

According to experts, millions of servers run software vulnerable to the Shellshock bug, which lets attackers run commands on those systems.

Up to now, a series of attacks on websites and servers exploiting the serious Shellshock bug has been spotted.

So far, thousands of servers have been compromised via Shellshock and some have been used to bombard web firms with data, said experts.

The number of attacks and compromises was likely to grow as the code used to exploit the bug was shared.

The Shellshock bug (CVE-2014-6271) was discovered in Bash, the command shell used on Unix and on many Unix-like systems, including Linux and Apple's OS X. Bash would execute commands appended to a function definition that it imported from an environment variable, so any service that copied attacker-supplied data into the environment before invoking a shell, such as a web server running CGI scripts, could be made to run those commands.

Apple said it was working on a fix for its operating system and added that most users would not be at risk from Shellshock.


Attackers have been spotted creating networks of compromised machines, known as botnets, that were then put to other uses.

One group used their Shellshock botnet to bombard machines run by Akamai with huge amounts of junk data to try to knock them offline. Another group used its botnet to scan for more machines that are vulnerable.

Evidence of the scanning and attacks came from honeypots run by security companies: systems deliberately set up to look vulnerable so that they record the tools and behaviour of anyone who attacks them.

The US and Canada are believed to have issued alerts and told technology staff to patch systems as quickly as possible. Amazon, Google, Akamai and many other tech firms have also issued advisories to customers about the bug.

As well as software patches for vulnerable systems, security firms and researchers are also producing signatures and filter lists to help spot attacks based around it.
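As an added illustration, not code from the original report or from any of the firms mentioned, the Python below shows the kind of signature those filter lists contain. It flags the Bash function-definition marker that Shellshock probes smuggle into HTTP headers, runs that check over a few log lines constructed for the example (the IP addresses and requests are made up), and performs the widely published local test against the machine's own bash. The log format and field names are assumptions of the example.

```python
import re
import subprocess

# A Shellshock probe places a Bash function definition, "() { ... }", in a value
# that the target copies into an environment variable (User-Agent, Referer, a
# query string) and follows it with the commands it wants an unpatched bash to run.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

def is_shellshock_probe(value: str) -> bool:
    """True if a header or request value carries the Bash function-export pattern."""
    return bool(SHELLSHOCK_RE.search(value))

# Constructed Apache combined-format log lines for the example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo vulnerable"',
    '198.51.100.7 - - [25/Sep/2014:10:01:10 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; /bin/ping -c 1 198.51.100.7" "curl/7.30"',
]

# Assumed combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def scan_log(lines):
    """Return (ip, field, value) for every request line whose referer, user-agent
    or request line carries a Shellshock probe. Lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("ref", "ua", "req"):
            if is_shellshock_probe(m.group(field)):
                hits.append((m.group("ip"), field, m.group(field)))
    return hits

def local_bash_vulnerable(bash="bash"):
    """Run the canonical Shellshock self-test: export a variable whose value is a
    function definition followed by a command, and see whether bash runs the command
    while starting up. Returns True (vulnerable), False (patched) or None (no bash)."""
    env = {"PATH": "/usr/bin:/bin", "x": "() { :; }; echo vulnerable"}
    try:
        out = subprocess.run([bash, "-c", "echo test"], env=env,
                             capture_output=True, text=True, timeout=5)
    except FileNotFoundError:
        return None
    return "vulnerable" in out.stdout

if __name__ == "__main__":
    for ip, field, value in scan_log(SAMPLE_LOG):
        print(f"probe from {ip} in {field}: {value!r}")
    print("local bash:", {True: "VULNERABLE", False: "patched", None: "bash not found"}[local_bash_vulnerable()])
```

The regex is deliberately loose; production signatures in the Akamai and ModSecurity filter lists of the time also looked at the body and at cookie values, because any request field that a CGI handler exports can carry the payload. A "patched" result from the local test only covers the original bug: follow-up bugs in the same parser (CVE-2014-7169 and later) needed further Bash updates, so the version actually installed should be checked against the distribution's advisory as well.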


The FBI and Microsoft have broken up the Citadel botnet, a huge network of hijacked home computers responsible for stealing more than $500 million from bank accounts.

The Citadel network had remotely installed a keylogging program on about five million machines to steal data.

About 1,000 of the 1,400 or so networks that made up the Citadel botnet are believed to have been shut down.

Co-ordinated action in 80 countries by police forces, tech firms and banking bodies helped to disrupt the network.

“The bad guys will feel the punch in the gut,” Richard Boscovich, a spokesman for Microsoft’s digital crimes unit said.

The cybercriminals behind Citadel cashed in by using login and password details for online bank accounts stolen from compromised computers.

This method was used to steal money from customers of a large number of financial institutions, including American Express, Bank of America, PayPal, HSBC, Royal Bank of Canada and Wells Fargo.

Citadel emerged after the source code for a widely used cybercrime kit, called Zeus, was leaked online.


Underground coders banded together to turn that code into a separate cybercrime toolkit that quickly proved popular with many malicious hackers.

In a blogpost detailing its action, Microsoft said Citadel had also grown because malicious code that could take over a PC had been bundled in with pirated versions of Windows.

The millions of PCs in the criminal network were spread around the globe, but were most heavily concentrated in North America, Western Europe, Hong Kong, India and Australia.

Despite the widespread action, which involved seizures of servers that co-ordinated the running of Citadel, the identity of the botnet’s main controller is unknown.

However, Microsoft has started a “John Doe” lawsuit against the anonymous controller, believing him to use the nickname Aquabox and be based in Eastern Europe.

In addition, the FBI is working with Europol and police forces in many other countries to track down and identify the 81 “lieutenants” that helped Aquabox keep Citadel running.

Microsoft has also started action to help people clean up an infected computer.

Typically, it said, machines compromised by Citadel were blocked from getting security updates to ensure those computers stayed part of the botnet.

With the network disrupted, machines should be free to get updates and purge the Citadel malware from their system.

Cyber-thieves who control botnets are attempting to cash in on the rising value of the bitcoin virtual currency by using the machines they control to mine it.

Bitcoins have almost tripled in value in a month. In late February one bitcoin was worth $33 but now each one sells for about $90.

Thieves who run networks of hijacked PCs are increasingly using these machines to create or “mine” the coins.

However, bitcoin miners say thieves will struggle to keep up, as coin-generating technology becomes more sophisticated.


As a virtual currency, bitcoin depends on a peer-to-peer network of computers that keeps a shared ledger of who holds the coins and where they are spent.

That network also records which miner produced each new block of transactions, and it is that miner who receives the newly created coins.

Mining involves repeatedly hashing a candidate block until the result falls below a target set by the network. The chance of finding a valid block is proportional to the hashing power a miner controls, so miners use large numbers of processors to speed up the number crunching involved.
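To make the mining process concrete, here is a small proof-of-work example added to this page; it is not code from any of the people quoted. It uses the same double-SHA-256 construction and 4-byte nonce as bitcoin, but with a toy difficulty and a made-up stand-in for the block header, and it shows why hash rate rather than machine count decides who finds blocks. The header bytes, difficulty and hash-rate figures are assumptions chosen for the example.

```python
import hashlib
import struct

def sha256d(data: bytes) -> bytes:
    """Bitcoin's block hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def target_for(leading_zero_bits: int) -> int:
    """Largest acceptable hash value. Each extra required zero bit halves the
    target and so doubles the expected number of hashes needed."""
    return 1 << (256 - leading_zero_bits)

def mine(header: bytes, leading_zero_bits: int, max_nonce: int = 1 << 32):
    """Try nonces in order until sha256d(header || nonce) < target.
    Returns (nonce, hash_hex) or None if the nonce space is exhausted."""
    target = target_for(leading_zero_bits)
    for nonce in range(max_nonce):
        # 4-byte little-endian nonce appended to the header, as in bitcoin.
        digest = sha256d(header + struct.pack("<I", nonce))
        if int.from_bytes(digest, "big") < target:
            return nonce, digest.hex()
    return None

def verify(header: bytes, nonce: int, leading_zero_bits: int) -> bool:
    """Checking a solution costs one hash, however many hashes it took to find it;
    that asymmetry is what lets the whole network cheaply audit every miner."""
    digest = sha256d(header + struct.pack("<I", nonce))
    return int.from_bytes(digest, "big") < target_for(leading_zero_bits)

def expected_hashes(leading_zero_bits: int) -> int:
    """Average number of hashes a miner must try before one falls below the target."""
    return 1 << leading_zero_bits

def expected_seconds(leading_zero_bits: int, hashes_per_second: float) -> float:
    """Average time to find a block at a given aggregate hash rate."""
    return expected_hashes(leading_zero_bits) / hashes_per_second

# Constructed stand-in for a block header. In bitcoin it is 80 bytes holding the
# version, previous block hash, merkle root, timestamp and encoded difficulty.
SAMPLE_HEADER = b"constructed block header for the toy proof-of-work example"

if __name__ == "__main__":
    bits = 16
    nonce, digest_hex = mine(SAMPLE_HEADER, bits)
    print(f"nonce={nonce} hash={digest_hex} expected_work={expected_hashes(bits)} "
          f"valid={verify(SAMPLE_HEADER, nonce, bits)}")
    # Illustrative figures only: a botnet of a million PCs hashing at a few MH/s each
    # against a handful of purpose-built chips. Whoever has more hashes per second
    # finds blocks more often; the number of machines is irrelevant.
    botnet_rate = 1_000_000 * 5e6
    asic_rate = 10 * 500e9
    print(f"botnet: {expected_seconds(40, botnet_rate):.1f}s per block, "
          f"ASICs: {expected_seconds(40, asic_rate):.1f}s per block")
```

In the real network the target is adjusted every 2016 blocks so that the whole network, whatever its hash rate, finds one block every ten minutes on average; a botnet's share of the reward is therefore its share of total hash rate, which is the point Jeff Garzik and Vitalik Buterin make below about ASICs squeezing it out.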

“Botnet mining is fundamentally theft of private property, illegal and unethical,” said Jeff Garzik, a bitcoin developer, adding that bitcoin miners had battled botnets for years, seeing them as a “cost and a burden” they just had to deal with.

Many cyber-thieves who control botnets, large networks of home PCs compromised with a virus, were using them as a dedicated mining pool in a bid to generate bitcoins for themselves, said Derek Manky, senior security strategist at Fortinet.

The operators of one of the biggest current botnets, known as ZeroAccess, had recently ramped up their efforts to use machines they control to mine bitcoins, he said, adding that millions of infected PCs were unwittingly enrolled in the criminal network.

“ZeroAccess has employed an affiliate model,” he said.

“They pay other people to install malware for them.”

The operators of ZeroAccess were making so much money that they were paying high prices for each infection. Current rates ran at about $100 for every 1,000 infections, said Derek Manky.

As well as mining bitcoins, PCs enrolled in ZeroAccess were also being used to poison search results – to cause users to unwittingly click on booby-trapped web pages – or fraudulently click on adverts to generate revenue.

“ZeroAccess has been extremely profitable,” said Derek Manky.

The wider bitcoin community was aware of the efforts botnet owners were making to produce their own cash, said Derek Manky.

“They try to detect and remove these transactions but it’s a bit of a cat and mouse game,” he said.

“The operators of ZeroAccess know about that and just change their tactics.”

However, said Jeff Garzik, criminal participation in bitcoin mining was likely to get much less profitable as professional miners turned away from using desktop PCs to generate the coins.

Increasingly, he said, professional miners were using custom-made chips, called Asics (Application-Specific Integrated Circuits), built to do nothing but the hashing that mining requires, which makes them far faster per watt than the general-purpose processors in a hijacked PC.

“It is theorized that the current shift in bitcoin mining to Asic miners – the fastest and most advanced generation – will simply make it unprofitable for botnet miners,” said Jeff Garzik.

Vitalik Buterin, technical editor at Bitcoin Magazine, said the rise of Asic mining meant cyber-thieves would soon be pushed out.

Currently only about one-third of all professional miners were using Asics, but as that proportion grew, the number of bitcoins that could be generated with a botnet would shrink, said Vitalik Buterin.

“The fact that botnets are (somewhat) viable now is basically an aberration resulting from the massive price increase that has not yet been matched by increased mining activity,” he said.

“Once Bitcoin stabilizes again the botnets will rapidly crawl back into the shadows.”


Dr. Web, a Russian anti-virus firm, has reported that more than half a million Apple computers have been infected with the Flashback Trojan.

The report claims that about 600,000 Macs have had the malware installed, potentially allowing them to be hijacked and enrolled in a botnet.

Dr. Web says that more than half that number are based in the US.

Apple has released a security update, but users who have not installed the patch remain exposed.

The Flashback Trojan was first detected last September, when anti-virus researchers flagged up software masquerading as a Flash Player update. Once downloaded, it deactivated some of the computer’s security software.

Later versions of the malware exploited vulnerabilities in the Java runtime to install the code from booby-trapped websites without any action by the user, a so-called drive-by download.


Dr. Web said that once the Trojan was installed it sent a message to the intruder’s control server with a unique ID to identify the infected machine.

“By introducing the code criminals are potentially able to control the machine,” said the firm’s chief executive Boris Sharov.

“We stress the word potential as we have never seen any malicious activity since we hijacked the botnet to take it out of criminals’ hands. However, we know people create viruses to get money.

“The largest amounts of bots – based on the IP addresses we identified – are in the US, Canada, UK and Australia, so it appears to have targeted English-speaking people.”

Dr. Web also notes that 274 of the infected computers it detected appeared to be located in Cupertino, California – home to Apple’s headquarters.

Java’s developer, Oracle, issued a fix for the vulnerability on 14 February, but Mac users did not receive it, because at the time Apple shipped and maintained its own Java build for OS X and had not yet updated it.

Apple released its own “security update” on Wednesday – more than eight weeks later. It can be installed by clicking on the software update icon in the computer’s system preferences panel.

The security firm F-Secure has also posted detailed instructions about how to confirm if a machine is infected and how to remove the Trojan.
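An added example, not taken from F-Secure's or Dr. Web's material: the published Flashback checks looked, as far as this editor recalls, at two persistence locations that the malware used to set DYLD_INSERT_LIBRARIES so its library was loaded into the browser: the LSEnvironment entry in Safari's Info.plist and the user's ~/.MacOSX/environment.plist. The Python below reads both files with plistlib and reports any such entry. Treat the exact paths as an assumption of the example and follow F-Secure's instructions for confirmation and removal; the checking logic is separated from file access so it can be run against constructed data on any platform.

```python
import os
import plistlib

# Locations checked for a DYLD_INSERT_LIBRARIES entry. These are assumed from the
# removal instructions published at the time; verify against F-Secure's own page.
SAFARI_INFO_PLIST = "/Applications/Safari.app/Contents/Info.plist"
USER_ENV_PLIST = os.path.expanduser("~/.MacOSX/environment.plist")

def find_dyld_insert(env):
    """Return the DYLD_INSERT_LIBRARIES value from an environment dictionary, or None.
    A legitimate install of Safari has no such entry, so any value is suspicious."""
    if not isinstance(env, dict):
        return None
    value = env.get("DYLD_INSERT_LIBRARIES")
    return value if value else None

def indicators_from_plists(safari_info: dict, user_env: dict) -> dict:
    """Pure check over already-parsed plist dictionaries, so it can be tested offline."""
    return {
        "safari_lsenvironment": find_dyld_insert(safari_info.get("LSEnvironment", {})),
        "user_environment": find_dyld_insert(user_env),
    }

def load_plist(path: str) -> dict:
    """Parse an XML or binary plist; a missing or unreadable file counts as empty."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return {}
    return data if isinstance(data, dict) else {}

def check_flashback_indicators() -> dict:
    """Run the check against the live machine (meaningful only on OS X)."""
    return indicators_from_plists(load_plist(SAFARI_INFO_PLIST), load_plist(USER_ENV_PLIST))

if __name__ == "__main__":
    for name, lib in check_flashback_indicators().items():
        print(f"{name}: {lib if lib else 'clean'}")
```

A non-empty result means a library is being injected into every process launched with that environment, which is how the Trojan hooked the browser; it does not by itself identify which Flashback variant is present, and the Apple security update must still be applied so the Java hole cannot be used to reinstall it.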

Although Apple’s system software limits the actions its computers can take without requesting their users’ permission, some security analysts suggest this latest incident highlights the fact that the machines are not invulnerable.

“People used to say that Apple computers, unlike Windows PCs, can’t ever be infected – but it’s a myth,” said Timur Tsoriev, an analyst at Kaspersky Lab.

Apple could not provide a statement at this time.