There's a new botnet in town, and this one has the potential to trump Conficker, says security firm Netwitness, which discovered the botnet. According to Netwitness, the Kneber botnet has already infected more than 74,000 machines worldwide.
Netwitness describes Kneber as a ZeuS Trojan botnet, and more than half of the systems infected also have the Waledac Trojan, the same worm that was used to create email spam botnets associated with Conficker. But unlike Conficker, whose dastardly deeds have yet to be revealed, Netwitness says Kneber has been designed to target and steal login credentials and other private information.
Kneber has been found in 196 countries so far, but is most prominent in Egypt, Mexico, Saudi Arabia, Turkey, and the U.S. It targets Windows machines, most of which include Windows XP Professional SP2, and most of which reside in corporate and government infrastructures.
According to Netwitness, Kneber has nabbed some 68,000 login credentials in the past 4 weeks.
It didn't take long for hackers to take advantage of a potentially dangerous exploit affecting jailbroken iPhones. The vulnerability first gained notoriety earlier this month when a hacker from the Netherlands took control of modified iPhones and sent the owners an SMS requesting a fee for instructions on how to protect their device. He later backed down and posted the fix for free, but by then, the cat was out of the bag.
Fast forward a few weeks and we now have the first malicious worm making the rounds on jailbroken iPhones and iPod touch devices. According to reports, the worm uses command-and-control like a traditional PC botnet. It configures two startup scripts, one of which is used to execute the malicious worm during boot, and the other to make a connection to a Lithuanian server in order to upload stolen data and hand over control to the bot master.
The worm works by changing the root password from the default of "alpine" that Apple put in place in the factory firmware. It attacks IP ranges from a wider range of ISPs, including UPC, Optus, and T-Mobile.
The recommended fix is to restore jailbroken iPhones to the current Apple-supplied firmware.
Trend Micro has issued a warning that the Koobface botnet has begun pushing out a new component capable of automatically registering a Facebook account and confirming an email address in Gmail to activate the fake persona. Once Koobface becomes part of the social network's community, it begins randomly joining Facebook groups, adding friends, and posting messages to people's walls.
"Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook," says Trend Micro. "All Facebook accounts registered by this component are comparable to a regular account made by a human. The details provided about the account are complete such as a photo, birth date, favorite music, and favorite books, among others. In addition, every account registered is unique in such a way that the details vary for every account registered."
That's pretty wild, and it's done using Internet Explorer to create and register the account, according to Trend Micro. But what's interesting is that the Koobface botnet halts its dastardly deed if the affected user is kicking it old school with IE6.
So how do you avoid being duped by a fake friend? You could become a loner, but that might get, well, lonely. Common sense applies - be sure you know who it is you're adding. And as usual, be wary of clicking on links. Trend Micro says the messages posted through Facebook's wall contain a link that leads to the fake Facebook or YouTube page hosting the Koobface loader component.
Security firm FireEye has reportedly struck a massive blow against spam. The so-called “Mega-D” or “Ozdok” spam botnet was effectively dismantled by these intrepid security researchers. After studying the beast, FireEye launched an attack by notifying ISPs, having command and control (CnC) domains removed, and then registering unused CnC domains.
Almost immediately, the spam ceased. No small feat, considering Ozdok was probably responsible for one third of the world’s spam. This takes the load off ISPs which were forced to filter the spam from this botnet. Individual users probably won’t notice much difference.
FireEye found that over 246,000 zombie machines were reporting to the CnC domains in their possession after the takedown. The security firm plans to work with ISPs to identify the owners of the PCs so they may remove the malicious software.
Human ingenuity is endlessly fascinating. Offer a guy a penny to do a task, and he’ll turn you down, no matter how simple. But give him a computer and let him write some code that will do it automatically, and he’ll take you to the cleaners.
Botnets, those pesky little creatures that perform automatic tasks, are not only becoming more commonplace, they are becoming more sophisticated. These nasty little beasties are now being used in ever more cunning ways to suck income out of unsuspecting advertisers and search engines through click fraud. According to Click Forensics, botnets accounted for 42.6% of all click fraud in the 3rd quarter of 2009--a near double increase over the same period in 2008.
You have to admire the ingenuity. One botnet, “Bahama,” carefully mimics natural searches to make them look real, and hence harder to detect. The botnet’s name comes from it redirecting traffic through some 200,000 parked domains in the Bahamas. Ultimately, the origins of the botnet were traced to the Ukrainian Fan Club, known as “online fraudsters,” and most likely comprised of guys hygienically unable to date.
Most botnet activity comes from outside the United States: the United Kingdom, Vietnam, and Germany being the top three. Germany and Vietnam I can understand, but the United Kingdom? I’ve been there. They aren’t that clever. They put a lemon wedge in a Corona.
Scientists at Sandia National Laboratories in Livermore have set up a supercomputing cluster of over 1 million Linux kernels as virtual machines. They did so in hopes of better understanding how botnets operate.
"The sheer size of the Internet makes it very difficult to understand in even a limited way," said Ron Minnich, one of the researchers. "Many phenomena occurring on the Internet are poorly understood, because we lack the ability to model it adequately. By running actual operating system instances to represent nodes on the Internet, we will be able not just to simulate the functioning of the Internet at the network level, but to emulate Internet functionality."
Making the project possible, Sandia utilized its Albuquerque-based 4,480-node Dell high-performance computer cluster, known as Thunderbird. It took 250 virtual machines coupled with the physical units in Thunderbird to run the over one million Linux kernels. And this is just the beginning.
"It has been estimated that we will need 100 million CPUs by 2018 in order to build a computer that will run at the speeds we want," said Minnich.
You knew it would happen sooner or later; we're just a little surprised it took this long for hackers to release a botnet running on mobile phones. According to Symantec, a piece of malicious software called Sexy Space may be the first documented case.
Like most botnets, Sexy Space relies on quite a bit of user interaction to be effective. Those who ultimately become a zombie in the botnet first receive a text message saying "A very sexy girl, Try it now!" Inside the message is a link that must be clicked, which then asks the potential victim to download software. The software then scours through the user's contact list and sends an SMS with the same message to each person.
Symantec says that this particular botnet is being controlled by a central server, but it remains unclear whether or not the phones respond to remote commands.
We're undoubtedly preaching to the choir on this one, but be wary of any rogue text messages, especially when they ask you to click a link and download software.