White hats bust history’s biggest botnet

Security white hats have coordinated with law enforcement in a five year effort to torpedo a criminal botnet that enslaved some 4 million computers.

Researchers including hostexploit.com’s Jart Armin and others from Team Cymru, Spamhaus, Symantec and Trend Micro joined the FBI, NASA’s Office of Inspector General, Estonian police and the Dutch National Police Agency to gather intelligence on the monster DNS Changer botnet.

The researchers’ work, carried out under the banner of the DNS Changer Working Group, led to the destruction of a sophisticated money-making Estonian business behind the botnet.

Their intelligence gathering predated 2005 and crossed dozens of countries, leading to the arrest of several Estonian business people and the disconnection of more than 100 command and control servers from US data centres.

The botnet consisted of infected machines which had their browser Domain Name System (DNS) settings changed to point to US-based command and control servers operated by a criminal business.

It generated cash by switching web advertisements on victim browsers, hijacking search results and installing malware. The ad revenue alone generated some $14 million in illicit fees.

An anonymous FBI agent described the botnet and the business behind it as having “a level of complexity that we haven’t seen before”.

On November 8, the FBI and Estonian police took down the botnet using evidence supplied by the private industry.

Two data centres were raided in New York and Chicago. An Internet Systems Consortium support officer for BIND was on hand to hot swap the botnet servers on which the 4 million victim machines relied.

“He got on a plane upstate and replaced them with legitimate DNS,” said Trend Micro’s Paul Ferguson, a key coordinator of the effort. This move was required because infected computers that pointed to the DNS servers could otherwise have lost internet connectivity.

“[The new servers] began recording IP addresses of infected machines contacting them.”

Those logs provided a hit list of DNS Changer victims which will be supplied to local telcos, who will contact each infected subscriber to help them reconfigure DNS settings and remove malware. The data will be compiled until the middle of next year under a court-appointed custodial role given to the ISC.

“Fixing DNS settings could be tricky. You can’t just make an application tool for everyone,” Ferguson said.
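The two tasks the article describes, turning the replacement resolvers’ logs into per-ISP victim lists and checking whether a host’s own DNS settings still point at the rogue servers, as an added example that is not the working group’s code. The log line format, the ISP prefix table and the rogue resolver ranges below are constructed placeholders, not the real DNS Changer data.

```python
"""Sinkhole-resolver triage in the style of the DNS Changer takedown.

Constructed example: the log format, the ISP prefix table and the rogue
resolver ranges are placeholders, not the working group's real data.
"""
import ipaddress
import re
from collections import defaultdict

# Placeholder ranges standing in for the rogue resolver addresses the botnet
# pointed victims at (documentation prefixes, not the real ones).
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed allocation table: which ISP is responsible for which prefix.
ISP_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/25"): "isp-a",
    ipaddress.ip_network("203.0.113.128/25"): "isp-b",
}

# Constructed query-log line format of the replacement resolvers:
# "<date> <time> client <ip>#<port>: query: <name> IN <type>"
LOG_RE = re.compile(r"client (?P<ip>\d+(?:\.\d+){3})#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")

SAMPLE_LOG = """\
08-Nov-2011 14:02:11.001 client 203.0.113.10#53211: query: www.example.com IN A
08-Nov-2011 14:02:11.044 client 203.0.113.10#53212: query: example.net IN A
08-Nov-2011 14:02:12.190 client 203.0.113.200#40123: query: mail.example.org IN MX
08-Nov-2011 14:02:13.005 this line is deliberately malformed
08-Nov-2011 14:02:14.777 client 203.0.113.77#51000: query: example.com IN AAAA
08-Nov-2011 14:02:15.002 client 198.18.0.9#51001: query: example.com IN A
"""


def victims_from_log(text):
    """Return the set of distinct client IPs seen querying the sinkhole.

    Every client is a suspected victim: only hosts whose DNS settings were
    changed by the malware would ever talk to these addresses.
    Malformed lines are skipped rather than aborting the run.
    """
    victims = set()
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            victims.add(ipaddress.ip_address(m.group("ip")))
    return victims


def group_by_isp(victims, prefixes=ISP_PREFIXES):
    """Bucket victim IPs by the ISP prefix that contains them ('unknown' if none)."""
    buckets = defaultdict(list)
    for ip in sorted(victims):
        owner = next((isp for net, isp in prefixes.items() if ip in net), "unknown")
        buckets[owner].append(str(ip))
    return dict(buckets)


def resolvers_from_resolv_conf(text):
    """Pull nameserver addresses out of resolv.conf-style text."""
    resolvers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            resolvers.append(ipaddress.ip_address(parts[1]))
    return resolvers


def resolver_is_rogue(ip, ranges=ROGUE_RESOLVER_RANGES):
    """True if a configured resolver falls inside a known-rogue range."""
    return any(ipaddress.ip_address(ip) in net for net in ranges)


def check_host(resolv_conf_text):
    """Return the configured resolvers that sit in rogue ranges (empty list = clean)."""
    return [str(ip) for ip in resolvers_from_resolv_conf(resolv_conf_text) if resolver_is_rogue(ip)]


if __name__ == "__main__":
    print(group_by_isp(victims_from_log(SAMPLE_LOG)))
    print(check_host("nameserver 192.0.2.5\nnameserver 8.8.8.8\n"))
```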

A common danger unites even the bitterest enemies

Online criminals can expect to face a stronger alliance of white hats and law enforcement.

Companies say the crime-fighting effort is unhindered by rivalry. Top researchers at Symantec and Trend Micro – rival companies that fight in an already saturated anti-virus market – say they ignore “marketing stuff” and work together to take down criminals.

Ferguson says they hold regular conference calls and share intelligence over closed community mailing lists.

“There are members of academia, ISPs, law enforcement working on these operations,” he said. “The mailing lists operate 24/7 … I work daily with researchers at Symantec – we leave the marketing out of it and work together because the bad guys do”.

In the lead up to the take down of the DNS Changer botnet, participating white hats held conference calls up to twice a week to ensure that the four million victims of the botnet would not lose internet connection when the DNS servers were pulled.

Ferguson said he aims to meet each of the white hats in person before working on a case: “I like to meet them in person over a beer at a conference … nothing substitutes.”

Symantec’s managing director Craig Scroggie said the industry relied on such cooperation to help protect users who, after all, were their customers.

“It is an established practice,” Scroggie said. “If someone finds malware that another has not seen, they share it.”

He said the agreements were a formal process, adding that the security community has a common interest in combating and sharing information about online crime.

New Trojan Epidemic Hits Mac Users

Mac OS X users have been targeted with a new computer Trojan horse intended to capture systems for launching distributed denial-of-service (DDoS) attacks, as Internet security firm Sophos reported via msnbc.msn on October 26, 2011.

According to Sophos, the newly dubbed malware OSX/Tsunami-A works by embedding itself in the host system and then waiting to receive further instructions from a remote Internet Relay Chat (IRC) channel. Sophos says the Tsunami name comes from its goal of forcing infected computers into a compromised network that launches DDoS attacks, flooding websites with so much traffic that they are unable to function properly.

Commenting on the new Trojan, Graham Cluley, Senior Technology Consultant at Sophos, said it is not just a DDoS tool: as the excerpt of OSX/Tsunami’s source code shows, the script can be given many instructions, and it can also be used to access an infected computer, as reported by tgdaily on October 26, 2011.

How the code ends up on a Mac is less clear. A cyber crook may plant it on the system to access it remotely and launch DDoS attacks, but it is also possible that the victim volunteers to participate in an organized attack on a website.

According to Robert Lipovsky, a Malware Researcher at ESET, Tsunami appears to be derived from an old backdoor Trojan dating back to 2002 that was designed to infect Linux systems, as reported by eweek on October 27, 2011.

ESET also highlighted that the Trojan appears to be evolving quickly, as evidenced by a new instance being discovered as early as October 27, 2011.

Security experts expect to see cyber criminals target unprotected Mac computers in the future as well.

Finally, 2011 has been a milestone year for Mac malware. A hugely successful Mac-based malware outbreak came to the fore in May 2011, and security researchers have also noticed a large increase in the spread of Mac malware.

World’s Most Sophisticated Rootkit Is Being Overhauled

Experts from security vendor ESET warn that TDL4, one of the most sophisticated pieces of malware in the world, is being rewritten and improved for increased resilience to antivirus detection.

“ESET researchers have been tracking the TDL4 botnet for a long time, and now we have noticed a new phase in its evolution,” announced David Harley, the company’s director of malware intelligence.

“Based on the analysis of its components we can say that some of those components have been rewritten from scratch (kernel-mode driver, user-mode payload) while some (specifically, some bootkit components) remain the same as in the previous versions,” he noted. (See also “Is Your PC Bot-Infested? Here’s How to Tell.”)

Harley and his colleagues believe this suggests a major change within the TDL development team or the transition of its business model toward a crimeware toolkit that can be licensed to other cybercriminals.

TDL, also known as TDSS, is a family of rootkits characterized by complex and innovative detection evasion techniques. Back in July, malware analysts from Kaspersky Lab called TDL version 4 the most sophisticated threat in the world and estimated that the number of computers infected with it exceeds 4.5 million.

There are many things that make TDL4 stand out from the crowd of rootkits currently plaguing the Internet. Its ability to infect 64-bit Windows systems, its use of the public Kad peer-to-peer network for command purposes and its Master Boot Record (MBR) safeguard component are just some of them.

However, according to ESET’s researchers, changes are now being made to the way TDL4 infects systems and ensures its hold on them. Instead of storing components within the MBR, the new variants create a hidden partition at the end of the hard disk and set it as active.

This ensures that malicious code stored on it, including a special boot loader, gets executed before the actual operating system, and that the MBR code checked by antivirus programs for unauthorized modifications remains untouched.
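A defender-side check for the layout described above, added here as an example and not taken from ESET’s analysis: it parses the four primary entries of a 512-byte MBR and flags an active partition that is small and ends at the very last sector of the disk while a larger partition precedes it. Both MBRs and the disk size are constructed in the code; the partition type and the size and slack thresholds are assumptions, not TDL4 signatures.

```python
"""Flag a small active partition at the tail of the disk (MBR-only check).

Constructed example: both MBRs below are built in code; the thresholds are
assumptions, not a signature for TDL4's hidden partition.
"""
import struct

SECTOR = 512
PT_OFFSET = 446          # partition table starts here in the 512-byte MBR
ENTRY_SIZE = 16
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def make_entry(status, ptype, lba_start, sectors):
    """Build one partition-table entry; CHS fields are left zeroed."""
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_mbr(entries):
    """Assemble a 512-byte MBR with zeroed boot code and the 0x55AA signature."""
    table = b"".join(entries) + b"\0" * (ENTRY_SIZE * (4 - len(entries)))
    return b"\0" * PT_OFFSET + table + b"\x55\xaa"


def parse_partition_table(mbr):
    """Return the non-empty primary partition entries as dicts."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: bad length or missing 0x55AA signature")
    entries = []
    for i in range(4):
        off = PT_OFFSET + i * ENTRY_SIZE
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, mbr[off:off + ENTRY_SIZE])
        if ptype == 0 and count == 0:
            continue  # unused slot
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "start": start, "sectors": count})
    return entries


def suspicious_active_partition(entries, disk_sectors, small_limit=131072, slack=64):
    """Return a finding dict, or None when the active partition looks normal.

    Heuristic (assumption): an active partition of at most `small_limit`
    sectors (64 MiB) that ends within `slack` sectors of the end of the disk,
    while a larger partition precedes it, matches the layout ESET describes
    and deserves a closer look.
    """
    active = [e for e in entries if e["active"]]
    if len(active) != 1:
        return {"reason": "unexpected number of active partitions", "count": len(active)}
    a = active[0]
    at_tail = disk_sectors - (a["start"] + a["sectors"]) <= slack
    larger_before = any(e["start"] < a["start"] and e["sectors"] > a["sectors"] for e in entries)
    if at_tail and a["sectors"] <= small_limit and larger_before:
        return {"index": a["index"], "reason": "small active partition at end of disk",
                "start": a["start"], "sectors": a["sectors"]}
    return None


# Constructed 1 GiB disk: a clean layout, and one with a 1 MiB tail partition set active
DISK_SECTORS = 2 * 1024 * 1024
CLEAN_MBR = build_mbr([make_entry(0x80, 0x07, 2048, DISK_SECTORS - 2048)])
SUSPECT_MBR = build_mbr([
    make_entry(0x00, 0x07, 2048, DISK_SECTORS - 2048 - 2048),  # OS partition, active flag cleared
    make_entry(0x80, 0x07, DISK_SECTORS - 2048, 2048),         # tail partition, now active
])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("suspect", SUSPECT_MBR)):
        print(name, suspicious_active_partition(parse_partition_table(mbr), DISK_SECTORS))
```

Run it against the first 512 bytes read from the raw device and compare with the partition layout the running OS reports; a kernel-mode rootkit can filter what the OS shows, so an offline read from boot media is the more trustworthy source.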

The TDL4 authors have also developed an advanced file system for the rogue partition, which allows the rootkit to check the integrity of components stored within.

“The malware is able to detect corruption of the files stored in the hidden file system by calculating its CRC32 checksum and comparing it with the value stored in the file header. In the event that a file is corrupted it is removed from the file system,” the ESET researchers explain.

In April, Microsoft released a Windows update that modified systems to disrupt the TDL4 infection cycle. The rootkit’s authors responded half a month later with an update of their own that bypassed the patch.

This kind of determination to keep the malware going suggests that its return on investment is significant. The code quality and the sophisticated techniques are certainly indicative of professional software development.

Several antivirus vendors, such as Kaspersky, BitDefender and AVAST, offer free stand-alone tools that can remove TDSS and similar rootkits. However, in order to avoid getting infected in the first place, users should install an antivirus solution that provides advanced layers of protection, such as software behaviour analysis.

Peer-to-peer update makes ZeuS botnets harder to take down

A new strain of the ZeuS crimeware toolkit comes with a peer-to-peer design that lets infected machines bypass centralized servers when receiving updates and marching orders from operators, a researcher said.

The update to a custom-built ZeuS variant known as Murofet could make it harder for white-hat hackers and law-enforcement agents to disrupt botnets, because it eliminates the centralized command and control servers they infiltrate or shut down, said the researcher with Zeus Tracker, which monitors botnet communications. The researcher, who asked that his name not be included in this article, recently counted machines from more than 100,000 unique IP addresses infected by the custom build.

Zombies under the control of Murofet come with an initial list of IP addresses to query. They send UDP packets to those destinations over high-numbered ports and wait for fellow bots to respond with additional addresses that are also a part of the p2p network.

If the remote node is running a more recent version of the bot software, it then updates the other machine over a TCP connection. The p2p feature was added around the same time the malware scaled back its reliance on a domain generation algorithm, which allowed bots to connect to custom-registered domain names on specific dates.

The new capability gives the ZeuS offshoot p2p features similar to those that Waledac, TDL-4 and other botnets have boasted for years. Given the many other advanced features ZeuS offers, it’s surprising the capability wasn’t added years ago.

The new architecture means Murofet no longer uses a static URL to download binary updates and configuration files, and that’s likely to make the job of some researchers harder. But despite the new design, the ZeuS malware remains vulnerable, because it still relies on a central domain and falls back on the domain generation algorithm in the event that connections to the main command server and the p2p drones are lost.

“It’s not impossible to track it, but it’s more difficult than before,” the researcher told The Register over instant messenger. “I would say it makes tracking of ZeuS just more complicated but it’s not *the new super trojan*.”

Teenage ‘LulzSec hacker’ accused of attacking websites is banned from seeing his girlfriend alone

On the face of it, teenager Ryan Cleary appears the archetypal computer geek who retreated from the real world into a digital one.

When he was charged with hacking into the website of the Serious Organised Crime Agency, observers branded him a recluse who needed to ‘get a girlfriend’.

But he was already dating Amy Chapman, 19, – and now a judge has refused his request to see her alone.

Suspect: Alleged computer hacker Ryan Cleary, 19, asked for his bail conditions to be altered so he can date his girlfriend without someone watching over him

The Asperger’s sufferer is said to be a key member of the computer hacking network LulzSec, which has been blamed for attacks on the Serious Organised Crime Agency, the CIA, Sony and News International.

He is alleged to have controlled a ‘botnet’ of up to half a million compromised computers which he used to launch ‘denial of service’ attacks against websites.

He was charged in June and bail conditions imposed in court stipulate that he can only leave his home address with a parent.

Addressing London’s Southwark Crown Court, his defence barrister Ben Cooper asked for this to be changed so Cleary could see Miss Chapman without his parents being present.

Refusing the application, Judge Nicholas Loraine-Smith said: ‘I will not consider making a variation until the police have interviewed her and that they are satisfied that she is responsible enough to take on the duty.’


Cleary and fellow alleged LulzSec member Jake Davis, 18, were not required to attend the hearing.

Davis is said to have operated from his bedroom in the Shetland Islands and used the online name Topiary.

The judge issued a stark warning to both defendants to comply with their bail conditions as he fixed their plea and case management hearing for January 27, 2012.

‘First of all bail has to be on the same stringent terms for both of these defendants and I reiterate, as I did to one of them who has appeared before me, that if they breach any of these conditions they can be arrested and brought before the court and almost certainly remanded in custody,’ he said.

Cleary, of South Beech Avenue, Wickford, Essex, is charged with five offences under the Computer Misuse and Criminal Law Acts.


He is alleged to have taken part in a denial of service attack – which cripples websites by overwhelming them with requests for data – that briefly brought down SOCA’s site.

Cleary is also accused of involvement in two similar attacks on the websites of both the International Federation of the Phonographic Industry and its British counterpart on November 28 and October 29 respectively.

A further charge alleges that he ‘made, adapted, supplied or offered to supply’ access to a ‘botnet’ – a network of computers, hijacked without their owners’ knowledge – for use in the attacks.

Each of the three charges relating to DoS attacks carries a maximum jail sentence of 10 years, while the botnet charge could result in up to two years’ imprisonment.

Davis, of Hoofields, Lerwick, Shetland, is alleged to have played a leading role in LulzSec, a group that was said to have been disbanded after being linked to attacks on a number of high-profile sites.

He is charged with gaining unauthorised access to a computer system, encouraging or assisting offences and two counts of conspiracy to commit offences.

He also faces a charge of conspiring to carry out a distributed denial of service attack – where a website is flooded with traffic to make it crash – on the Serious Organised Crime Agency website.

Anonymous defaces BART site, leaks user data

Anonymous has apparently made good on a promise to wreak havoc on the Web site of the Bay Area Rapid Transit System today, although not exactly as planned.

Earlier, the amorphous collective had threatened to take Bart.gov offline for six hours today, twice the amount of time BART managers took cell phone service offline at some BART stations on Thursday night in order to head off a planned protest. The distributed denial of service (DDoS) attack was supposed to begin at noon Pacific time, according to a release from Anonymous.

As of 30 minutes past noon, the BART site was still online but running a little slow and with one notable change to the mybart.org Web site, which currently displays the Anonymous logo as seen below.

MyBart.org was still defaced as of 12:35 PM Pacific time on Sunday.

(Credit: Screen capture by Eric Mack/CNET)

As screen captures of the defacement began rocketing around Twitter, news came that Anonymous hackers had also accessed and posted online a database of mybart.org with user e-mails and some addresses and phone numbers.

Shortly after the mybart.org defacement, a more elaborate mark was left on californiaavoid.org, a Web site maintained by the California Office of Traffic Safety. The #opBART Facebook page claims the defacements are part of Anonymous’ protest effort against BART.

Californiaavoid.org as of 12:40 PM Pacific on Sunday.

For a brief period, BART posted two news releases on its Web site, one advising customers that its Web site could be attacked and go offline Sunday afternoon, another warning of possible interruptions to train service due to Anonymous’ planned peaceful, in-person protest during Monday evening’s rush hour. As of this writing, both releases are no longer visible, and BART.gov remains online almost an hour after Anonymous planned to take it down for the remainder of the afternoon.

Turkish Government Sites Targeted by Anonymous

Hacker group Anonymous said on Thursday it has launched DDoS (distributed denial of service) attacks on some Turkish government websites, in protest against government plans to introduce Internet filtering.

The move comes a few days before Turkey holds parliamentary elections on Sunday.

By late Thursday, the site of Telekomünikasyon İletişim Başkanlığı, the Internet regulator that drew up the filtering plan, was not accessible.

In launching the DDoS attacks, Anonymous may have run into opposition from hacker groups in Turkey who threatened to hack Anonymous sites, according to reports. Anonymous’ news site, for example, was not accessible late Thursday. The group did not respond to an e-mailed request for comment.

Turkey’s Information Department was also not immediately available for comment.

Turks are protesting against new Internet rules that come into effect on Aug. 22 and will require users to choose one of four filters before accessing the Internet.

In a petition on Avaaz.org, an online forum for mobilizing support for a cause, petitioners called on Turkey’s Information and Communication Technologies Authority, which is commonly known as BTK, to withdraw any regulations that include mandatory content filtering for Internet users in Turkey, and immediately reverse the new “Rules and Procedures on the Safe Use of the Internet”.

In a statement online, Anonymous said that the Turkish government is taking censorship to a new level. The new filtering systems will make it possible to keep records of everyone’s Internet activity, it added.

On Twitter, Anonymous said on Thursday that four sites in Turkey were inaccessible. But two of them, that of the country’s meteorological service and the ministry of national education, appeared to be up and running at time of writing.

Earlier this week, Anonymous hacked the site of an Indian government IT organization in protest against corruption and government action against anti-corruption protesters.

Understanding the Modern DDoS Threat

The breadth of cyber threats that an organization must engage with and combat seemingly changes on a daily basis. Each new technology, vulnerability or exploit vector results in a new threat that must be protected against. Meanwhile some forms of attack never appear to age — they remain a threat to business continuity despite years of advances in defensive strategy. One particularly insidious and never-ending threat is the Distributed Denial of Service (DDoS) attack.

Never far from the news headlines, DDoS attacks are the staple disruptive technique preferred by an increasingly broad spectrum of attackers. While they may be the oldest and most commonly encountered form of cyber attack, defenses against them are often non-trivial and even the best tried-and-tested protection can fail under a sufficiently well conceived attack.

In order to best understand the threat modern DDoS campaigns pose to enterprise networks and the businesses that depend upon them, I’ve pulled together a new whitepaper on the topic.

The paper “Understanding the Modern DDoS Threat” examines the technology, coordination tactics and motivations behind the DDoS attacks likely to pose a risk to Internet accessible businesses now and in the immediate future. It steps through the thought processes governing the primary instigators of the attacks and their tactics of choice.

Armed with this level of understanding, the folks charged with defending their organizations from the DDoS menace will be better able to mitigate the threat and effectively communicate its impact to the higher echelons of their organization.

Change.Org Victim of DDoS Attack From China

IDG News Service — Change.org, an online petitioning platform, has come under an ongoing distributed denial of service (DDoS) attack originating from China after the site hosted a call urging Chinese authorities to release artist Ai Weiwei from custody.

The attacks, which started late Sunday, have nearly brought down the site, according to Change.org founder Ben Rattray.

DDoS attacks work by using hundreds or thousands of hacked computers to send traffic to a website, overwhelming it with data so it becomes inaccessible to normal users.

Change.org said the current attack originates from an expanding group of computers primarily based in China, and has yet to stop. This is the first time the site has been hit with a DDoS attack.

Change.org has been hosting an online petition calling for the release of Chinese artist Ai Weiwei, who is currently under arrest. The petition has attracted almost 100,000 people from 175 countries, making it one of Change.org’s most successful international campaigns, Rattray said.

“It’s pretty clear the attack is in response to the campaign,” he added. “It’s extraordinary that somebody in China with a high-level of technical sophistication can impact the ability for people around the world to organize.”

The online call coincided with demonstrations across the world this past Sunday, which also called for the artist’s release. Ai, who is also known for his activism, has been detained as part of a Chinese government crackdown on political dissidents in the country.

Authorities in the country have arrested other human rights activists and clamped down on the information flow, following previous online postings that began in February calling for a “Jasmine revolution” against the Chinese government.

Change.org is currently blocked in China. Internet censors in the country regularly block sites that are deemed politically sensitive.

Despite the block, the computers involved in the DDoS attack are managing to find a way around the country’s national Internet firewall, said Rattray.

In the past, other sites have been the victims of cyber attacks coming from China. This March, blog publishing platform WordPress.com also reported being hit with a DDoS attack originating from China.

Chinese hackers have also allegedly launched cyber attacks to steal data from foreign energy companies, according to security vendor McAfee (MFE). In 2009, Google (GOOG) was also the victim of an attack originating from China that was aimed at accessing the Gmail accounts of human rights activists.

The Chinese government has previously responded to these reports by denying it is involved in any cyberattacks, adding that China has also been a victim of hacking attempts.

The true source of DDoS attacks is often unclear. Although Change.org has traced the current attack to servers in China, it is also possible the computers are under the control of hackers based in another country.

Change.org reports that both the FBI and U.S. State Department are looking into the DDoS attack.

“We won’t stop or take down anything because of this DDoS attack,” Rattray said. “We believe in the fundamental right of the people to organize around issues they care about it.”

Cybercriminals Target Russian News and Online Blogging Sites

Recently, Russian news and online blogging websites – Novaya Gazeta and LiveJournal suffered distributed denial-of-service (DDoS) attacks.


PRLog (Press Release) Apr 11, 2011 – Websites are targeted to gain unauthorized access to confidential information, disrupt services or lodge protest against information provided on those sites. Recently, Russian media and blog sites suffered massive cyber-attacks. The latest attack targeted the website of the popular newspaper Novaya Gazeta. Attackers purportedly launched distributed denial-of-service (DDoS) attacks. At its peak, the attack caused 70,000 requests to the website of Novaya Gazeta in 14 seconds. Information security professionals have restored the services of the website.

The attack on the newspaper website follows a similar attack on LiveJournal, one of the most popular Russian blogging sites. According to an analysis by Kaspersky Lab, the DDoS attack on the popular blogging site was commanded by the Optima/Darkness botnet. The attack was first directed at the blog of a well-known anti-corruption campaigner on LiveJournal and soon spread to the pages of other bloggers on the site. According to the Internet security firm, the Optima botnet was first identified at the end of the previous year on the Russian cybercrime black market. The botnet is also notorious for downloading executable files and stealing authentication information from FTP clients, Instant Messengers (IM), e-mail clients and web browsers, among others.

Online technology degree programs, webinars and conferences may help IT professionals update their technical skills and know-how for proactive handling of sophisticated cyber threats.

In a DDoS attack, cybercriminals use several compromised computers to target a particular resource. Multitudes of requests are sent simultaneously to the targeted resource, making it virtually impossible for the resource to deliver normal services to legitimate users. Cybercriminals compromise a large number of vulnerable systems and install malicious software without the users’ knowledge. The compromised systems, called zombies, are then instructed to attack the targeted resource. By using zombies to launch the attack, the perpetrators make it difficult for investigative authorities to trace the actual origin of the attack. Cyber security education through blogs, online tutorials and online computer degree programs may help create awareness of safe online computing practices among Internet users. Users must install and regularly update anti-malware programs to safeguard their computer systems against sophisticated cyber threats.

Both sites offer a platform for the expression of alternative opinions on crucial issues. The attacks on these sites assume significance as the elections for the ‘State Duma’, the lower house of the Russian Parliament, are scheduled to be held at the end of the year. DDoS attacks on business websites may severely impact their productivity and result in losses. Administrators must regularly monitor traffic to identify unusual activity. They may also configure data traffic limits. Professionals with an IT master’s degree may help in implementing proper monitoring mechanisms and regular evaluation of networks for threat vectors. Organizations must have a robust IT security policy in place. Regulations only provide for the minimum security requirements; therefore, IT security must not be viewed as merely a compliance activity. Organizations must be proactive in identifying and mitigating security flaws. The IT security apparatus must be regularly evaluated and modernized in line with changes in the threat landscape.