Continue reading »]]> DAILY NEWS

February 18th 2010

http://www.nydailynews.com/news/2010/02/18/2010-02-18_kneber_botnet_virus_attacks_75000_computers_worldwide_including_us_government_sy.html

A new computer virus has infected almost 75,000 computers worldwide – including 10 U.S. government agencies – collecting login credentials from online financial, social networking sites and email systems and reporting back to hackers.

The virus, dubbed the Kneber botnet, is thought to be the brainchild of an Eastern European criminal group that is likely selling the information on the black market, according to the Internet security firm NetWitness, which uncovered the attacks in January.

The attacks are continuing and corporate losses are still being compiled, said NetWitness chief technology officer Tim Belcher.

The FBI, Department of State and Department of Homeland Security have been notified, Belcher said.

The crime groups “running this activity are every bit as expert at compromising systems and siphoning off information as nation states,” according to Belcher.

“They’re well funded, motivated and successful.” Hackers using the new virus have infiltrated the computer networks of more than 2,400 companies in almost 200 countries over an 18-month period, the Herndon, Va.-based computer security firm reported.

Further investigation revealed that many commercial and government systems were compromised, including 68,000 corporate login credentials and access to email systems, online banking sites, Yahoo, Hotmail and social networks such as Facebook.

Infiltrated companies include pharmaceutical giant Merck & Co., Cardinal Health Inc., software firm Juniper Networks and Paramount Pictures, the Wall Street Journal reported Thursday.

Hackers reportedly used the virus to break into computers at 10 U.S. government agencies and in one case obtained the user name and password for a soldier’s military e-mail account.

Companies in Egypt, Mexico, Saudi Arabia, Turkey and the U.S. are the most frequently targeted in the attack, according to a research paper released by NetWitness.

The attack uses a piece of software called ZeuS, designed in Eastern Europe, that takes control of large numbers of computers.

ZeuS is among the top five most reported computer infections, according to the Department of Homeland Security.

“These large-scale compromises of enterprise networks have reached epidemic levels,” said Amit Yoran, CEO of NetWitness and former Director of the National Cyber Security Division.

“Cyber criminal elements like the Kneber crew quietly and diligently target and compromise thousands of government and commercial organizations across the globe.”

Yoran said that conventional intrusion detection systems are “inadequate for addressing Kneber or most other advanced threats.”

Continue reading »]]> ‘Kill Zeus’ removes rival software from PCs, giving Spy Eye access to usernames, passwords

By Robert McMillan

IDG News Service

February 9, 2010

http://www.computerworld.com/s/article/9154618/New_Russian_botnet_tries_to_kill_rival

IDG News Service – An upstart Trojan horse program has decided to take on its much-larger rival by stealing data and then removing the malicious program from infected computers.

Security researchers say that the relatively unknown [Spy Eye toolkit] added this functionality just a few days ago in a bid to displace its larger rival, known as Zeus.

The feature, called “Kill Zeus,” apparently removes the Zeus software from the victim’s PC, giving Spy Eye exclusive access to usernames and passwords.

Zeus and Spy Eye are both Trojan-making toolkits, designed to give criminals an easy way to set up their own “botnet” networks of password-stealing programs. These programs emerged as a major problem in 2009, with the U.S. Federal Bureau of Investigation estimating last October that they have caused $100 million in losses.

Trojans such as Zeus and Spy Eye steal online banking credentials. This information is then used to empty bank accounts by transferring funds to so-called money mules — U.S. residents with bank accounts — who then move the cash out of the country.

Sensing an opportunity, a number of similar Trojans have emerged recently, including Filon, Clod and [Bugat], which was discovered just last month.

Spy Eye popped up in Russian cybercrime forums in December, according to Symantec Senior Research Manager Ben Greenbaum.

With its “Kill Zeus” option, Spy Eye is the most aggressive crimeware, however. The software can also steal data as it is transferred back to a Zeus command-and-control server, said Kevin Stevens, a researcher with SecureWorks. “This author knows that Zeus has a pretty good market, and he’s looking to cut in,” he said.

Turf wars are nothing new to cybercriminals. Two years ago a malicious program called Storm Worm began attacking servers controlled by a rival known as Srizbi. And a few years before that, the authors of the Netsky worm programmed their software to remove rival programs Bagle and MyDoom.

Spy Eye sells for about $500 on the black market, about one-fifth the price of premium versions of Zeus. To date, it has not been spotted on many PCs, however.

Still, the Trojan is being developed quickly and has a growing list of features, Greenbaum said. It can, for example, steal cached password information that is automatically filled in by the browser, and back itself up via e-mail. “This is interesting in its potential, but it’s not currently a widespread threat at all,” he said.

Continue reading »]]> With botnets everywhere, DDoS attacks get cheaper

By Robert McMillan ,

IDG News Service,

October 15, 2009

http://www.networkworld.com/news/2009/101509-with-botnets-everywhere-ddos-attacks.html?hpg1=bn

Cyber-crime just doesn’t pay like it used to.

Security researchers say the cost of criminal services such as distributed denial of service, or DDoS, attacks has dropped in recent months. The reason? Market economics. “The barriers to entry in that marketplace are so low you have people basically flooding the market,” said Jose Nazario, a security researcher with Arbor Networks. “The way you differentiate yourself is on price.”

Criminals have gotten better at hacking into unsuspecting computers and linking them together into so-called botnet networks, which can then be centrally controlled. Botnets are used to send spam, steal passwords, and sometimes to launch DDoS attacks, which flood victims’ servers with unwanted information. Often these networks are rented out as a kind of criminal software-as-a-service to third parties, who are typically recruited in online discussion boards.

DDoS attacks have been used to censor critics, take down rivals, wipe out online competitors and even extort money from legitimate businesses. Earlier this year a highly publicized DDoS attack targeted U.S. and South Korean servers, knocking a number of Web sites offline.

Are botnet operators having to cut costs like other businesses in these troubled economic times? Security researchers don’t know if that’s been a factor, but they do say that the supply of infected machines has been growing. In 2008, Symantec’s Internet sensors counted an average of 75,158 active bot-infected computers per day, a 31 percent jump from the previous year.

DDoS attacks may have cost hundreds or even thousands of dollars per day a few years ago, but in recent months researchers have seen them going for bargain-basement prices.

Nazario has seen DDoS attacks offered in the US$100-per-day range, but according to SecureWorks Security Researcher Kevin Stevens, prices have dropped to $30 to $50 on some Russian forums.

And DDoS attacks aren’t the only thing getting cheaper. Stevens says the cost of stolen credit card numbers and other kinds of identity information has dropped too. “Prices are dropping on almost everything,” he said.

While $100 per day might cover a garden-variety 100MB/second to 400MB/second attack, it might also procure something much weaker, depending on the seller. “There’s a lot of crap out there where you don’t really know what you’re getting,” said Zulfikar Ramzan, a technical director with Symantec Security Response. “Even though we are seeing some lower prices, it doesn’t mean that you’re going to get the same quality of goods.”

In general, prices for access to botnet computers have dropped dramatically since 2007, he said. But with the influx of generic and often untrustworthy services, players at the high end can now charge more, Ramzan said.

Continue reading »]]> Being part of a botnet is no fun. Your computer becomes your worst enemy, watching everything you do, collecting all of your secrets, and then delivering all that data to the bot-herder; the person who originated the network. But what does it really mean to be part of a botnet, and is there anything that can you do about it?

According to a report from The Associated Press, Internet security company Prevx recently discovered a Web site that was being used as a storage facility for data stolen from 160K infected computers, and the discovery offers an interesting case study.

The storage site was hosted in the Ukraine and its contents showed that the botnet was harvesting data. Information found included passwords, social security numbers, credit card numbers, addresses, telephone numbers and other personal information; quite a treasure chest if you’re into identity theft.

“One Southern California 22-year-old could be seen registering a domain name with 
GoDaddy.com, changing his Yahoo e-mail password and ordering a meal online from Pizza Hut. His credit card number, birth date, telephone number, address and passwords are now all in criminals’ hands, though it’s unclear what, if anything, criminals have done with the information yet,” the AP notes.

But it wasn’t just individuals that were targeted. According to the article, both government and bank sites had also been compromised. The Associated Press contacted one bank customer whose Social Security number and other personal details were compromised during the attack, only to learn that he hadn’t been notified by the bank.