Security

Read all 'botnet' posts in Security
October 8, 2009 10:25 AM PDT

Comcast pop-ups alert customers to PC infections

by Elinor Mills
  • 47 comments

Comcast is launching a trial on Thursday of a new automated service that will warn broadband customers of possible virus infections, if the computers are behaving as if they have been compromised by malware.

For instance, a significant overnight spike in traffic being sent from a particular Internet Protocol address could signal that a computer is infected with a virus taking control of the system and using it to send spam as part of a botnet.

Comcast is launching a trial of a service that will warn customers via a browser pop-up that their computers may have been compromised by malware.

(Credit: Comcast)

The alerts are triggered "when we see computers on our network that are doing things that are known bot activities--say, a computer is spewing out thousands of spam e-mails," said Jay Opperman, senior director of security and privacy at Comcast.

The Philadelphia-based cable giant, which is the largest residential Internet service provider in the United States, with 15.3 million consumer customers, also is alerted to compromised customer computers when an IP address of one of its customers is identified as the source of spam on an industry spam list, Opperman said.
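The two triggers Opperman describes, an overnight spike in outbound mail from one customer IP and a hit on an external spam list, are easy to express as a heuristic over flow records. The following is an added example, not Comcast's code: the flow lines are synthetic, the thresholds are assumptions, and the spam list is a made-up set.

```python
"""Bot-behaviour heuristics of the kind the Comcast trial describes.

Constructed example (not Comcast's code): the flow records are synthetic,
the thresholds are assumptions, and the spam list is a hypothetical set.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

SMTP_PORT = 25
# Assumed thresholds: at least this many outbound SMTP flows in one hour,
# and at least this multiple of the host's own usual hourly rate.
MIN_SMTP_PER_HOUR = 500
SPIKE_FACTOR = 20

# Hypothetical external spam-list entries for the example.
SAMPLE_SPAM_LIST = {"10.0.0.9", "192.0.2.44"}


def build_sample_log():
    """Construct one day of 'timestamp src_ip dst_port bytes' lines (synthetic)."""
    lines = []
    for hour in range(24):
        ts = datetime(2009, 10, 8, hour).isoformat()
        # 10.0.0.7: a normal customer relaying a few messages every hour.
        lines += [f"{ts} 10.0.0.7 25 900"] * 3
        # 10.0.0.5: quiet all day, then 1,200 SMTP connections in the 02:00 hour.
        lines += [f"{ts} 10.0.0.5 25 1500"] * (1200 if hour == 2 else 2)
        # 10.0.0.9: only HTTPS traffic, but named by the external spam feed.
        lines.append(f"{ts} 10.0.0.9 443 4000")
    return "\n".join(lines)


def parse_flows(text):
    """Parse flow lines into (datetime, src_ip, dst_port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, port, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), ip, int(port), int(nbytes)))
    return flows


def hourly_smtp_counts(flows):
    """Count outbound SMTP flows per source IP per clock hour."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, ip, port, _ in flows:
        if port == SMTP_PORT:
            counts[ip][ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def find_spam_spikes(counts):
    """Flag hours whose SMTP count dwarfs the host's own typical hourly rate."""
    alerts = []
    for ip, per_hour in counts.items():
        for hour, n in per_hour.items():
            # Baseline: the median of this host's other hours (floor of 1).
            others = [c for h, c in per_hour.items() if h != hour] or [0]
            baseline = max(median(others), 1)
            if n >= MIN_SMTP_PER_HOUR and n >= SPIKE_FACTOR * baseline:
                alerts.append({"ip": ip, "reason": "smtp-spike",
                               "hour": hour.isoformat(), "count": n,
                               "baseline": baseline})
    return alerts


def find_listed_hosts(flows, spam_list):
    """Flag customer IPs that an external spam feed names as a spam source."""
    seen = {ip for _, ip, _, _ in flows}
    return [{"ip": ip, "reason": "spam-list"} for ip in sorted(seen & set(spam_list))]


def generate_alerts(text, spam_list):
    """Run both heuristics over a flow log and return the combined alert list."""
    flows = parse_flows(text)
    return find_spam_spikes(hourly_smtp_counts(flows)) + find_listed_hosts(flows, spam_list)


if __name__ == "__main__":
    for alert in generate_alerts(build_sample_log(), SAMPLE_SPAM_LIST):
        print(alert)
```

The per-host baseline matters: a small business that relays a steady few hundred messages an hour should not trip the same fixed threshold as a home PC that suddenly starts sending thousands.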

Customers in Denver are set to begin receiving notifications that their system may be infected with a virus or other malware via a pop-up message in the browser, as part of the new free service, called Comcast Constant Guard. The "Service Notice" will include a link to a Comcast security Web site where customers can follow a set of instructions to remove the malware from their computer.

If customers don't have antivirus software, they can download McAfee Internet Security Suite for free. Comcast also offers a Comcast Toolbar that includes spyware detection and removal, a pop-up ad blocker, antiphishing software, and antispam protection for e-mail.

The company first started notifying customers about the security issues about a year ago, with support representatives calling customers on the phone, Opperman said.

"We learned that customers love it," he said. "We wanted to reach more people and to automate the process."

This appears to be the first service through which a major ISP proactively notifies customers about security issues on their computers. For years, security experts have complained that ISPs are uniquely positioned, and should do more, to help customers combat security problems. But ISPs have been reluctant to assume additional responsibilities that are not central to their core service offering and for which they would then have to maintain a standard, going forward.

"I would hope that the government would do things to encourage this, if you alleviate some of the potential concerns that others may have about giving that kind of notification," said Jerry Upton, executive director of the Messaging Anti-Abuse Working Group. "I think it's the beginning of many ISPs and network providers realizing that customers need a little better knowledge of what the problems are out there."

Alissa Cooper, chief computer scientist for the Center for Democracy and Technology, said the organization welcomes Comcast's initiative.

"ISPs have a helpful role to play in helping subscribers mitigate these kinds of security threats," she said. "The challenge is...when users get these notices, do they understand them? Do they trust that they are real? Do they follow through to the point where they clean up their computers?"

The new service will eventually be rolled out in the rest of the country, replacing the phone calls Comcast has been using to notify customers to security problems, Opperman said.

Asked how many alerts have been sent to customers with Macintosh computers, Opperman said he could not provide a specific number but that there had been some.

Update 12:50 p.m. PDT October 9: Comcast is not the first to proactively monitor and help customers whose computers have been compromised. Qwest has been doing so for two years. Qwest's Customer Internet Protection Program displays a Web page with a warning to customers and offers a way to remove the infection for free before the customer can continue surfing the Web, a Qwest spokeswoman said.

And SBC (before it was part of AT&T) even quarantined customer accounts, George Ou reports on his Digital Society blog. While preventing infected computers from accessing the Internet until they are cleaned is going too far, he said, displaying warnings that could be faked by scammers might not be the answer either. Ou suggests a standardized "out-of-band notification mechanism that doesn't rely on the Web browser and can only be triggered by authorized entities," combined with remote management tools for automatic cleanup.

Originally posted at InSecurity Complex
August 14, 2009 12:10 PM PDT

Security firms discover botnet on Twitter

by Caroline McCarthy
  • 5 comments

A Twitter account can be used as the command center for harnessing a "botnet" of virus-infected computers, security firms Arbor Networks and Symantec reported. In a blog post Friday, Symantec analyst Peter Coogan wrote that researchers found an account, @upd4t3, which was tweeting out links to download a piece of malware called Downloader.Sninfs. The account has since been suspended by Twitter.

Downloader.Sninfs, also known as Infostealer.Bancos, is a Trojan that uses the guise of a Brazilian banking site to collect passwords and related personal information from infected computers.

Security on Twitter is front and center right now, as the microblogging site was completely downed by a distributed denial-of-service attack last week that was targeting a Georgian political blogger. While other services like Facebook and the Google-owned Blogger were also hit by the attack, Twitter was the only one to suffer a full-out, hours-long outage, and it called into question just how secure the service really is.

But in this case, the Twittering botnet doesn't necessarily highlight a vulnerability that would be unique to Twitter.

"Although Twitter.com has been used in this instance, there are plenty of alternative sites on the Internet that could also be used as a similar medium of communication," Coogan wrote.

This post was updated at 1:05 p.m. PDT to note that Arbor Networks also reported the Twitter-based botnet.

Originally posted at The Social
July 29, 2009 11:02 AM PDT

Report: Spam and malware at all-time highs

by Lance Whitney
  • 15 comments

Spam and botnets have hit their highest levels ever, according to McAfee's second-quarter Threats Report, released Wednesday. McAfee's Avert Labs says spam recorded in the second quarter shot up 80 percent compared with the first quarter of the year.

This follows a brief reprieve from spam following last year's shutdown of the McColo ISP. June alone saw the largest amount of spam recorded by McAfee, surpassing the previous monthly high in October by more than 20 percent. McAfee now estimates that spam accounts for 92 percent of all e-mail.

By country, the amount of worldwide spam originating from the United States has dropped steadily over the past three quarters, but the U.S. still leads in spam production at 25.5 percent of the global market. Brazil, Turkey, India, and Poland have also seen sizable increases at producing spam.

Zombies and botnets are on the rise, said the report, indicating that more computers are being hijacked to send spam and malware. McAfee recorded almost 14 million new zombies in action over the second quarter, a rise of more than 150,000 new zombies each day, another record.

Zombies and botnets can thank all the unprotected home computers, notes McAfee. More home users are setting up their PCs as remote access machines and as Web hosts, leaving those PCs increasingly vulnerable.

Another major threat reported by McAfee is AutoRun malware, which is triggered automatically when a person plugs in a USB stick, memory card, or other external device. The Trojans PWS-OnlineGames and PWS-Gamania and two viruses named W32/Sality and W32/Virut have propagated through removable cards and drives.

McAfee said it uncovered AutoRun malware in more than 27 million infected files during one 30-day period alone this past quarter, earning it the No. 1 spot of all malware detected worldwide.

"The jump in bot and spam activity we saw in the last three months is alarming, and the threat from AutoRun malware continues to grow," said Mike Gallagher, senior vice president and chief technology officer of McAfee Avert Labs.

Social-networking sites are another popular target for cybercriminals, noted the report. The openness of social networks often puts them at risk.

On Facebook, people freely access different applications that require a username and password, so those apps can easily tap into their accounts. McAfee also saw an increase this past quarter in the "popular" Facebook malware Koobface.

Twitter too has seen its share of threats. In April, the site was hit by a JavaScript worm that exploited a hole to infect user profiles. The same month, a French hacker was able to gain access to the account of a Twitter product director.

The use of sites like TinyURL by tweeters to shorten a lengthy URL can also pose a problem, said McAfee. Users have no idea what Web site the TinyURL redirects to until it actually opens.

McAfee releases its Threats Report each quarter. The first-quarter report was published in May.

July 1, 2009 6:35 AM PDT

Botnets lead the way for spam

by Vivian Yeo

Spam made up 90.4 percent of all e-mail traffic in June, with botnets accounting for the vast majority of those unsolicited messages, according to a new report from Symantec's MessageLabs.

Spam sent out from botnets, or networks of zombie PCs, made up 83.2 percent of unsolicited e-mail messages this month, MessageLabs said Tuesday in a statement. In May, 57.6 percent of spam was sent from known botnets, with Donbot responsible for 18.2 percent of these messages.

According to the messaging security company, the biggest botnet currently is Cutwail, which has doubled in size and output per bot since March. At its peak, Cutwail had an army of 1.5 million to 2 million active bots, but the shutdown of Californian ISP Pricewert earlier this month led to several hours of downtime for the botnet.

Cutwail, however, bounced back within hours, noted MessageLabs. It currently has an output of around one-third of its original capacity. Other major botnets include Rustock, Grum, Donbot, Bagle, Xarvester, Mega-D, Gheg, Asprox, and Darkmailer.

Also in June, there were an average of 1,919 new Web sites per day harboring malware and other potentially unwanted programs including spyware and adware. This represented an increase of 67 percent over May.

Over half, or 58.8 percent, of all Web-based malware that MessageLabs intercepted during the month was new, a month-on-month increase of 24.6 percent.

Data from MessageLabs also shows that more hyperlinks in instant messaging conversations are stepping stones to "instant malware."

In June, 1 in 78 hyperlinks found in instant messages linked to Web sites hosting malicious content, compared with 1 in 200 at the end of 2008. The hidden malware typically tries to perform a drive-by attack on a vulnerable Web browser or browser plug-in, said the company.

One in 80 IM users, predicted MessageLabs, may receive a malicious instant message each month.

Vivian Yeo of ZDNet Asia reported from Singapore.

June 17, 2009 3:10 PM PDT

'Golden Cash' botnet-leasing network uncovered

by Elinor Mills
  • 10 comments

Home page of the Golden Cash network.

(Credit: Finjan)

Researchers at security firm Finjan said on Wednesday that they have uncovered an underground botnet-leasing network where cyber criminals can pay $5 to $100 to install malware on 1,000 PCs for things like stealing data and sending spam.

The Golden Cash network, dubbed "Your money-making machine" on its home page, sells access to botnets comprised of thousands of compromised PCs to cyber criminals for custom malware spreading jobs, according to issue 2 of the Cybercrime Intelligence Report for 2009.

Here's how it works: a cyber criminal creates a botnet by hiding malicious code in a legitimate Web site that is used to turn Web surfing PCs into zombies. The code, typically an iFrame, points the PCs to a separate Web site where they are then infected with a Trojan backdoor that reports back to the Golden Cash command and control server.

In order to increase the number of botnets, the Golden Cash server installs an FTP (file transfer protocol) grabber on new zombies to steal credentials used by the computers to run Web sites, giving the server control over additional legitimate Web sites. Approximately 100,000 domains, including corporate domains from around the world, were identified among the stolen FTP credentials under Golden Cash's control, according to the report.
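The entry point in that chain is an iframe injected into a legitimate page, and a site owner whose FTP credentials may have been stolen can check for it. The scanner below is an added example, not Finjan's code: the sample page, its host name and the flagging rules (an off-site frame that is hidden or 1x1) are assumptions.

```python
"""Flag injected iframes of the kind the Golden Cash report describes.

Constructed example (not Finjan's code): the sample page, the site host
and the heuristics are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: two visible embeds (one on-site, one off-site) plus two
# injected frames, one hidden with CSS and one sized to a single pixel.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="/player/embed.html" width="640" height="360"></iframe>
<iframe src="http://video.example.org/clip/42" width="480" height="270"></iframe>
<iframe src="http://203.0.113.9/in.cgi?5" style="display:none"></iframe>
<iframe src="http://bad.example.net/x.php" width="1" height="1" frameborder="0"></iframe>
</body></html>"""
SITE_HOST = "www.example.com"


class IframeCollector(HTMLParser):
    """Collect the attribute dictionaries of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dim(value):
    """Parse '480' or '480px' into an int; None when absent or non-numeric."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return int(m.group(1)) if m else None


def is_suspicious(attrs, site_host):
    """An iframe is suspicious when it points off-site AND is hidden or tiny."""
    src = attrs.get("src", "")
    host = urlparse(src).hostname or site_host   # relative src stays on-site
    external = host != site_host
    style = attrs.get("style", "").replace(" ", "").lower()
    hidden = ("display:none" in style or "visibility:hidden" in style
              or re.search(r"(left|top):-\d{3,}", style) is not None)
    w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
    tiny = w is not None and h is not None and w <= 1 and h <= 1
    return external and (hidden or tiny)


def find_injected_iframes(html, site_host):
    """Return the attribute dicts of iframes that look injected."""
    parser = IframeCollector()
    parser.feed(html)
    return [f for f in parser.iframes if is_suspicious(f, site_host)]


if __name__ == "__main__":
    for frame in find_injected_iframes(SAMPLE_PAGE, SITE_HOST):
        print("suspicious iframe ->", frame.get("src"))
```

Visible off-site embeds (video players, ad units) are deliberately not flagged; the signal is the combination of an external destination with an attempt to keep the frame out of sight.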

Customers pay for the ability to install different types of malware on the Golden Cash bots, which are recycled for new jobs and new customers afterward. Prices are higher for compromised PCs in western countries, the report said.

"This advanced trading platform marks a new milestone in the cybercrime evolution," Finjan said in a statement.

More technical analysis is available on Finjan's Malicious Code Research Center blog, including the fact that the command and control server is hosted in Texas, the registrant country is China and the "proxy" Web site that tunnels traffic to the command and control server is hosted in Krasnodar, Russia.

June 12, 2009 10:12 AM PDT

The botnet threat in China's censorship software

by Tom Espiner
  • 13 comments

Experts have warned of serious security flaws in the Chinese government's censorship software, which could open the door to hackers creating huge botnets.

Programming errors in the Green Dam Youth Escort software, which the Chinese Ministry of Industry and Information Technology said Tuesday must be preinstalled on all new computers in the country, are at the root of the flaws, according to experts from the University of Michigan.

Green Dam warning notice

This message pops up on PCs when the Green Dam software spots banned phrases.

(Credit: University of Michigan)

"Once Green Dam is installed, any website the user visits can exploit these problems to take control of the computer," wrote the university's researchers. "This could allow malicious sites to steal private data, send spam, or enlist the computer in a botnet." The warning came in a paper published Thursday by researchers Scott Wolchok, Randy Yao, and J. Alex Halderman.

The Green Dam software filters content by blocking URLs and Web site images and by monitoring text in other applications. The filtering blacklists include both political and adult content.

The researchers said that after only one day of testing Green Dam, they discovered programming errors in the code used to process Web site requests. These would result in buffer overrun conditions on all computers running the software, they said.

"The code processes URLs with a fixed-length buffer, and a specially crafted URL can overrun this buffer and corrupt the execution stack," said the researchers. "Any website the user visits can redirect the browser to a page with a malicious URL and take control of the computer."

The researchers built a proof-of-concept program to demonstrate the flaw and said it would crash any computer running Green Dam.

In addition, Green Dam can be used to install any other program on a computer, via a blacklist vulnerability. This problem would allow Green Dam's makers, or a third party impersonating them, to execute arbitrary code and install malicious software on the user's computer, after installing a filter update.

Chinese government news agency Xinhua reported that Jinhui Computer System Engineering, which developed Green Dam, had said the software was not spyware. "Our software is simply not capable of spying on Internet users, it is only a filter," Jinhui is quoted as saying.

The Xinhua article did not address whether the filter itself could be used to upload spyware.

The University of Michigan researchers recommended that anybody running Green Dam uninstall the software immediately. However, according to a translation of feedback on Jinhui's user forum, teachers and educational establishments have no choice but to use the software.

"Let me say something here," wrote one teacher. "We were forced to install the software. So I have to come to this website and curse. After we installed the software, many normal websites are banned."

Currently, Green Dam is only optimized for Microsoft's Internet Explorer browser, according to leaked technical specifications posted on the Wikileaks website.

Tom Espiner of ZDNet UK reported from London.

June 11, 2009 7:13 PM PDT

Look Ma, I created a botnet!

by Elinor Mills
  • 58 comments

The abstract concepts of "botnet" and "Trojan" just became a lot more concrete for me.

In less than an hour on Thursday, I was able to use programs readily available on the Internet underground for as little as $300 to infect several Windows clients and take complete control of them in a test environment.

In contrast to the real world, the McAfee Malware Experience event, which was akin to a Malware 101 class (or, in my case, Malware for Dummies), served up printed step-by-step instructions for us nonhacker journalists. But McAfee researchers said the programs used--real samples of malicious code from the wild--were not particularly sophisticated and any script kiddie could manage them easily.

First, I used a tool to infect a PC with a Sub Seven Trojan. With a few clicks it was on the client and I had remote access to everything on that machine via a so-called "back door." A management console provided an easy-to-use interface, including drop-down menus with names like "Fun Manager."

Feeling mischievous I used the "flip screen" feature so that everything on the victim's PC was upside down and I changed the colors for the desktop and background to Hello Kitty hues of pink and orange. If I wanted to be nastier I could have directed the victim's browser to a URL of my choosing, turned on the client's Web cam, taken control of a chat session, printed out obscenities on the networked printer, or hidden the desktop or mouse from sight.

McAfee didn't let us save screen shots so I found this one on the Internet. It shows the interface of the Sub Seven Trojan and the "fun" things that can be done to a victim's computer with it.

(Credit: All-Interenet-Security.com)

I tested out the keystroke logger and found it to be particularly empowering and scary. It was thrilling to have so much control at my fingertips. It felt a bit like the electronic equivalent to pranks we did as kids, such as shorting the sheets and drawing on someone while the victim was sleeping. But these digital shenanigans have much more dire consequences.

Next up was creating a botnet, which would give me control over multiple zombies to do things like shut Web sites down with a denial of service attack and blanket e-mail inboxes with spam. I infected the two clients with the bot software and then created a command-and-control center on an IRC room. I then ordered up the system information from the bots, scanned their ports, and downloaded a malicious file onto the computers, as well as a keystroke logger. As they say in hacker lingo, I "pwned" the machines.

Finally, I used a program called "Shark" (also known as "Backdoor-DKG") to create a Trojan and install it on the victim clients by sending it through a Microsoft Outlook e-mail. Using a spreadsheet interface, I was able to set the functions of the Trojan, activate a keystroke logger and could have disabled antivirus software or set it to shut the system down based on certain conditions.

Following the tutorial, McAfee provided some bleak statistics to put my actions into perspective. For instance, the company's Avert Labs sees more than 400,000 new zombies a day, 4,000 new pieces of malware a day and 1.5 million malicious sites a month. There were 1.5 million pieces of unique malware last year and McAfee predicts that number will rise to 2.4 million this year.

The numbers aren't all that surprising to me now that I've seen firsthand how easy the malware is to create and use. All in all, I'd say it was a very sobering experience.

June 9, 2009 9:00 AM PDT

Report: Spam reduced following Pricewert shutdown

by Dong Ngo
  • 22 comments

Cutwail's spam activities on Thursday as Pricewert got shut down.

(Credit: MessageLabs)

It's been almost a week since the Federal Trade Commission had the allegedly rogue Pricewert ISP shut down, and it seems like the Internet has indeed been a safer, or I should say slightly less dangerous, place.

The FTC charged that Pricewert's distribution of illegal, malicious, and harmful content and deployment of botnets that compromised thousands of computers caused substantial consumer injury and was an unfair practice, in violation of federal law.

According to Symantec, the Cutwail botnet--one of the most notorious botnets, accounting for up to 35 percent of all spam in May across the globe--experienced a major blow to its track record after the shutdown late Thursday of Internet service provider Pricewert.

Another botnet Pricewert is allegedly involved with is Pushdo, which was also reportedly affected. Both Pushdo and Cutwail reportedly used 3FN, one of the names Pricewert did business under, for their botnet control servers.

According to the data released Monday by TRACElabs, the overall spam volume index has been reduced by 15 percent since Thursday. However, the day-by-day number has gradually increased.

This means a couple of things.

First, either the timing of these changes was a coincidence or Pricewert was indeed involved in this nasty business. It's important to note that the company has not yet been convicted of any wrongdoings. The first court hearing is scheduled for June 15.

Second, it's likely that the spammers will soon recover from this heavy blow as many similar companies are based outside of the U.S., where the anti-spam laws are not strictly enforced.

Nonetheless this for now looks like an apparent victory for the authorities and for all the Internet users. In terms of its long-term impact on spam, Symantec's MessageLabs Senior Anti-Spam Technologist Matt Sergeant told CNET News: "For now, we will see spam levels lower than usual, but we expected the swift comeback of Cutwail. The spammers learned that they can't put all their eggs in one basket and need to have backup command and control."

It's indeed wait and see, but so far I personally have received less spam in the last few days. How about you? Share your thoughts about this case and your recent spam experience, in the comment area below.

June 4, 2009 5:00 PM PDT

Federal Trade Commission shuts down rogue ISP

by Dong Ngo
  • 15 comments

3FN's Web site before it was taken down.

(Credit: Mhvt)

The Internet might just have gotten a little safer.

The Federal Trade Commission announced Thursday that it had Pricewert shut down by the U.S. District Court for the Northern District of California, San Jose Division.

Pricewert is a San Jose, Calif.-based Internet service provider that allegedly recruits criminals and intentionally and actively participates in the distribution of spam, child pornography, and other harmful electronic content.

Generally, the commission files a complaint when it has "reason to believe" that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest.

The court issued a temporary restraining order to prohibit Pricewert's illegal activities and required its upstream Internet providers and data centers to cease providing services. Pricewert is now completely off the Internet. The order also freezes Pricewert's assets.

According to the FTC's complaint, Pricewert, which does business under a variety of names including 3FN and APS Telecom, recruits and colludes with criminals seeking to distribute illegal, malicious, and harmful electronic content over the Internet. The content reportedly includes child pornography, spyware, viruses, Trojan horses, phishing, botnet command and control servers, and pornography featuring violence, bestiality, and incest.

Spam is one of the biggest online nuisances.

(Credit: Jackmedia)

Pricewert allegedly advertised its services via a forum established to facilitate communication between criminals. In addition, the company shielded its criminal clientele by either ignoring take-down requests issued by the online security community, or shifting its criminal elements to other Internet protocol addresses it controlled to evade detection, according to the FTC.

The FTC also alleges that Pricewert engaged in the deployment and operation of botnets--large networks of computers that have been compromised. Transcripts of instant-message logs filed with the district court show Pricewert's senior employees discussing the configuration of botnets with "bot herders."

In its filings with the district court, the FTC estimates that more than 4,500 malicious software programs are controlled by command-and-control servers hosted by 3FN. This malware includes programs capable of keystroke logging, password and data stealing, programs with hidden backdoor remote control activity, and programs involved in spam distribution.

This case was brought to light with the assistance of multiple agencies and people including NASA's Office of Inspector General; the Department of Justice's Computer Crime Division; Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham; the National Center for Missing and Exploited Children; the Shadowserver Foundation; the Spamhaus Project; and Symantec.

Talking to CNET News, Vincent Weafer, vice president of Symantec Security Response, said that this crackdown, more than anything, sent a message to the bad guys that now corporations and law enforcement are more willing to work together to fight illegal online activities.

In regard to how much safer this would make the Internet, Weafer said it would take time to find out, but it likely won't change much in terms of how much spam you'll receive a day, as there are many other companies like Pricewert around the world. Symantec has been working closely with law enforcement by providing intelligence via its 240,000 Internet activity sensors located in 200 countries around the world.

The court will hold a preliminary injunction hearing on June 15.

May 21, 2009 12:12 PM PDT

Kaspersky impressed by botnet slickness

by Liam Tung
  • 9 comments

Cybercrime fighter Eugene Kaspersky can't help but be impressed by the slick operations behind the Conficker botnet, and says that it could have been worse had the botnet been after more than just money.

"They are high-end engineers who write code in a good way," Kaspersky told ZDNet.com.au Wednesday. "They use cryptographic systems in the right way, they don't make mistakes--they are really professional."

Kaspersky says he's "60 percent certain" that Conficker is being controlled from the Ukraine, but can't be certain. And while the threat posed by Conficker seems serious enough, Kaspersky says, "It could be worse. We are lucky they are just cybercriminals looking to make money and not worse than that."

The unknown threat posed by Conficker, which hit 10 million Windows machines prior to the suspected D-Day of April 1, prompted a coordinated response. Kaspersky, Symantec, Microsoft, the Internet Corporation for Assigned Names and Numbers (ICANN), and the Federal Bureau of Investigation's Cyber Division, among others, began a campaign to frustrate Conficker's attempt to download a software update.

One reason for ICANN's involvement, according to its CEO and president Paul Twomey, was that Conficker was targeting the Internet's Domain Name Service layer, which is equivalent to the address book of the Internet.

During a keynote delivered at the AusCERT 2009 conference held on the Gold Coast this week, Twomey noted the change in tack by botnet operators. "The application layer has typically been used as the attack vector, but we are beginning to see the DNS resolution used as the command and control," said Twomey.

Conficker is the current darling of the Internet's dark side, preceded by others such as Storm, and spam-machine McColo. But all botnets maintain an edge over their various opponents: they are centrally controlled, "located" potentially anywhere, generally don't rely on third-parties, and are free of regulations.

Botnet operators in Russia, however, have started to cooperate with each other, according to Dmitry Levashev and Ruslan Stoyanov, network security experts from Russian ISP RTComm.ru. At the AusCERT 2009 conference, via a translator, the two gave a sobering account of what lies ahead for Australia in the next three years.

"The different botnets work in cooperation. One would say, 'I'm just a bot herder, I don't care about money laundering.' Or 'I do fraud, we just do our own task.' So, one is doing spam, like advertising services, and another is doing money laundering. It's like a manufacturing business," they said.

Indeed, such cooperation appears to have occurred when Conficker adopted the Waledac virus, previously used by the Storm botnet as a mechanism to self-propagate.

Meanwhile, the group working to frustrate Conficker's attempt to complete a software upgrade on April Fools' Day fought to coordinate themselves. While ICANN was responsible for coordinating Top Level Domains, Microsoft pushed out patches to non-pirated versions of Windows.

Kaspersky says of his company's role that they had found Conficker was using an algorithm to generate random URLs that it would target in order to download updates to its malware.

"The worm used an algorithm which generated a list of domains. Every day it produced a new list. It looked for these URLs, and if they were online, the worm was designed to download upgrades from the URL. The initial version of the 10 million machine botnet would just wait and download. That's why we were really scared on April Fools' Day. We didn't know what was going to happen."

The group was able to exploit that algorithm and second guess the URLs that would be targeted, and block requests to those URLs. But, says Kaspersky, it was only partially successful.

"We blocked all the URL names which the worm was going to generate. It's an algorithm, so we generated all these URLs and registered these domain names, except ones which were already owned by someone. And because of that--the domain names not owned by those in this process--the Conficker authors managed to take control of one of these domains and upgraded the worm. That was scary," he said.
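Kaspersky's account is the defender's side of a domain generation algorithm: once the generator is reverse-engineered, the group can compute each day's list in advance, register what is still free, and see exactly which names are already owned by someone and so cannot be sinkholed. The code below is an added example, not Kaspersky's or the working group's: the generator is a hypothetical stand-in for the real Conficker algorithm (which is not on this page), and the registry snapshot is an invented set.

```python
"""Pre-computing and sinkholing a DGA's daily domain list, as in the
Conficker response described above.

Constructed example: the generator is a toy stand-in for the real Conficker
algorithm, and the 'registered' set is invented.
"""
import hashlib
from datetime import date, timedelta

TLDS = ["com", "net", "org", "info", "biz"]   # assumed TLD set for the toy DGA
DOMAINS_PER_DAY = 250                          # assumed list size
SEED = b"toy-dga"                              # assumed constant baked into the sample


def generate_domains(day, count=DOMAINS_PER_DAY):
    """Deterministic per-day list: anyone holding the algorithm gets the same names."""
    out = []
    for i in range(count):
        material = SEED + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 5                      # 8..12 character labels
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        out.append(f"{label}.{TLDS[digest[31] % len(TLDS)]}")
    return out


def plan_sinkhole(first_day, registered, days_ahead=1):
    """Split the coming days' names into ones the group can register itself and
    ones someone already owns (the gap the bot authors used to push an update)."""
    to_register, already_taken = [], []
    for offset in range(days_ahead):
        for name in generate_domains(first_day + timedelta(days=offset)):
            (already_taken if name in registered else to_register).append(name)
    return to_register, already_taken


def is_dga_domain(name, today, window=1):
    """Resolver-side check: does this query match a list within +/- window days?
    (Bots with a skewed clock can be a day off, hence the window.)"""
    for offset in range(-window, window + 1):
        if name in set(generate_domains(today + timedelta(days=offset))):
            return True
    return False


if __name__ == "__main__":
    day = date(2009, 4, 1)
    # Constructed registry snapshot: pretend two of tomorrow's names are already owned.
    snapshot = set(generate_domains(day)[:2])
    free, taken = plan_sinkhole(day, snapshot)
    print(f"{len(free)} names to register, {len(taken)} already owned: {taken}")
```

The "already owned" list is the one to escalate: those names cannot be pre-registered, so they need blocking at resolvers or cooperation from whoever holds them.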

ICANN's Twomey insisted the group's efforts against Conficker proved that key Internet players, such as Top Level Domain registrants, are capable of coordinating a response to such threats. Still, the Conficker response was the exception and not the rule.

It wasn't the first time a botnet operator has attempted to compromise DNS servers to magnify its capacity to add to its army.

At an ICANN conference held in Mexico in March this year, Rod Rasmussen, chief technology officer of phishing take-down firm Internet Identity, showed evidence of a recent nine-hour attack on CheckFree, an online bill payment provider to 22 U.S. financial institutions, which resulted in a two-day shut-down of affected online services and an estimated 10,000 infections over 48 hours.

"Somebody came in and took over CheckFree's domain name portfolio at their registrar. They changed the DNS servers for those domains and pointed...basically every host name that would resolve under their domain names to a malware server that was in the Ukraine. Anybody who tried to go to CheckFree.com or any of their other domain names was redirected, instead, to a malware server and was exposed to getting a malware download on their computer," Rasmussen said.

In a similar vein to the attack on CheckFree, hackers targeted MelbourneIT's New Zealand subsidiary, Domainz. The hackers, who appeared to be politically motivated, defaced Coca-Cola, Microsoft, Xerox, and F-Secure's Web sites by injecting name server records for the domains in question by compromising Domainz' infrastructure. It didn't knock out critical national infrastructure, but it was able to take down several large companies' websites for a few days.

Kaspersky says, "It's a major example of their Internet weapon, because the bad guys can use a botnet this size, not just for commercial interests, but other interest also."

He insists, "I don't admire them" yet there is an undeniable sense of respect he conveys.

Originally published at ZDNet Australia.
