroad.com, beijingnewsblog.net, grouptumbler.com, leveldelta.com, nasdaqblog.net, natureinhome.com, nestedmail.com, nostressjob.com, nytunion.com, oilnewsblog.com, sixsquare.net and ustradecomp.com. This is significant because the domains leveldelta.com and grouptumbler.com have previously been identified as C&C domains used by MiniDuke,” reports F-Secure in the blog post.

CryptoWall Ransomware is resurrected with new features

In early 2015, the researchers at Cisco’s Talos group published an analysis of a new variant of CryptoWall ransomware that implements a series of new features, including the exploitation of the Tor anonymity network to hide its command-and-control infrastructure. The new variant of CryptoWall was improved by cyber criminals that applied the necessary modifications to its code to make it resilient to the operations of law enforcement. Cisco’s Talos Security Intelligence and Research Group reported that the new strain of the CryptoWall ransomware is able to distinguish between 32- and 64-bit architectures and to execute different versions for each OS, including the newest versions of Mac OS X.

“The latest Cryptowall 2.0, utilizes TOR to obfuscate the command and control channel. The dropper utilizes multiple exploits to gain initial access and incorporates anti-vm and anti-emulation checks to hamper identification via sandboxes. The dropper and downloaded Cryptowall binary actually incorporate multiple levels of encryption. One of the most interesting aspects of this malware sample, however, is its capability to run 64 bit code directly from its 32 bit dropper,” states the report.

The attack chain starts with a phishing mail that includes the CryptoWall variant in a “.zip” attachment.
The compressed archive included an exploit that relies on a Microsoft privilege escalation vulnerability (CVE-2013-3660) to compromise the target machine.

“CryptoWall 2.0 can be delivered through multiple attack vectors, including email attachments, malicious pdf files and even various exploit kits. In the sample that we analyzed, the dropper utilized CVE-2013-3660, ‘Win32k.sys Elevation of Privilege Vulnerability’ to achieve the initial privilege escalation on X86 based machines. This exploit works on 32 bit OSs starting with Vista. The dropper even includes a 64-bit DLL that is able to trigger the exploit in all the vulnerable AMD64 Windows Systems.”

This new variant of CryptoWall also implements an anti-VM and anti-emulation check pass that prevents the execution in a virtualized environment for malware analysis. CryptoWall implements a multistep decryption. In the first phase, it decrypts just a first portion of code to check if it is running in a virtualized environment. If it passes the check, it then continues to decrypt. According to the Cisco researchers, the feature could be exploited to prevent the execution of the malware by adding fake entries in the file system that indicate a virtual machine is running.

Once it has infected the machine, the sample connects to the Tor servers with an encrypted SSL connection on port 443 or 9090. The C&C servers discovered by the researchers were using the following Tor URLs:
- crptarv4hcu24ijv.onion
- crptbfoi5i54ubez.onion
- crptcj7wd4oaafdl.onion

“Using hardcoded IP address in the PE, the malware connects to the TOR Server with an encrypted SSL connection on port 443 or 9090. After successfully connecting, it starts to generate the Cryptowall domain names using a customized Domain Generation Algorithm (DGA). The algorithm is located at offset + 0x2E9FC.”

Critroni ransomware

Recently a security researcher analyzed a new ransomware dubbed Critroni, which is being sold in different underground forums.
Critroni (aka CTB-Locker) is the name of a new ransomware that has been recently included in the Angler exploit kit. A detailed analysis of the ransomware was posted on “Malware.dontneedcoffee.com” by the French security researcher Kafeine. Critroni implements many functionalities, including the ability to exploit the Tor network to host its command and control.

“Placing a server in onion-domain (TOR), close to domain abuse can not be practically impossible to trace the owner and shut down the server. Connection to the server only after encryption of all files. Early Detection is not possible on the traffic, it is impossible to block the work of the locker. Blocking TOR prevents only payment the user, not the program. Analogs are connected to the server until the crypt and can block,” states the ad for the malware.

The experts explained that the success of the Critroni ransomware was helped by the takedown of GameOver Zeus carried out by law enforcement last year. The botnet in fact was used by cyber criminals to serve CryptoLocker ransomware. Around the same time in mid-June, security researchers began seeing advertisements for the Critroni ransomware on underground forums. The malware was sold for around $3,000. The Critroni agent was initially spread exclusively in Russia; later its presence was detected in many other countries worldwide. Many criminal groups are using Critroni for their extortion activities. They used to serve the ransomware as part of the Angler exploit kit, which serves a spambot on victims’ machines. The spambot module is used by malware authors to drop a couple of other payloads. One of them is Critroni. Critroni encrypts a variety of files on the targeted machine and then displays a dialogue box that demands a payment in Bitcoins in order to decrypt the files.

Figure 8 – Critroni ransomware

Victims have to pay the ransom within 72 hours. If they don’t have any Bitcoins, the ransomware provides detailed instructions on how to acquire them.
I2P botnet: real cases

Not only Tor network – CryptoWall 3.0 uses I2P network

The Tor network isn’t the only anonymizing network exploited by malware authors to hide their malicious infrastructure. In early 2015 a new version of the infamous CryptoWall ransomware was spotted by Microsoft, just a week after Cisco’s Talos Security Intelligence and Research Group announced the discovery of a new strain of the same malware that exploits the Tor network. The new variant of CryptoWall ransomware, like others, is distributed via malicious email and through malvertising campaigns. This variant was dubbed by the researchers CryptoWall 3.0 or Win32/Crowti, and it isn’t so different from previous instances. However, the experts noted that the names of the files containing the ransom demand have been changed to “HELP_DECRYPT.” This variant customizes files for each infected machine and provides victims a personalized link to a page that includes instructions. The instruction page is still reached through the Tor network. The victims of CryptoWall 3.0 are given 7 days to pay $500 in Bitcoins if they want to decrypt their documents, but if they don’t pay in 7 days, the ransom increases to $1,000. On January 12, Microsoft identified 288 unique CryptoWall ver. 3.0 infections. “The graph below shows the spike after two days of no activity from 288 unique machines affected by this malware,” reads the post published by Microsoft.

Figure 9 – Cryptowall ver. 3.0 infections

The French researcher Kafeine who analyzed CryptoWall 3.0 reported that the communications to the C&C servers are encoded with the RC4 cipher. Another feature implemented in the latest variant of the malware is the support of I2P (Invisible Internet Project) for C&C communications. “It seems communication with the C&C are Rc4 encoded (key seems to be alphanum sorted path of the POST ) and using i2p protocol,” said Kafeine.
I2P is another anonymizing network used to hide the location of the control servers and make the botnet’s C&C resilient to law enforcement. Also recently, a new version of the popular black market Silk Road, Silk Road Reloaded, migrated to I2P, probably because at this moment there is the conviction that it is more secure than Tor.

It happens now … new Dyre banking trojan variant

A few days ago, the experts at TrendMicro spotted a new variant of the DYRE/Dyreza banking malware with new propagation and evasion techniques. The malware is spread through malicious emails containing the Upatre downloader disguised as a fax or the details of a package delivery, but once it is executed, the downloader drops the new Dyre variant, which in turn downloads the WORM_MAILSPAM.XDP worm. The propagation technique implemented by the cyber criminals is very effective. The worm exploits the Microsoft Outlook email client present on the victim’s machine to spread spam emails with the Upatre downloader attached to them. The emails aren’t sent to the victim’s contacts; instead they are sent to email addresses passed by the C&C server. Once the emails are sent by the worm, it deletes itself. This variant of Dyre uses hard-coded IP addresses. The malware authors also implemented backup mechanisms for the command and control infrastructure that rely on a URL provided by the malware’s domain generation algorithm (DGA) or a hard-coded address of a C&C server hidden on the Invisible Internet Project (I2P) network.

Figure 10 – Dyre I2P

In this case, the I2P network is used as a supplementary way to control the botnet, a choice to make it more resilient to attacks.

Conclusion

Security experts believe that malware authors will continue to exploit anonymizing networks like Tor and I2P. Analyzing the timeline of malware detections made by principal security firms, cyber criminals have been increasing the adoption of such networks since 2012.
Figure 11 – Malware in the Deep Web (Security Affairs)

Malware authors will exploit the Deep Web basically as a backup mechanism for their botnets and to make them more resistant to various kinds of attacks operated by law enforcement.

References
- Skynet, the potential use of Tor as a bulletproof botnet | Security Affairs
- OnionDuke: APT Attacks exploited the Tor Network | Security Affairs
- New crimekit Atrax exploits Tor, mines Bitcoin and much more | Security Affairs
- Detected 64-bit ZeuS banking trojan using Tor network | Security Affairs
- http://securityaffairs.co/wordpress/27885/cyber-crime/bifrose-uses-tor.html
- http://blogs.cisco.com/security/talos/cryptowall-2
- http://malware.dontneedcoffee.com/2014/07/ctb-locker.html
- http://securityaffairs.co/wordpress/26763/cyber-crime/critroni-ransomware-use-tor.html
- http://securityaffairs.co/wordpress/31993/cyber-crime/cryptowall-ransomware-2-0.html
- http://securityaffairs.co/wordpress/21795/malware/tor-based-chewbacca-infect-pos.html
- https://community.rapid7.com/community/infosec/blog/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit
- https://www.defcon.org/images/defcon-18/dc-18-presentations/D.Brown/DEFCON-18-Brown-TorCnC.pdf
- https://blog.gdatasoftware.com/blog/article/botnet-command-server-hidden-in-tor.html
- http://securityaffairs.co/wordpress/13747/cyber-crime/http-botnets-the-dark-side-of-an-standard-protocol.html
- http://contagiodump.blogspot.it/2014/11/onionduke-samples.html?m=1
- http://securelist.com/blog/events/58184/the-inevitable-move-64-bit-zeus-enhanced-with-tor/
- http://securityaffairs.co/wordpress/17601/cyber-crime/botnet-behind-tor-traffic-surge.html

Source: http://resources.infosecinstitute.com/hunting-malware-deep-web/
-
After being disrupted by law enforcement in December 2013, the peer-to-peer (P2P) ZeroAccess botnet – also known as Sirefef – has resumed advertising click fraud activities, according to the Dell SecureWorks Counter Threat Unit (CTU). The team first noticed the botnet reactivating from March 21, 2014, to July 2, 2014, and then on Jan. 15 it started to distribute click-fraud templates to compromised systems, a Wednesday post indicates, noting that the botnet is made up of hosts from previous compromises and there have been no observed attempts to expand the botnet. Currently, the ZeroAccess botnet's infection base is around 55,000 systems, which is considerably lower than the reported two million systems that were infected when the botnet was taken down at the end of 2013, Jeff Williams, director of security strategy with the Dell SecureWorks CTU, told SCMagazine.com on Friday. “The current campaign may be small by design [perhaps in order to] evade detection, and it may be largely outside of the United States and Europe as a method to avoid those law enforcement agencies which were involved in the takedown operation (FBI in the U.S. and EC3 in Europe),” Williams said. According to a geographic distribution of ZeroAccess botnet peers included in the post, Japan has 15,322 hosts, or 27.7 percent of total infections. India is the runner-up with 7,446 hosts, or 13.5 percent of total infections, and the U.S. came in fifth with 2,540 hosts, or 4.6 percent of total infections. “There are a variety of ways that a criminal will infect systems with malware,” Williams said. “A common method right now is through the use of an exploit kit, embedded in a hidden frame on a webpage. In some cases, these malicious frames are part of a malicious advertising campaign and delivered through the same advertising networks which they are intending to defraud.” Threat actors typically benefit from click fraud through the cost per click model of online advertising, Williams said. 
He explained that “the miscreant will leverage software – often in the form of a bot – to click through advertisements repeatedly in order to either generate revenue in a [cost per click] model or to exhaust the advertising budget of a rival.” Click fraud often involves the use of a botnet so that clicks on advertisements are not seen coming from the same computer, Williams said. He explained that clicking from the same computer would trigger anti-fraud measures and that the clicks would be removed from the payout calculations, whereas using a botnet helps fraudsters remain undetected. “The losers in a click fraud scenario from a monetary perspective are the advertisers,” Williams said. “They have invested money to have their advertisements viewed by people who may be interested in their product or service. They pay a finite amount which, when the [cost per click or cost per mille] limit is reached for that campaign, their ads are no longer displayed.” Source
-
Does anyone know a botnet with a shutdown function? Or a program that can turn off a PC from another PC?
-
http://youtu.be/rbf9_O1fo_w [GRABS THE LATEST Internet Explorer, Firefox, Chrome Browsers] [Form grabber] (Ring3 Rootkit) (Steals all latest browsers) (Steals HTTPS and HTTP) (All Logins) (This Tutorial is for Educational Purpose Only. You agree to take sole responsibility for however you apply this knowledge) Download link: | Yahoo Messenger: censored | Skype: censored
-
Hi. Which is the best botnet that has HTTP and UDP DDoS?
-
Data breaches and security incidents are a constant in the headlines these days. Hackers and cyber criminals are motivated by status or money and are finding new, innovative and more creative attacks to achieve this. One of them is digital bank robbery, where the thieves don't need masks and guns to pull off the job; all they need are hacking skills, a computer and the Internet. Another is cyber extortion: the threat of an attack against an enterprise or a bank, coupled with a demand for money to avert or stop the attack. According to Haaretz news, a hacker, who is the operator of the biggest botnet malware network in Israel, has threatened 3 major Israeli banks, i.e. Israel Discount Bank, Bank Yahav and the First International Bank of Israel. The banks' databases, networks and websites were not breached in this case; rather, the hacker claimed that he holds a huge financial trojan botnet network in Israel that has already infected millions of systems across the nation and collected a massive dump of stolen personal information, passwords, banking information and credit card numbers of 3.7 million users. The hacker has demanded the payoff in Bitcoin, an untraceable virtual currency, perfect for blackmailers and cyber criminals. Bitcoin is not backed by any central bank or government and can be transferred "peer to peer" between any two people anywhere. The banks declined to comment on the report and immediately reported the threat to the Israel Police. According to the source, some of them do not see the threat as serious. The Bank of Israel held a meeting on Tuesday on the issue; we will update you soon about their next step with a new article. Cyber attacks are becoming more and more advanced and sophisticated, and more or less any company in the world is on the list of targets to rob. You should keep updating your knowledge about the cyber world to stay safe from all threats.
Source: Hacker threatens to sell data of 3.7 Million Israeli Bank Customers, demands extortion money in Bitcoin
Personal note: Don't be fooled, like the journalists, into using the term "hacker" for any crook who steals money.
-
Microsoft didn’t wait long after unveiling its state-of-the-art cybercrime center to make a calculated strike against online scam artists. The new facility, based on the company campus in Redmond, Wash., is already collaborating with law enforcement agencies worldwide to disrupt the sprawling and insidious ZeroAccess botnet—which not incidentally represents a grave threat to Microsoft customers and the tech giant itself. ZeroAccess, sometimes identified as max++ or Sirefef, has harnessed the processing power of as many as 2.2 million enslaved PCs to carry out Bitcoin mining operations and other moneymaking schemes. Victims are tricked, in a variety of ways, into downloading a Trojan rootkit, which not only allows for further infiltration of a device but cleverly conceals any evidence of a malware attack, ensuring continued access. Security blogger Brian Krebs wrote about how the botnet was recently tweaked so that infected computers would participate in so-called click fraud, “the practice of fraudulently generating clicks on ads without any intention of fruitfully interacting with the advertiser’s site.” That activity costs online advertisers as much as $2.7 million a month—so while the security and privacy of Microsoft Windows users are certainly compromised, ZeroAccess is bad for business across the board. Working closely with the FBI, the cybercrime divisions of Europol and several European countries, and other industry players including A10 Networks—a sure indication of the increasingly cozy relationship between government and private tech, at least where their interests align—Microsoft filed a civil suit against eight individuals believed to be operating the ZeroAccess botnet. The company was also authorized “to simultaneously block incoming and outgoing communications between computers located in the U.S. and the 18 identified Internet Protocol (IP) addresses being used to commit the fraudulent schemes,” according to Europol. 
So far, it’s been hard to gauge the impact of these moves, and it’s not as though the infected computers will be suddenly “cured.” As Krebs explained, the damage was done to “servers that deliver a specific component of ZeroAccess that gives infected systems new instructions on how to defraud various online advertisers.” That may significantly slow the spread of malware; stopping it altogether would be a more difficult matter. The problem, according to Dell SecureWorks researcher Brett Stone-Gross, who has studied the resilience of malicious botnets in detail, is that ZeroAccess and similar entities are built to withstand such a blow. With a peer-to-peer network that scraps any point of failure to keep the rest of the botnet active, the operators can release a new plugin “to restart their click fraud and search engine hijacking activities,” he said. Indeed, in response to the disruption the criminals swiftly uploaded a template identified as “zooclicker” to the millions of still-infected PCs and got their click-fraud scheme humming again—but it didn’t last, and the servers went down soon after. The next configuration files to appear carried the text “WHITE FLAG,” though there’s no telling if the surrender is permanent or even a simple feint. One gets the feeling, rather, that this war has just begun. Source: The Daily Dot More details: krebsonsecurity.com
-
The PokerAgent botnet, discovered in 2012 by ESET Security Research Lab, is a Trojan horse designed to harvest Facebook log-on credentials, also collecting information on credit card details linked to the Facebook account and Zynga Poker player stats. According to the latest report, the botnet is still active, mostly in Israel, and 800 computers were infected, with over 16194 Facebook credentials stolen. The Trojan is active with many variants and belongs to the MSIL/Agent.NKY family. ESET revealed that the Trojan is coded in the C# language and is easy to decompile. After deep analysis, the team found that the bot connects to the C&C server. On command, the Trojan accesses the Facebook account of the victim and collects the Zynga Poker stats and the number of payment methods (i.e. credit cards) saved in the Facebook account. Once collected, the information is sent back to the C&C server. The Trojan is downloaded onto the system by another downloader component. This downloader component was seen on the web and the victims have been fooled into downloading it. ESET's tracking of the botnet revealed that at least 800 computers have been infected with the Trojan and that the attacker had at least 16194 unique entries in his database of stolen Facebook credentials by March 20, 2012. "We advise careful consideration before allowing a browser or other app to ‘remember’ passwords for sensitive services and before storing credit card details into any application (not only Facebook!)," ESET advises. Via PokerAgent botnet stole over 16,000 Facebook credentials - Hacking News
-
DC++ Botnet. I'm selling my botnet on dc++ (dns, 160-180 bots, FUD exe). The bot has: TCP, UDP, KEY Attack, Mirror (a kind of proxy). It is quite stable and powerful, nobody can break it (the bot can only be controlled if you have an account on the dc++ hub). The price is $50: Paypal, Western Union, card transfer. I also accept tests, but don't come with targets like microsoft, google, yahoo or anything like that. Spreading: I guarantee 4-5K logs per day or 100-150 bots per day. Method: upload to the main trackers in Romania (Filelist, ExtreameShare, Xplor, etc). Price $50 / month, $25 for 2 weeks, $15 for 1 week. Contact: PM